urelas | 2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0

Analysis

max time kernel
119s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
Size

349KB
MD5

9702b572151322ec6add6c75e2714321
SHA1

db5fa995483243c855ea05496797d4d121d4fa65
SHA256

2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0
SHA512

c1690a85b45eca670fac4d94adf24b19a1c096374261e5cf1393d6d9cbed3dfff28ac57947120c6cff25c79dd8c8cb6abe396b30785b126c0e918185649c11c5
SSDEEP

6144:c/bE5G5KiR0J0dCsnGb/6VOpLc91WlvhDSNZD:A0G5obGGraOpUWlpm

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	padoi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	zizyip.exe

Executes dropped EXE 3 IoCs

pid	Process
4964	padoi.exe
2716	zizyip.exe
4696	inpeg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inpeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	padoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zizyip.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe
4696	inpeg.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 4964	3680	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	82
PID 3680 wrote to memory of 4964	3680	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	82
PID 3680 wrote to memory of 4964	3680	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	82
PID 3680 wrote to memory of 1616	3680	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	83
PID 3680 wrote to memory of 1616	3680	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	83
PID 3680 wrote to memory of 1616	3680	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	83
PID 4964 wrote to memory of 2716	4964	padoi.exe	85
PID 4964 wrote to memory of 2716	4964	padoi.exe	85
PID 4964 wrote to memory of 2716	4964	padoi.exe	85
PID 2716 wrote to memory of 4696	2716	zizyip.exe	95
PID 2716 wrote to memory of 4696	2716	zizyip.exe	95
PID 2716 wrote to memory of 4696	2716	zizyip.exe	95
PID 2716 wrote to memory of 3552	2716	zizyip.exe	96
PID 2716 wrote to memory of 3552	2716	zizyip.exe	96
PID 2716 wrote to memory of 3552	2716	zizyip.exe	96

C:\Users\Admin\AppData\Local\Temp\2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
"C:\Users\Admin\AppData\Local\Temp\2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\padoi.exe
  "C:\Users\Admin\AppData\Local\Temp\padoi.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\zizyip.exe
    "C:\Users\Admin\AppData\Local\Temp\zizyip.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\inpeg.exe
      "C:\Users\Admin\AppData\Local\Temp\inpeg.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
f84fed65cea974b07ec408ac3362297b

SHA1
4d556df9abe4a1fac6a37571e2393e50c52b264e

SHA256
61a05b8ce3aeef049aaa6e1f54cbf3124a6495e31c62dccde02b81e2edc1caa1

SHA512
bae84c3cd3da1e3a53d6cbbf7a24094778d487cca106655f6c30a0213dec1e5c53844171193d890225cc21f782506687b94897aa5bf5da61447ae710be860057

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9217f806e37bb08750ce92ecc1dd8844

SHA1
b520db7d30c56a1ee4f9f3213531bbbfe550ada7

SHA256
7818881a3b8562a67cef379cafbfd4e2dc3dcdb9b3349b781d76d41ae4deda5b

SHA512
11235740a80df0d10b2e521bdadda1a4609c6efc643e32458466fe40b3b3d8db5dd39442d74c32783344d47659e24a31b2df6bbdea25c946ecfcf9e05a48a940

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a20dbf26e860b250af65f32cdffa5afa

SHA1
7b79e73c7cee46800386a9abc55ea8e41bf36970

SHA256
4390a962c428356a8c8b58e02d5539283ef0ef22a5b1bdc937a932297b6085a0

SHA512
7ba7ed3740e9aa973d9860232d59233180015dc54899b1a05a383ba306b051319176a12b6383640b9b1bfd4d5be343efe6b5712c6e34d8688f935bb388dd891a

Download Submit
C:\Users\Admin\AppData\Local\Temp\inpeg.exe

Filesize
115KB

MD5
d5398195e88fa1a0a7dfb1184913722d

SHA1
9c934647165ceba106b4a705e289946e7571b507

SHA256
24ba094651e2ae9328814fed2e856da34802607ee2bdfd36d7ddb302ecaf03d0

SHA512
ccc444f76e2411dab6d28fa9f518a15907bf6becd10042efa953354d3a95967e1c92803ed7c05d4df082999a3e3b55709c0b18cb07cdc95434b18e20f94e5f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\padoi.exe

Filesize
349KB

MD5
0e3d5071d8dc5c74bf8c25e6e6670979

SHA1
ef9edc3457fb0dbb876309600f51ec24704e11b7

SHA256
7987924c8c195d58107412595078e5f58c2e7d27e340e0050ae96b4468383744

SHA512
6c353b00e68cd33951606b4668df430d0747dcc72cd932edd6ffaca01cb880e6dbd5be2adf4de0bed84b1e562c5ea1dd24c43009faca94ee8a2c7c6ab972c689

Download Submit
memory/2716-27-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2716-26-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2716-41-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3680-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3680-16-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4696-39-0x00000000006F0000-0x0000000000772000-memory.dmp

Filesize
520KB

Download
memory/4696-43-0x00000000006F0000-0x0000000000772000-memory.dmp

Filesize
520KB

Download
memory/4696-44-0x00000000006F0000-0x0000000000772000-memory.dmp

Filesize
520KB

Download
memory/4696-45-0x00000000006F0000-0x0000000000772000-memory.dmp

Filesize
520KB

Download
memory/4964-24-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4964-12-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download