urelas | 04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe
Size

448KB
MD5

1ed68cb1d469c04c1d1c48e84dffd855
SHA1

4f9c195a777ab598b131b45f60b401ff3f5f72aa
SHA256

04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb
SHA512

292b13bf860c98f5ca1ceb2cbaad63680142f5436ed532fd6d5692289678d53fd2766fca3e17a9a236f90a1face2e1b5f646d62ffa166dd59afdd95cc1b744cf
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpomr:PMpASIcWYx2U6hAJQny

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

uzjei.exeagojes.exe04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	uzjei.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	agojes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe

Executes dropped EXE 3 IoCs

Processes:

uzjei.exeagojes.exeozvec.exe

pid	Process
3636	uzjei.exe
2272	agojes.exe
2288	ozvec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exeuzjei.execmd.exeagojes.exeozvec.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzjei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agojes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozvec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ozvec.exe

pid	Process
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe
2288	ozvec.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exeuzjei.exeagojes.exe

description	pid	Process	procid_target
PID 4152 wrote to memory of 3636	4152	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	83
PID 4152 wrote to memory of 3636	4152	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	83
PID 4152 wrote to memory of 3636	4152	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	83
PID 4152 wrote to memory of 3844	4152	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	84
PID 4152 wrote to memory of 3844	4152	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	84
PID 4152 wrote to memory of 3844	4152	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	84
PID 3636 wrote to memory of 2272	3636	uzjei.exe	86
PID 3636 wrote to memory of 2272	3636	uzjei.exe	86
PID 3636 wrote to memory of 2272	3636	uzjei.exe	86
PID 2272 wrote to memory of 2288	2272	agojes.exe	104
PID 2272 wrote to memory of 2288	2272	agojes.exe	104
PID 2272 wrote to memory of 2288	2272	agojes.exe	104
PID 2272 wrote to memory of 956	2272	agojes.exe	105
PID 2272 wrote to memory of 956	2272	agojes.exe	105
PID 2272 wrote to memory of 956	2272	agojes.exe	105

C:\Users\Admin\AppData\Local\Temp\04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe
"C:\Users\Admin\AppData\Local\Temp\04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\AppData\Local\Temp\uzjei.exe
  "C:\Users\Admin\AppData\Local\Temp\uzjei.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Users\Admin\AppData\Local\Temp\agojes.exe
    "C:\Users\Admin\AppData\Local\Temp\agojes.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\ozvec.exe
      "C:\Users\Admin\AppData\Local\Temp\ozvec.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
3eff156aa769b29febd5753b69a157c7

SHA1
fa4d5966c0c984ea9492a0cd84756e45f9c497c0

SHA256
9367945ea043fea76c302f973a981c1d1f1da9e3876107c6a797d5c375cfd5cd

SHA512
ce672fc32a3831949d353ef9045c4c60a700ad17ac7fc881e1ca0c24cca04660268625ba95b30d7731e642e265ac04abbd233e5efb117419f3e6223ae3237432

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
0719ec55cb7b679978eacd06bb5f5cb5

SHA1
7d0d8432dede6a2b53e039d6b9d4d1b014ab46aa

SHA256
9bb74dc5e00b2ce46a41c47bcdbe27320fc1f877f55971bfc7fd3438a857d5e3

SHA512
7ee23835c499637fd0b2c3bc773690e5109e8508e6288441e1861dd3291024bd9b7e5e4d8015955d073947cb81094d5b4fd3275e35273b169609a89b553144a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\agojes.exe

Filesize
448KB

MD5
efaadb89d7f959dcd920fe6a19537b7e

SHA1
5bb55d57b8b9827731671ef0edef808664b810ca

SHA256
5f3f6a1d2c174a66288b20544f3ec83acf9e07a0cf970ace2381df18b7959aaf

SHA512
1f3bfc8e4d7886edbc1be16ed2fd0f23c6e373994573c72d27a3930264accbbe5976c10cf76d0dfa4acb59f548d83133c50d63a229954310250fad46c43be69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
500a5b6ee473dd553916ed963228d639

SHA1
4e538b1a2d95a577c4720e6f2212081490cab37c

SHA256
2e0d26689fbd78ce9a0acf7258fa7509333447b041ae093dc190ab3313e564df

SHA512
c96c4013e0124fba50415fcc5ffc5e3ce3e1e367bf642638cbe5b81796fe08774d759045980acb477586baeacdbcbb95a112c49531de2e37e74b87fadcc183f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozvec.exe

Filesize
223KB

MD5
dd7e0aa02c76b6a0444b254b3bbb9773

SHA1
d8d63837acda12d5f0a0576e3d2d9999deb2fddd

SHA256
c62ac83a04aa7181e7777ed7d6f59689c10442815e117ab39459d6f35792e850

SHA512
5fc4ce3e66b9349678bd031aa98817ceedd5dd6eadb065dae266437264f377997dae5664a88470568da7e6ef2f17df4e8ec491efb16cba804f9599d7ab76e5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzjei.exe

Filesize
448KB

MD5
734c2cb09e495038eedc5c2ddc7a0a6b

SHA1
d9ecd73c6c08187067b6f3278bca305b74c2113b

SHA256
6ddb3d821765340d4100fcc4ce1096987cbf88d79bdc1691c7b5acfe5c087b09

SHA512
2860feeec9ad148fde36641046ad206fb695fd23902fb5ff2cbca2629707effc084f80a7483adfb26e147417b75659ac894b5099d3d83439d1191c64edc63492

Download Submit
memory/2272-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2272-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2288-36-0x0000000000620000-0x00000000006C0000-memory.dmp

Filesize
640KB

Download
memory/2288-42-0x0000000000620000-0x00000000006C0000-memory.dmp

Filesize
640KB

Download
memory/2288-43-0x0000000000620000-0x00000000006C0000-memory.dmp

Filesize
640KB

Download
memory/2288-44-0x0000000000620000-0x00000000006C0000-memory.dmp

Filesize
640KB

Download
memory/2288-45-0x0000000000620000-0x00000000006C0000-memory.dmp

Filesize
640KB

Download
memory/2288-46-0x0000000000620000-0x00000000006C0000-memory.dmp

Filesize
640KB

Download
memory/3636-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3636-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4152-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4152-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download