urelas | 5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757

Analysis

max time kernel
150s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe
Size

537KB
MD5

d20fee1a424647bee9f78e3942ba37f9
SHA1

a2c0bf2a4ce15eb5a151eadd37a1d51e9e87e3ac
SHA256

5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757
SHA512

9bb9a502cee133b023d26d23e28a1037cb41f896e5c80e7e97f6e78eec42e53dceae1fa7600a9cd0bb9adb73b06f28be6442cb1eaada08de9afff8571a2b0e5f
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPH:q0P/k4lb2wKatH

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exeekzim.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ekzim.exe

Executes dropped EXE 2 IoCs

Processes:

ekzim.exeyrrop.exe

pid	Process
1600	ekzim.exe
2588	yrrop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exeekzim.execmd.exeyrrop.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ekzim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yrrop.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

yrrop.exe

pid	Process
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe
2588	yrrop.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exeekzim.exe

description	pid	Process	procid_target
PID 4720 wrote to memory of 1600	4720	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	84
PID 4720 wrote to memory of 1600	4720	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	84
PID 4720 wrote to memory of 1600	4720	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	84
PID 4720 wrote to memory of 4872	4720	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	87
PID 4720 wrote to memory of 4872	4720	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	87
PID 4720 wrote to memory of 4872	4720	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	87
PID 1600 wrote to memory of 2588	1600	ekzim.exe	96
PID 1600 wrote to memory of 2588	1600	ekzim.exe	96
PID 1600 wrote to memory of 2588	1600	ekzim.exe	96

C:\Users\Admin\AppData\Local\Temp\5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe
"C:\Users\Admin\AppData\Local\Temp\5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\ekzim.exe
  "C:\Users\Admin\AppData\Local\Temp\ekzim.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\yrrop.exe
    "C:\Users\Admin\AppData\Local\Temp\yrrop.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c2eb983e8ced9ab28290b9e78fa44f80

SHA1
051ec107b9b7f56da21bd418b07489c414162000

SHA256
ad3ec2686dea0acd066b44085130ef74ac8fc02ac49452d000045557bade23b8

SHA512
df30a2c2b746442b37e4280e56605b0380a3f98bd0af45abb800f34cfd4fea33ace316131f1be74d0c1dcc720c29b4502d6a897a184ce9c89462b97d5a880332

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekzim.exe

Filesize
537KB

MD5
db5155c8a15d57e29e873d7eb8fa2801

SHA1
53375ffb59312e4b9fe1567c99717fc43f10e0bb

SHA256
e61d7f08409bdc613406d310829410e8f1382dbfffc6b398edf8bc058c8e3c99

SHA512
8025a18929b2e9c6d92e72163f638de46cb340c2978fedb3ccd20f1ab7808664f5f6f4450a38d264eaaeb314fb580e2697efc478eff0d54c14323430502e34f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
88c75db3a6973a0eeb29a74975a76533

SHA1
e80c29b9cb84f0a534bed347ad310017308b9d28

SHA256
e55653569358181241110b07c5ed2f06abbb5248dc4d30fa55c0fe7c20a51871

SHA512
25d9497c5c89fa07ea36cb824864bcccf0ebd3e8489edba9164777da61badc94cd2ca6e3d50e61c2cb09b3c64c17cf45e72f8c789dc3d2d1b10ab7c46e0fdb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\yrrop.exe

Filesize
236KB

MD5
accacd4f9ad753ab2307d832f67d560a

SHA1
c6d931deb751a7a7fed24c2d50a31c1952e235c4

SHA256
45488de86eebc8a6a55f3f1a842267fe106573ecc4ddc59f79e75402b198860a

SHA512
928b70a1f0f0a9b4213d047e49f5537f4762639041b5a9d2637305da1fa8a30cf3ff7e00cbc7de264096d495b656bc8db2bde83a06d60c40c238047a00b38256

Download Submit
memory/1600-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1600-27-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2588-26-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2588-25-0x0000000000230000-0x00000000002D3000-memory.dmp

Filesize
652KB

Download
memory/2588-29-0x0000000000230000-0x00000000002D3000-memory.dmp

Filesize
652KB

Download
memory/2588-30-0x0000000000230000-0x00000000002D3000-memory.dmp

Filesize
652KB

Download
memory/2588-31-0x0000000000230000-0x00000000002D3000-memory.dmp

Filesize
652KB

Download
memory/2588-32-0x0000000000230000-0x00000000002D3000-memory.dmp

Filesize
652KB

Download
memory/2588-33-0x0000000000230000-0x00000000002D3000-memory.dmp

Filesize
652KB

Download
memory/4720-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4720-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download