urelas | 4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe
Size

660KB
MD5

3251cb0860e7baaf7de35db27328da62
SHA1

b4c461c408d7bddb5b431c1a73b3cdf21709b18d
SHA256

4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02
SHA512

0059cb85e1116bcf6c53dc8c92cda2d6d14b7309a99c5599d6c9238ee8b808e0dc6e694f7f9fe8d3acdb78253a0198c04b013a6eaa6fcb949170c62bd3e208fb
SSDEEP

6144:O1xBWeMRygxDLbHxlSBxzJn1REBB6q1gBFJV6AvRqsf6YU+FM+3Yn/fCXjQGDqLS:Ol3MQIDKJzTq+Xxvo0U+d3s/fCX0s

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	kolio.exe

Executes dropped EXE 2 IoCs

pid	Process
4652	kolio.exe
2720	sodas.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1532-0-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/files/0x000a000000023b5e-6.dat	upx
behavioral2/memory/1532-13-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/4652-16-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/files/0x000800000001e786-21.dat	upx
behavioral2/memory/4652-26-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/2720-25-0x00000000006B0000-0x000000000076A000-memory.dmp	upx
behavioral2/memory/2720-27-0x00000000006B0000-0x000000000076A000-memory.dmp	upx
behavioral2/memory/2720-28-0x00000000006B0000-0x000000000076A000-memory.dmp	upx
behavioral2/memory/2720-29-0x00000000006B0000-0x000000000076A000-memory.dmp	upx
behavioral2/memory/2720-30-0x00000000006B0000-0x000000000076A000-memory.dmp	upx
behavioral2/memory/2720-31-0x00000000006B0000-0x000000000076A000-memory.dmp	upx
behavioral2/memory/2720-32-0x00000000006B0000-0x000000000076A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kolio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sodas.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1532	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe
1532	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe
4652	kolio.exe
4652	kolio.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe
2720	sodas.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 4652	1532	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe	83
PID 1532 wrote to memory of 4652	1532	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe	83
PID 1532 wrote to memory of 4652	1532	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe	83
PID 1532 wrote to memory of 2008	1532	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe	84
PID 1532 wrote to memory of 2008	1532	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe	84
PID 1532 wrote to memory of 2008	1532	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe	84
PID 4652 wrote to memory of 2720	4652	kolio.exe	101
PID 4652 wrote to memory of 2720	4652	kolio.exe	101
PID 4652 wrote to memory of 2720	4652	kolio.exe	101

C:\Users\Admin\AppData\Local\Temp\4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe
"C:\Users\Admin\AppData\Local\Temp\4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\kolio.exe
  "C:\Users\Admin\AppData\Local\Temp\kolio.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\sodas.exe
    "C:\Users\Admin\AppData\Local\Temp\sodas.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
341B

MD5
b5d7e82c11d42300f1bd6b48c1ee79fc

SHA1
2d94b64506c949a244560edc529f18f71e8ff36c

SHA256
dda2262ad63b118de3301081e95a6168dc042c51876ba180ecd072c8dd1cb5b5

SHA512
225fa8d76aaf11a7474fc541f7f2c9d9e08d741909015ebf4631ad70afc568f7f27f6200ced896e38a3b2e0ae4ac2a2914dc61a7ec21941eee9742f93abdbbb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
62bc4223c1310fb358a64bf1aa86e748

SHA1
1ac559377b273288370ae96376da62e5a25d0b0b

SHA256
e88aeffe7a1c8bf09f292c42a31caa7d880cbe43319a8b2dea624be23abd57a8

SHA512
c0f78c4cf145bb17f5ea2736172195561c8f5fbde3b13f850da32cfc7e090c6ea8bf56ce7a0ea897131a2f17aa40422a6b8f29cdd648af737a4791d5bd5b714d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kolio.exe

Filesize
660KB

MD5
ef00a326734ca1f0b7b682cf8babfbbd

SHA1
18210ed7237ffaee69d57ec5bf2ffaae5ba87600

SHA256
465822a9148be9c4ccc4657665b6e8b6350d3c1c85d53792dbd0361e6cb4c3fe

SHA512
ab5cae6461be8ebe199927e36ca216333a7f9a0ab584bf4269194b9b51bf58a2194250644682c9ace037f6893a15b4932ac48eaf556fc3a0e51e0b6be1167364

Download Submit
C:\Users\Admin\AppData\Local\Temp\sodas.exe

Filesize
243KB

MD5
0122996eec8abc8ca7be80ed34eb42a0

SHA1
41a8727e7f76ab6b60b416b1e4bb48cf59a7a9c7

SHA256
ee12692eceafff7653f075c88c0080d4d0776192f7833155fa871a85cf8efe05

SHA512
f33207dd80d08bf9a8f6aa85429557999df437c5f467ae02fae3d0e4ac840a9874297caf53cc53dd90db6d7fbbbc564538c0dfacefe5d98a3d55f8f3f468fe71

Download Submit
memory/1532-13-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1532-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2720-25-0x00000000006B0000-0x000000000076A000-memory.dmp

Filesize
744KB

Download
memory/2720-27-0x00000000006B0000-0x000000000076A000-memory.dmp

Filesize
744KB

Download
memory/2720-28-0x00000000006B0000-0x000000000076A000-memory.dmp

Filesize
744KB

Download
memory/2720-29-0x00000000006B0000-0x000000000076A000-memory.dmp

Filesize
744KB

Download
memory/2720-30-0x00000000006B0000-0x000000000076A000-memory.dmp

Filesize
744KB

Download
memory/2720-31-0x00000000006B0000-0x000000000076A000-memory.dmp

Filesize
744KB

Download
memory/2720-32-0x00000000006B0000-0x000000000076A000-memory.dmp

Filesize
744KB

Download
memory/4652-16-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4652-26-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download