urelas | f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe
Size

441KB
MD5

9e0b301908800e45d47a15d9eebb6fad
SHA1

7b8785b18bd3f5a04488b1c5c4b4a9f7b9593152
SHA256

f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec
SHA512

df5fda3ef654d1587f76d008390cdc0b579bedb61738a8d48c8fee801efab6a8c8d32dc66298a29d1dfcc9b737ae5cb96030a6677c1656f80e55304f2a52fd2d
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjH:oMpASIcWYx2U6hAJQnQ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fakonu.exef2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exemozex.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fakonu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	mozex.exe

Executes dropped EXE 3 IoCs

Processes:

mozex.exefakonu.exewygin.exe

pid	Process
4932	mozex.exe
1360	fakonu.exe
1648	wygin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mozex.execmd.exefakonu.exewygin.execmd.exef2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mozex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fakonu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wygin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wygin.exe

pid	Process
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe
1648	wygin.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exemozex.exefakonu.exe

description	pid	Process	procid_target
PID 4436 wrote to memory of 4932	4436	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe	82
PID 4436 wrote to memory of 4932	4436	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe	82
PID 4436 wrote to memory of 4932	4436	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe	82
PID 4436 wrote to memory of 1000	4436	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe	83
PID 4436 wrote to memory of 1000	4436	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe	83
PID 4436 wrote to memory of 1000	4436	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe	83
PID 4932 wrote to memory of 1360	4932	mozex.exe	85
PID 4932 wrote to memory of 1360	4932	mozex.exe	85
PID 4932 wrote to memory of 1360	4932	mozex.exe	85
PID 1360 wrote to memory of 1648	1360	fakonu.exe	95
PID 1360 wrote to memory of 1648	1360	fakonu.exe	95
PID 1360 wrote to memory of 1648	1360	fakonu.exe	95
PID 1360 wrote to memory of 1724	1360	fakonu.exe	96
PID 1360 wrote to memory of 1724	1360	fakonu.exe	96
PID 1360 wrote to memory of 1724	1360	fakonu.exe	96

C:\Users\Admin\AppData\Local\Temp\f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe
"C:\Users\Admin\AppData\Local\Temp\f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Users\Admin\AppData\Local\Temp\mozex.exe
  "C:\Users\Admin\AppData\Local\Temp\mozex.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\fakonu.exe
    "C:\Users\Admin\AppData\Local\Temp\fakonu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\wygin.exe
      "C:\Users\Admin\AppData\Local\Temp\wygin.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
5a4b1cb4ae31fb6de81731a486cfb550

SHA1
28153c0087a3684bc5247563b57dfcce1ec9e84e

SHA256
b3a895ea408ab9ca32991a846f21072edd3ca3bdcdb53d6321370a3a1c4baecb

SHA512
044cc43f8f9e0dd49ec2d4651b3e9086ae046b8d82774946513db2adaff5e1cf85e522eb6f5e08bfcb369e1d842de571ae3e6c97ee68c90d33a90cbac6e21beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
897ae547cc18c1605a33dd34f0e827d5

SHA1
a350ab98a6e97edb382e58f76fc47ebe239abd20

SHA256
8a056a1ef5e8816d0451d43482728ce80fc997a4ba9357004b86788c86d54bf8

SHA512
7e3bbc21d9a75918854552d743c842ae3ca5a49257e57faa07273546db1ea4d3edd82d9f0baac2f01d2f772e22f9553d8509e6067ed7bd4745c4c663ea2705a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fakonu.exe

Filesize
441KB

MD5
ce793fb1203d50bbd0be71cb9fb7d734

SHA1
ff9d523248aa7c5aca7f23517884c6c84e5e3170

SHA256
7b441ec3fa29aefa8213b3d6dd9ce6391df3dc1a3b08cb8897865e238ec0b901

SHA512
b65fdf24a3a740be9f036ebf6ee9993050e06e50ab4fb9c0c6d65d3f4b34097607df6700571701d19537fad1b40f9cfad9f19130bed1e97f78895d40e7ce63d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7463884bf1128eeee1434aad015f539c

SHA1
040f86883d85f9f06b51212bb20a3a1653a712f9

SHA256
a59c1103b70b0c9db305bc30799aa9af6aa06435a4c7936dc376bc90dbe54ff0

SHA512
104d0d7da0c29a88e3ae7a8cb93278eb35dd93db5ddb2368769ec967ba38f6deae1c068280d293762c54ea5e96bdab93673b83f789d81955cccce82822a9fee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozex.exe

Filesize
441KB

MD5
133f4e9ce3d7a940971079ac8b08dd1f

SHA1
e4fc199731dd3966a965662111380039a7335d00

SHA256
a2ba8a40967249abf4a4f2eb50968e2182b46e9fd7f732f23e02af7f18c09b05

SHA512
bd0767297e42da25669e1ee9afbdd951e5431981b8a8e77a92e1954b7229366bd01c5bb79be20f10769fba832a946d8318e04c023a3e4d9e960d3d58f655835a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wygin.exe

Filesize
223KB

MD5
ecc022911db9ac9639c1064a1fbb9107

SHA1
eb6c9c6fa5b3b9dd173cdeeab1df052553c927cf

SHA256
5d68a09a5e34d1d1724287317cf280ff6ed084791417347340c577ea14033c4d

SHA512
7f23e1ed5489a47c2e6c38b0faffe52a22ba755cf955f553ad04fe649c1892ee044c9aa9638d8b2fb62eab1608931166b56dbf100a97c02681a1ed254b3a84df

Download Submit
memory/1360-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1360-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1360-40-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1648-46-0x0000000000B70000-0x0000000000C10000-memory.dmp

Filesize
640KB

Download
memory/1648-44-0x0000000000B70000-0x0000000000C10000-memory.dmp

Filesize
640KB

Download
memory/1648-47-0x0000000000B70000-0x0000000000C10000-memory.dmp

Filesize
640KB

Download
memory/1648-45-0x0000000000B70000-0x0000000000C10000-memory.dmp

Filesize
640KB

Download
memory/1648-39-0x0000000000B70000-0x0000000000C10000-memory.dmp

Filesize
640KB

Download
memory/1648-43-0x0000000000B70000-0x0000000000C10000-memory.dmp

Filesize
640KB

Download
memory/4436-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4436-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4932-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4932-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download