urelas | c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
Size

597KB
MD5

8fd85ee4b09ceab66733ac13dbf09e1d
SHA1

0bf74e1ba4927b718ae922b89f149fb75236efd0
SHA256

c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c
SHA512

3ba8695775b981fe2ad4a8ee025dea547d58789213849b2b681448452b2921fe43876dfa7a2aece26aaee3aed10366761c159c1b829ffb5022c997d0fe4dc3bc
SSDEEP

6144:KzU7blKaPcbhj+bB7ktZeRnVDJm0oNjOPdInpB8:MU7MLb4BQkntwNjqdx

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	bewir.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe

Executes dropped EXE 2 IoCs

pid	Process
1088	bewir.exe
3256	ycxen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bewir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ycxen.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe
3256	ycxen.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 1088	3592	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	84
PID 3592 wrote to memory of 1088	3592	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	84
PID 3592 wrote to memory of 1088	3592	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	84
PID 3592 wrote to memory of 1480	3592	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	85
PID 3592 wrote to memory of 1480	3592	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	85
PID 3592 wrote to memory of 1480	3592	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	85
PID 1088 wrote to memory of 3256	1088	bewir.exe	94
PID 1088 wrote to memory of 3256	1088	bewir.exe	94
PID 1088 wrote to memory of 3256	1088	bewir.exe	94

C:\Users\Admin\AppData\Local\Temp\c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
"C:\Users\Admin\AppData\Local\Temp\c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Local\Temp\bewir.exe
  "C:\Users\Admin\AppData\Local\Temp\bewir.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\ycxen.exe
    "C:\Users\Admin\AppData\Local\Temp\ycxen.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b45e2f663f7f9bc2d10eb8e125539218

SHA1
01e788019befaf86df514a2b888ee8041406c745

SHA256
e29e4674cb422acbffadff5f79d7f611cd78322d03913757cea07401bcfd2405

SHA512
25d818b7fbe97c858a6aa61424e553fc5056cc9f1c22759e107a40d3d6d6b5a099e488dad6e15c5cbe11ef0750e6d3c80aaa47b99bed89e79da451a4729b96e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bewir.exe

Filesize
597KB

MD5
b2b07cebe1b63fb0ee1a2d72992e69ae

SHA1
9cebf0aac0c7c43e5b8ca5d9f00c2670507536e9

SHA256
cced1846d6a38ea9089ad6a4bcefe7f0202abc1e4651411a69a93769dfdc95d8

SHA512
a4fe7447a82a6828b331547894860c4074d88e15a729aba8ffa2bf818804594c9cd3603aa5bd923869c4bc1ea76208d4d25a35800f1887f177191e962dcedcd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
12e81212b26d75997c74326eef3ec54d

SHA1
c967c8f1cdfbf083c83da7a48904c46354423ed9

SHA256
6c97733d01231a73786d9df05831c35b07d7c785387675d93b2acd3fc8932683

SHA512
3aa5fdfb5466880d6d8ce046cb6c98ae77383e1951a498c433b6b4a5d425e8eb7905c8fe93cdec97b0f2aeedbe667c483395e77326e4a9ec7a7b2b78c8de072d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycxen.exe

Filesize
211KB

MD5
a2ba2f50610764229982c8dbae1dc4a5

SHA1
f0572514f78485d93b94217ffd3a1318708f3251

SHA256
62efffb477c904320f6ef17b53f5850b76b05b687be0fe1d3f36707be7f64155

SHA512
616bce77c63589276ac84a0339c73fe6121e75c28fdf0461efab51eb94afc8afbc97c8ceab525a8dba620aa39063de5f9a12f92f9a8c94bde633bf98d72d897c

Download Submit
memory/1088-27-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1088-16-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3256-26-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/3256-25-0x0000000000380000-0x0000000000431000-memory.dmp

Filesize
708KB

Download
memory/3256-30-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/3256-29-0x0000000000380000-0x0000000000431000-memory.dmp

Filesize
708KB

Download
memory/3256-31-0x0000000000380000-0x0000000000431000-memory.dmp

Filesize
708KB

Download
memory/3256-32-0x0000000000380000-0x0000000000431000-memory.dmp

Filesize
708KB

Download
memory/3256-33-0x0000000000380000-0x0000000000431000-memory.dmp

Filesize
708KB

Download
memory/3256-34-0x0000000000380000-0x0000000000431000-memory.dmp

Filesize
708KB

Download
memory/3592-0-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3592-13-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download