urelas | 3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
Size

537KB
MD5

d8d3f06c0e9aea69858a74a5fec62a7a
SHA1

7a041b1f9fcd3d3fdd32b16c13d3780022c76be6
SHA256

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731
SHA512

58a0794cb708db9dcd08326efdbf09175f906b03229f0bdd3411059d0d0fd057a2a2a0a4e500375fa0a8d21302fcf96726be4565b92af9e5d240a64f6d1ec3e7
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP8:q0P/k4lb2wKat8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exeyqber.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	yqber.exe

Executes dropped EXE 2 IoCs

Processes:

yqber.exenypua.exe

pid	Process
400	yqber.exe
3868	nypua.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exeyqber.execmd.exenypua.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nypua.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

nypua.exe

pid	Process
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe
3868	nypua.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exeyqber.exe

description	pid	Process	procid_target
PID 5004 wrote to memory of 400	5004	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	84
PID 5004 wrote to memory of 400	5004	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	84
PID 5004 wrote to memory of 400	5004	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	84
PID 5004 wrote to memory of 4856	5004	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	85
PID 5004 wrote to memory of 4856	5004	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	85
PID 5004 wrote to memory of 4856	5004	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	85
PID 400 wrote to memory of 3868	400	yqber.exe	96
PID 400 wrote to memory of 3868	400	yqber.exe	96
PID 400 wrote to memory of 3868	400	yqber.exe	96

C:\Users\Admin\AppData\Local\Temp\3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
"C:\Users\Admin\AppData\Local\Temp\3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\yqber.exe
  "C:\Users\Admin\AppData\Local\Temp\yqber.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\nypua.exe
    "C:\Users\Admin\AppData\Local\Temp\nypua.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3647d5e7ac42a51cbda230969692b578

SHA1
69008a4017886dc9dc03e35e270c0b0a6f0d16c3

SHA256
65d2e40876acecbf4845a8918792e6b3c3ec4902bbac03e4a8b491d5e019eb9e

SHA512
4067b6a4667bf14d2f2f097a334d8c8ce25643df177d835c5b9fea64c020a225319a4402e51e5a6607665eddcbe45538bc8f558b3683d3c7675beb8b6059794f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
53c4d91e7974901d89c052f970ce3f44

SHA1
6219af30a18e84699e98c8cb7af52ddfcd99558d

SHA256
ef08189e35f8c40d5e28cdc7be2f0fff20f4fb5686d42095ea10b61857cee854

SHA512
eab6bdcb3317ef9d1ddcd7f3d27246d06f160b39a0de9faecc3737b5138ea0409c2d2a3c3d670ead02cf6af33f5b0f596ffb4f5002c640b5c3f9fbe66cb9f502

Download Submit
C:\Users\Admin\AppData\Local\Temp\nypua.exe

Filesize
236KB

MD5
d12ad4e1412ad43134a8c450437769ee

SHA1
730b1aca81babb53b57dc00ed7b579d6673ede20

SHA256
fbff7a62334094f243df6f86d24e9dbb5fbd3f005513a25996776a389857cc30

SHA512
ddaaae3fb8ee1d007fcef03f548911955ff8477b7a85102b8de25486794d5eb3227247852f56a72d556cc5ec6bac4f29659f054fd40a79f1a7c0806bf40e09ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqber.exe

Filesize
537KB

MD5
01ffe7d848988ed543430729abd59918

SHA1
196db4ece6e9456c5e31596efa23e46abc63ef45

SHA256
9f9f592dbe3a189fef7152482244333e55232c9006d65d040bc4aa5e3b618b1f

SHA512
112f6c914fba95bf5a834415358526d5fb04e02266cd31e04e6429298c7e7e981b939b9d4a0393c0f543a8e0620b13e25501b3920b34beb6c37a609372707a0f

Download Submit
memory/400-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/400-26-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3868-25-0x0000000000D80000-0x0000000000E23000-memory.dmp

Filesize
652KB

Download
memory/3868-27-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/3868-29-0x0000000000D80000-0x0000000000E23000-memory.dmp

Filesize
652KB

Download
memory/3868-30-0x0000000000D80000-0x0000000000E23000-memory.dmp

Filesize
652KB

Download
memory/3868-31-0x0000000000D80000-0x0000000000E23000-memory.dmp

Filesize
652KB

Download
memory/3868-32-0x0000000000D80000-0x0000000000E23000-memory.dmp

Filesize
652KB

Download
memory/3868-33-0x0000000000D80000-0x0000000000E23000-memory.dmp

Filesize
652KB

Download
memory/5004-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5004-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download