urelas | e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
Size

440KB
MD5

a40cb26479ed7aa42946772c7b2e7021
SHA1

b768c64e7ba1bb171ac3d0acf1a43390f1d214bf
SHA256

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0
SHA512

d60f24ca50d22575a1fdd28636ea6238e5da657a6a9d4ea07eb2a117eef59e4bbe7c442ff9318feeb534779cc6f37a9e743d18eb54b21ed2bd0eeab67c046f22
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjP:oMpASIcWYx2U6hAJQng

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wynufy.exee7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exeazxof.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wynufy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	azxof.exe

Executes dropped EXE 3 IoCs

Processes:

azxof.exewynufy.exeuxysa.exe

pid	Process
464	azxof.exe
2316	wynufy.exe
2468	uxysa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exewynufy.exeuxysa.execmd.exee7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exeazxof.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wynufy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uxysa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azxof.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

uxysa.exe

pid	Process
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe
2468	uxysa.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exeazxof.exewynufy.exe

description	pid	Process	procid_target
PID 5004 wrote to memory of 464	5004	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	84
PID 5004 wrote to memory of 464	5004	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	84
PID 5004 wrote to memory of 464	5004	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	84
PID 5004 wrote to memory of 3960	5004	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	85
PID 5004 wrote to memory of 3960	5004	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	85
PID 5004 wrote to memory of 3960	5004	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	85
PID 464 wrote to memory of 2316	464	azxof.exe	87
PID 464 wrote to memory of 2316	464	azxof.exe	87
PID 464 wrote to memory of 2316	464	azxof.exe	87
PID 2316 wrote to memory of 2468	2316	wynufy.exe	97
PID 2316 wrote to memory of 2468	2316	wynufy.exe	97
PID 2316 wrote to memory of 2468	2316	wynufy.exe	97
PID 2316 wrote to memory of 1848	2316	wynufy.exe	98
PID 2316 wrote to memory of 1848	2316	wynufy.exe	98
PID 2316 wrote to memory of 1848	2316	wynufy.exe	98

C:\Users\Admin\AppData\Local\Temp\e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
"C:\Users\Admin\AppData\Local\Temp\e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\azxof.exe
  "C:\Users\Admin\AppData\Local\Temp\azxof.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\wynufy.exe
    "C:\Users\Admin\AppData\Local\Temp\wynufy.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\uxysa.exe
      "C:\Users\Admin\AppData\Local\Temp\uxysa.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
a22128a0e27f510960630f47d21b26e3

SHA1
c03946b2ff9740ccbe1f3338e29139ff44b098d5

SHA256
f8693144f47eb65536b9f642fc6bf3dc2c188604da7feb1d30e409ac0ac610e9

SHA512
ba2c079cc49924849f7b3e1c51d2b4dbd0a38699b29faf763e60418689898a4e6a960f4a3a4c11ef1210457cbc789c9ddbc05716ebd1aca6f2800950a175257b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
b23730e95b71c653c3d0a3bea8724c5d

SHA1
b13f909a42dc9d13082f543aef1e53adaad821f3

SHA256
e1f01373c6afddad4b3ba7a3c78e2e0e09147366cf7708d28e3daae5cc2cfcc0

SHA512
e4bdecdfb3df8b3f168f6381e8abfa618bd517ab3cdc549c16bf22b68baf2827dd4322012e57978869298cd03f8ac4c8401015e4bade9fc31b4c19aafed6dc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\azxof.exe

Filesize
440KB

MD5
f37c3971c5bd9895030726d061927bc7

SHA1
8ee78d485865ea1f16390f76715378324a13928e

SHA256
09700608efc5cc2456e77e5cdfcdaa473de67a72360fdf979f70e49e93210e31

SHA512
dc9397fcc667c0a8187faf1b40fa9100ff4add4b878f061660cb82e81caae909df7f595909d6c242f3fd9b2604d2eb1aa2657f22d9efc036d62ff36aad42a8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b1b46a2626dd3bac0404c5f7d0732372

SHA1
bb6148c93a170619e8e329a422831f63daf9759c

SHA256
5366b7af067d55e6adc1b6a862bd9ad040813954241e0499a9bb302fbb0e9684

SHA512
fb6a57b9f55e04b13e16e85fe5b2ca1ec11978095d3be031b805e3c1805bd508a027489a1115e2da9ea546f137277eb0ae15c0607d1636f5abdb0d473711ceda

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxysa.exe

Filesize
223KB

MD5
b8af767ad40a93df9c346696bf5945af

SHA1
7f7bd63d505576af08cad1d1ee94adf312953e43

SHA256
df83c9f4ad1438562d95567b6551b05630276a703757266b060b4ed2fb254707

SHA512
f4061c0ce7f7af7b796bbc8ab527491bac382b02c1a4c9837d9e7989a9d9c83861487f57712a1e6dec71224e4202b5544548f23ca34589cbe72030ed8c2ee7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wynufy.exe

Filesize
440KB

MD5
ddfac1208bd6c1a207bc4d60c09f7fa0

SHA1
59895381186ac934156592173463282d4c1c9498

SHA256
27625c1b2a61ea7506064d971222d8aecee1a8ea25a188f1769601d15946e53c

SHA512
98dc337abb10cdfcc45237b68e88f2595fda0394eed103e0cbe6a393d03d2bb794cbf686ff59c9fee28b6638fe3afaca73f084bfb8082384e844191ae3701514

Download Submit
memory/464-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2316-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2316-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2316-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2468-37-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/2468-42-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/2468-43-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/2468-44-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/2468-45-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/2468-46-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/5004-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5004-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download