urelas | 1426fa71c4361e62b95dd48e571bd9bc9de984823c11ad0023a830eb252c46c6

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1426fa71c4361e62b95dd48e571bd9bc9de984823c11ad0023a830eb252c46c6.exe
Size

48KB
MD5

d6bf5d60b44618978503a040a5532224
SHA1

d83131212352901df3140ea7c77e808c7bae9e8d
SHA256

1426fa71c4361e62b95dd48e571bd9bc9de984823c11ad0023a830eb252c46c6
SHA512

2be6ae1afc899dae34cddae9b53fae62993de67ff78dfb7d42c0a48fde3a20e6105ded37e6bcbbf8ae895311a1bbae265b08fef483ae0cb0d8a59b19c40787f9
SSDEEP

1536:Op4/PC7Ruz3hRXRASULZ6JKYdbzcm6lMPR9nE:Qt7R8fU6nWs3E

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	1426fa71c4361e62b95dd48e571bd9bc9de984823c11ad0023a830eb252c46c6.exe

Executes dropped EXE 1 IoCs

pid	Process
3180	okoser.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1426fa71c4361e62b95dd48e571bd9bc9de984823c11ad0023a830eb252c46c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	okoser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 3180	1172	1426fa71c4361e62b95dd48e571bd9bc9de984823c11ad0023a830eb252c46c6.exe	83
PID 1172 wrote to memory of 3180	1172	1426fa71c4361e62b95dd48e571bd9bc9de984823c11ad0023a830eb252c46c6.exe	83
PID 1172 wrote to memory of 3180	1172	1426fa71c4361e62b95dd48e571bd9bc9de984823c11ad0023a830eb252c46c6.exe	83
PID 1172 wrote to memory of 4576	1172	1426fa71c4361e62b95dd48e571bd9bc9de984823c11ad0023a830eb252c46c6.exe	84
PID 1172 wrote to memory of 4576	1172	1426fa71c4361e62b95dd48e571bd9bc9de984823c11ad0023a830eb252c46c6.exe	84
PID 1172 wrote to memory of 4576	1172	1426fa71c4361e62b95dd48e571bd9bc9de984823c11ad0023a830eb252c46c6.exe	84

C:\Users\Admin\AppData\Local\Temp\1426fa71c4361e62b95dd48e571bd9bc9de984823c11ad0023a830eb252c46c6.exe
"C:\Users\Admin\AppData\Local\Temp\1426fa71c4361e62b95dd48e571bd9bc9de984823c11ad0023a830eb252c46c6.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\okoser.exe
  "C:\Users\Admin\AppData\Local\Temp\okoser.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0b43271388568b7282d66a2022f2bb0e

SHA1
695af294c1646f82e9c8a319d1650c272d461e2a

SHA256
773878c526d8643ae94343d9a082c0cc75596a3b1bdce71691010908d42cacc5

SHA512
1708dbd74eb867a0a1516ddc9e9edc06b2ec902695611ad0670ef1a706d9661344ed71c44cebed87146f85683d8742d42d9b1ede934ebad828191a045e131321

Download Submit
C:\Users\Admin\AppData\Local\Temp\okoser.exe

Filesize
48KB

MD5
b486fc18be264c14061fd539fc0a0a02

SHA1
f0bfe68f23f9cab570d40962e622d2d2bffc5684

SHA256
6d0edd8740583909c501fcf1e6949e4df782df4803494d444eab804ec6c8e43d

SHA512
3a5dc35264d249cba4e9ce4b8977828fdb1fd49e4be570bec8448bfd370bad50a07f7de2f5aa4acebdd1f9a972f1f58bac1a6924c92298c0a5d166480cb0a60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
e0b5593673bbf0c0bc8591381c9d8546

SHA1
856cc2d283b74b3b83521d37556b685d795cdc3f

SHA256
aaf5d0f341f34766eb6d7b32a4519e2addd56ea4845378790e91800fbf0884c3

SHA512
2db0f8f262b1f90893d64d4fff8bb17292f9222af9516a18ada3566202637136e78ca5510a3e843ad81bdc495a4dcf5587a2f084d0e35edd36a441c49026f085

Download Submit
memory/1172-0-0x00000000009A0000-0x00000000009D3000-memory.dmp

Filesize
204KB

Download
memory/1172-15-0x00000000009A0000-0x00000000009D3000-memory.dmp

Filesize
204KB

Download
memory/3180-12-0x0000000000480000-0x00000000004B3000-memory.dmp

Filesize
204KB

Download
memory/3180-18-0x0000000000480000-0x00000000004B3000-memory.dmp

Filesize
204KB

Download
memory/3180-20-0x0000000000480000-0x00000000004B3000-memory.dmp

Filesize
204KB

Download
memory/3180-26-0x0000000000480000-0x00000000004B3000-memory.dmp

Filesize
204KB

Download