urelas | 133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe
Size

337KB
MD5

39d8703f1b708b28f39401d39084363c
SHA1

d3ff0688c161c0829a07d65f17e618b805bc1cc0
SHA256

133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691
SHA512

45871b125f10e63a6f38c3612e757ae3a2fa0648bf1d0f49ef663882fbcbbf68aeb3805570a1fd834e805e681b6eea9611fa05574b9ce201946d77fbf06cfcd2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYpI:vHW138/iXWlK885rKlGSekcj66ciEI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	zumif.exe

Executes dropped EXE 2 IoCs

pid	Process
1436	zumif.exe
4460	fydij.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zumif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fydij.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe
4460	fydij.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 1436	2816	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe	83
PID 2816 wrote to memory of 1436	2816	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe	83
PID 2816 wrote to memory of 1436	2816	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe	83
PID 2816 wrote to memory of 1636	2816	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe	84
PID 2816 wrote to memory of 1636	2816	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe	84
PID 2816 wrote to memory of 1636	2816	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe	84
PID 1436 wrote to memory of 4460	1436	zumif.exe	103
PID 1436 wrote to memory of 4460	1436	zumif.exe	103
PID 1436 wrote to memory of 4460	1436	zumif.exe	103

C:\Users\Admin\AppData\Local\Temp\133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe
"C:\Users\Admin\AppData\Local\Temp\133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\zumif.exe
  "C:\Users\Admin\AppData\Local\Temp\zumif.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\fydij.exe
    "C:\Users\Admin\AppData\Local\Temp\fydij.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
fa03093f919777d4b59a7d49d7440b2a

SHA1
1b4dcf5d738d48f599d613e34955a7b27b2996da

SHA256
d78493474650eae90d361a0fbdb8c87ee8d017b2ccd8150097251a929dbae2ea

SHA512
63320e32c15909edd0dc7100426b1e58175febf45ab280b1ad28ae5abdefc8d2746226573592f4878a170476273664fefcb21b8b2be4623ee8167f7f04189a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\fydij.exe

Filesize
172KB

MD5
325e357d6f2f4f8c1c0d837b8d1e56fb

SHA1
7624ba0f010931caa51d2eb9ec46adc794479de4

SHA256
5b482c4fe94c192409f07be3322b8e11f09008b500277ea0cb16ca6126cec22f

SHA512
e134b50dc689940c76dcb4745e63d867646f4415e75738325ea3670b7638c9deaa2c74a3256b310511d14593f838b6b53ee9c22515c2e8667508163372a003bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
29d5d502efaf4b7d1e5e8b879112d1b1

SHA1
6099057ddf7016baa8e4993ed32d1163eee1f9ea

SHA256
a3a9e4a700158772774fb3cf64cbe97a142f857dc24cffb2c3907e33828f96d7

SHA512
f41e38c9b16b7154b5d6b071ceede7e6cba7dface40bc29f4dade021b4b90f1a2db2fa85cfa37908a7c44de02b9a2c7b87e51047b6c94495becc1177d1ce8564

Download Submit
C:\Users\Admin\AppData\Local\Temp\zumif.exe

Filesize
337KB

MD5
667cc712b40e941eebc00a41a89d3dba

SHA1
bf73faec8678f59db29271c2e8966fb4ee17b76a

SHA256
ced1add48ae731bca7b349d389c5eeacb6cbc2e1692e2b783544c9e21603f679

SHA512
171f2664bc395bda4d7d06974a58015f1f1074850ddd7a3cdc5e1d19e197a1c277f47766469ef9347c4d0f968b59ad2ce13c9c018d97a8bca698c019f2b80dd6

Download Submit
memory/1436-21-0x0000000000FC0000-0x0000000001041000-memory.dmp

Filesize
516KB

Download
memory/1436-40-0x0000000000FC0000-0x0000000001041000-memory.dmp

Filesize
516KB

Download
memory/1436-15-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1436-14-0x0000000000FC0000-0x0000000001041000-memory.dmp

Filesize
516KB

Download
memory/1436-20-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2816-17-0x0000000000D20000-0x0000000000DA1000-memory.dmp

Filesize
516KB

Download
memory/2816-0-0x0000000000D20000-0x0000000000DA1000-memory.dmp

Filesize
516KB

Download
memory/2816-1-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/4460-37-0x0000000000990000-0x0000000000A29000-memory.dmp

Filesize
612KB

Download
memory/4460-44-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

Filesize
8KB

Download
memory/4460-41-0x0000000000990000-0x0000000000A29000-memory.dmp

Filesize
612KB

Download
memory/4460-46-0x0000000000990000-0x0000000000A29000-memory.dmp

Filesize
612KB

Download
memory/4460-47-0x0000000000990000-0x0000000000A29000-memory.dmp

Filesize
612KB

Download
memory/4460-48-0x0000000000990000-0x0000000000A29000-memory.dmp

Filesize
612KB

Download
memory/4460-49-0x0000000000990000-0x0000000000A29000-memory.dmp

Filesize
612KB

Download
memory/4460-50-0x0000000000990000-0x0000000000A29000-memory.dmp

Filesize
612KB

Download