urelas | 2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
Size

349KB
MD5

9702b572151322ec6add6c75e2714321
SHA1

db5fa995483243c855ea05496797d4d121d4fa65
SHA256

2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0
SHA512

c1690a85b45eca670fac4d94adf24b19a1c096374261e5cf1393d6d9cbed3dfff28ac57947120c6cff25c79dd8c8cb6abe396b30785b126c0e918185649c11c5
SSDEEP

6144:c/bE5G5KiR0J0dCsnGb/6VOpLc91WlvhDSNZD:A0G5obGGraOpUWlpm

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

uwfege.exe2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exedihim.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	uwfege.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dihim.exe

Executes dropped EXE 3 IoCs

Processes:

dihim.exeuwfege.exebylem.exe

pid	Process
4524	dihim.exe
4192	uwfege.exe
4592	bylem.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bylem.execmd.exe2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exedihim.execmd.exeuwfege.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bylem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dihim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uwfege.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bylem.exe

pid	Process
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe
4592	bylem.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exedihim.exeuwfege.exe

description	pid	Process	procid_target
PID 1520 wrote to memory of 4524	1520	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	82
PID 1520 wrote to memory of 4524	1520	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	82
PID 1520 wrote to memory of 4524	1520	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	82
PID 1520 wrote to memory of 3320	1520	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	83
PID 1520 wrote to memory of 3320	1520	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	83
PID 1520 wrote to memory of 3320	1520	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	83
PID 4524 wrote to memory of 4192	4524	dihim.exe	85
PID 4524 wrote to memory of 4192	4524	dihim.exe	85
PID 4524 wrote to memory of 4192	4524	dihim.exe	85
PID 4192 wrote to memory of 4592	4192	uwfege.exe	95
PID 4192 wrote to memory of 4592	4192	uwfege.exe	95
PID 4192 wrote to memory of 4592	4192	uwfege.exe	95
PID 4192 wrote to memory of 2816	4192	uwfege.exe	96
PID 4192 wrote to memory of 2816	4192	uwfege.exe	96
PID 4192 wrote to memory of 2816	4192	uwfege.exe	96

C:\Users\Admin\AppData\Local\Temp\2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
"C:\Users\Admin\AppData\Local\Temp\2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\dihim.exe
  "C:\Users\Admin\AppData\Local\Temp\dihim.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\uwfege.exe
    "C:\Users\Admin\AppData\Local\Temp\uwfege.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Users\Admin\AppData\Local\Temp\bylem.exe
      "C:\Users\Admin\AppData\Local\Temp\bylem.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
a3771de8613d5ddad61fec511f2edb3c

SHA1
9042a48c78bfce87a1d9fd821442ff1170bc37b4

SHA256
c74b1d4f3677665e549acebb596f825099bbe2c80379f83b34fe54c9a88a8202

SHA512
4e0b1ac036dec3c68a377b49d485ff1795dcd31816238d9857606f507ead106ce72dc70e1ea533b555b64514aa9572e1a23a2b139dfbe8b2a1ab3e3262db3bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
f84fed65cea974b07ec408ac3362297b

SHA1
4d556df9abe4a1fac6a37571e2393e50c52b264e

SHA256
61a05b8ce3aeef049aaa6e1f54cbf3124a6495e31c62dccde02b81e2edc1caa1

SHA512
bae84c3cd3da1e3a53d6cbbf7a24094778d487cca106655f6c30a0213dec1e5c53844171193d890225cc21f782506687b94897aa5bf5da61447ae710be860057

Download Submit
C:\Users\Admin\AppData\Local\Temp\bylem.exe

Filesize
115KB

MD5
948fced993cbd91446ddcdf88f0b5385

SHA1
aa9541d25e3c155f47b1160c5231a927849dbd3b

SHA256
7b025812e836e1348c45ee24a237bb1f25368d7978000813468364cd504dc5a6

SHA512
7471a3b899092993c677b0a30db703ce927e9102a7439c6f6cb4292c9829d065bd27230e73ad3d1ddc53133e940d1c21778a70aa45052664f1d56ac7e6a33235

Download Submit
C:\Users\Admin\AppData\Local\Temp\dihim.exe

Filesize
349KB

MD5
76f572a22d97c69c2c68ba6551e72aa9

SHA1
6527391abc2054223b362353d4dc4b6a2b745179

SHA256
32bf5b97ce40dd0b04e1b02e1acbb4f2cb499d7acf3b74b7e14bfd83886e588d

SHA512
94da3d7dfc1c94e7904bbad73749f0c03ddb3c4c0758fb3bd7a91b5550b190dc3bd1df191fea018701cb73f7fbb81ebb818da49fe5032b3df8508ca9862c646b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e2df7ebf3616e153f54b841f8e005675

SHA1
8c4783db6fb8d2ff4c78715b28b67cce9eaa3ba0

SHA256
e587c5807c4f210e9b9305267f7b46e4e056091f2d79a5535a1df0beb51ca3e6

SHA512
034c784662f6aacf8696c1d513fe735fdc94268a672c6949a96c93ad22dda0e13ab416fc6ca3d13cc2618692e4c44fda9507fc384ed71f9290b64cf67f6d7938

Download Submit
memory/1520-14-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1520-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4192-25-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4192-39-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4524-24-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4592-36-0x0000000000120000-0x00000000001A2000-memory.dmp

Filesize
520KB

Download
memory/4592-41-0x0000000000120000-0x00000000001A2000-memory.dmp

Filesize
520KB

Download
memory/4592-42-0x0000000000120000-0x00000000001A2000-memory.dmp

Filesize
520KB

Download
memory/4592-43-0x0000000000120000-0x00000000001A2000-memory.dmp

Filesize
520KB

Download
memory/4592-44-0x0000000000120000-0x00000000001A2000-memory.dmp

Filesize
520KB

Download
memory/4592-45-0x0000000000120000-0x00000000001A2000-memory.dmp

Filesize
520KB

Download
memory/4592-46-0x0000000000120000-0x00000000001A2000-memory.dmp

Filesize
520KB

Download