urelas | 914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe
Size

440KB
MD5

2fdc20c1e32fa67a507b5ffca485c8c2
SHA1

0b6d7cf42541f7127679a98c0e998349e15ee8f4
SHA256

914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04
SHA512

7ae476b7952eb479c3b7931ed71a7cf2c9f0894f5ccff2ad130c327f5a8b91f18c49c892a0a723e3ba3bc53194a39a56f7e58dce1de0a85ba6a425d136afc01a
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjC:oMpASIcWYx2U6hAJQnr

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

uxbiug.exe914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exeokawp.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	uxbiug.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	okawp.exe

Executes dropped EXE 3 IoCs

Processes:

okawp.exeuxbiug.execoluk.exe

pid	Process
4408	okawp.exe
1296	uxbiug.exe
3300	coluk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exeokawp.execmd.exeuxbiug.execoluk.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	okawp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uxbiug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coluk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

coluk.exe

pid	Process
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe
3300	coluk.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exeokawp.exeuxbiug.exe

description	pid	Process	procid_target
PID 4432 wrote to memory of 4408	4432	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	83
PID 4432 wrote to memory of 4408	4432	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	83
PID 4432 wrote to memory of 4408	4432	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	83
PID 4432 wrote to memory of 324	4432	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	84
PID 4432 wrote to memory of 324	4432	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	84
PID 4432 wrote to memory of 324	4432	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	84
PID 4408 wrote to memory of 1296	4408	okawp.exe	86
PID 4408 wrote to memory of 1296	4408	okawp.exe	86
PID 4408 wrote to memory of 1296	4408	okawp.exe	86
PID 1296 wrote to memory of 3300	1296	uxbiug.exe	103
PID 1296 wrote to memory of 3300	1296	uxbiug.exe	103
PID 1296 wrote to memory of 3300	1296	uxbiug.exe	103
PID 1296 wrote to memory of 4412	1296	uxbiug.exe	104
PID 1296 wrote to memory of 4412	1296	uxbiug.exe	104
PID 1296 wrote to memory of 4412	1296	uxbiug.exe	104

C:\Users\Admin\AppData\Local\Temp\914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe
"C:\Users\Admin\AppData\Local\Temp\914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\okawp.exe
  "C:\Users\Admin\AppData\Local\Temp\okawp.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\uxbiug.exe
    "C:\Users\Admin\AppData\Local\Temp\uxbiug.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\coluk.exe
      "C:\Users\Admin\AppData\Local\Temp\coluk.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
68200eab02c0012c584982c8c50a41fd

SHA1
d1ef3de28ed8f42626548642192aaed54924caa1

SHA256
8d0e17351660cb38b2b7df5ac89a2c01952af6a6939f31c03f85dbf96a420860

SHA512
e47ca87343222ecb6f08fa92d65078621a196aaf3592ca323563afeea06ba9fa0bac96b239dbe8ed773b9edd4a8cf2cc4cb3e2f14ee3c0c17e7e814c9df768b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
335337b9377ce25dc6f425bdb4710c04

SHA1
0e8d1b3a4625acfa3e90f192a756b9bd3cf2b459

SHA256
ecde50a9f50d9d109ba4263d4256a708da68f8c57f2354c35c5243df3fb35d98

SHA512
88e01ba11170f66387d77a4c558945845e6255a74f41da7a9c3ff1fa37d8ce7d6e13113e70a6546a56ad46e17da9d806c8e3c3b63308f865a90badabdc9a601d

Download Submit
C:\Users\Admin\AppData\Local\Temp\coluk.exe

Filesize
223KB

MD5
563abeed75e0b8dac23ae67906ede069

SHA1
6477f880995217bb31440b6a67a0e554625ec31d

SHA256
00b343c1ed275fafa4d506cdcf83b44f0914f38c1676f003ff6ff3a2cc93cc56

SHA512
cda3ca709e545934c7f6f54a3c9c7dbb0a37fe6c77d1521d6d8fd06973aad382c3dcb33a7dca5483e90d46fbf5ee6d6be584f5d556f8a5958150dc96fb502838

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
93f352d2987227c95ff86f8f523e4813

SHA1
33b0801839be12283d57785e3c5e42afd3300dbc

SHA256
063e6c1632d1a6a8ff653274ee4f73140486b3c15c3a296152532919c12b1c3c

SHA512
a243ce95cb6abba67da40fad6cdfbb0143f98f5d7d13be3e94466cf9adf84ffe4f01c86fb81dec5350ad1ce36c3a7ba3183cc67e73324aa0f303a24e9b90570f

Download Submit
C:\Users\Admin\AppData\Local\Temp\okawp.exe

Filesize
440KB

MD5
b6bb0cbf544598388bc72f33d5679601

SHA1
e0008441decda1ed6bf7f3f27fee6cb9a7e5c692

SHA256
ae95f41875ced43b6a452a5de85786f4cd79e25384675d66d876c149ba8383f4

SHA512
b2be084027089c76a402bd08bbe1b686dea073a6901818e94111d16281eece37671b502e3f3e703ded91e34326123513231ea95c0a6f1972f18f5849adbbf02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxbiug.exe

Filesize
441KB

MD5
3b61fb68899377dc5318e9d27c87fc73

SHA1
b928b4b813a0fed59e107abb7c454db6f3b1fb00

SHA256
bdd5062f15da8b491021101e956d9fbd7fb0f3b733903ec085f6b8ca0294c149

SHA512
67ba25b2b65483f053676730b2c13641b3313f2e7710b1a7a4342889639922fa0394926f69eb0bda4de91e48a0bf3d9330d8486db4f57ed24a3a7dff68e53d7d

Download Submit
memory/1296-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1296-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3300-36-0x0000000000580000-0x0000000000620000-memory.dmp

Filesize
640KB

Download
memory/3300-41-0x0000000000580000-0x0000000000620000-memory.dmp

Filesize
640KB

Download
memory/3300-42-0x0000000000580000-0x0000000000620000-memory.dmp

Filesize
640KB

Download
memory/3300-43-0x0000000000580000-0x0000000000620000-memory.dmp

Filesize
640KB

Download
memory/3300-44-0x0000000000580000-0x0000000000620000-memory.dmp

Filesize
640KB

Download
memory/3300-45-0x0000000000580000-0x0000000000620000-memory.dmp

Filesize
640KB

Download
memory/4408-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4432-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4432-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download