urelas | d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe
Size

327KB
MD5

21aa8a97134af1d02680d1663104bff5
SHA1

831ddd59a95c1c636e5a436e759ca8e2ce92cb87
SHA256

d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc
SHA512

be46e879c6295a7894ca01bf70e5a0ad41eed05977f6b37f334cdf798d7ec0d0ad7199c70cfef5eef1061e6218cbe4a24855949cb7891c7e28cbfd8a00e854ad
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYA:vHW138/iXWlK885rKlGSekcj66ci7

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exeuxumh.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	uxumh.exe

Executes dropped EXE 2 IoCs

Processes:

uxumh.exeyvorj.exe

pid	Process
4220	uxumh.exe
3116	yvorj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

yvorj.exed1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exeuxumh.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvorj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uxumh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

yvorj.exe

pid	Process
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe
3116	yvorj.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exeuxumh.exe

description	pid	Process	procid_target
PID 220 wrote to memory of 4220	220	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe	87
PID 220 wrote to memory of 4220	220	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe	87
PID 220 wrote to memory of 4220	220	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe	87
PID 220 wrote to memory of 60	220	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe	88
PID 220 wrote to memory of 60	220	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe	88
PID 220 wrote to memory of 60	220	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe	88
PID 4220 wrote to memory of 3116	4220	uxumh.exe	106
PID 4220 wrote to memory of 3116	4220	uxumh.exe	106
PID 4220 wrote to memory of 3116	4220	uxumh.exe	106

C:\Users\Admin\AppData\Local\Temp\d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe
"C:\Users\Admin\AppData\Local\Temp\d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\uxumh.exe
  "C:\Users\Admin\AppData\Local\Temp\uxumh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\yvorj.exe
    "C:\Users\Admin\AppData\Local\Temp\yvorj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
1b9ff2150ddd1e9755f7aa1e4a0f45e5

SHA1
54de279e4de57893783f503bdc41ea27aa7f0bf7

SHA256
ff1093f77a866b52f10cdf6488e5a1496abda1f80a8a9ae00fe5e5c02a7070b8

SHA512
839cf53d4563e0ec6d825e302b00d5fb66fc29cc31845dfaf3137cc135b95497efc88f5c48603f104b525ed0d0693958c2f83b6660ec3bfa2b3d7e2af47c8108

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a2f5cf06bf8bb4f9f8db15f6b2d5dbfe

SHA1
53775f8fabf3ad9bf2066567dcb5ea8abe63822f

SHA256
118e230911d45ba2895f5af164da3b7f4c2e366953f5010d3ed385e3e01c14ee

SHA512
ff9289363aea0821241c4db77e0507e2070949c370d79241f8ed70e6f4fbc29be3da7bffe35fa471050cbecb53d96a4e07abb20444a4d44f27b37d345c5d1b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxumh.exe

Filesize
327KB

MD5
6fe362b183130f65cb170338296a6368

SHA1
bd9d4754056b8092296c1f45ee159fe2b3b2f0d2

SHA256
18d2747decf20ad59c1c507bcb892db477e66284b8eab5ae4dd3522ef556780c

SHA512
c10d8366b5aeb4d58e2ed159f9f3b6a4dc992b99d45e74d5198d7d1e64acf8b847e74161931f125a5ca2b62c1f1cfa6cad135b05153ec88b14eb5fcdffd21c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvorj.exe

Filesize
172KB

MD5
9bc051e993a3afd4a7e7377928b7eda5

SHA1
8655884c57a4b5df647f0662bb03c640a3d52a21

SHA256
4d5d47d2d4f428eb543199c92bd3cf33d9840e72f211f0f7675c1992ab042734

SHA512
d829f5c4a31025aa373b845fadb83a91618e91d51bd4c9cc3564418ffee8b80232c3ed828e3446c34689e649ffa07f1561609b14fd1c234b85d95dfcccea6265

Download Submit
memory/220-1-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/220-0-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/220-16-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/3116-45-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download
memory/3116-42-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/3116-50-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/3116-49-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/3116-40-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/3116-39-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download
memory/3116-48-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/3116-47-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/3116-46-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/4220-14-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/4220-20-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/4220-38-0x0000000000B80000-0x0000000000C01000-memory.dmp

Filesize
516KB

Download
memory/4220-11-0x0000000000B80000-0x0000000000C01000-memory.dmp

Filesize
516KB

Download
memory/4220-19-0x0000000000B80000-0x0000000000C01000-memory.dmp

Filesize
516KB

Download