urelas | 9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
Size

348KB
MD5

a89691f3add0a3fa328f60dacbb8e2aa
SHA1

a3fcdd5e991e835f7956c6ef5b30bb9c7f59b8a1
SHA256

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4
SHA512

409ad5f9e81d11f26b543611e327b1575589568bd6cebe568b3ff379f1361221a1e4a3925ecbe1ea51628d06d702309e6aa6c2182eb2100b340a8a1ef6e5e8fd
SSDEEP

6144:8/bE5G5KiR0J0dCsnGb/6VOpLc91WlvhDSNZ5c:g0G5obGGraOpUWlpZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exehovux.exegahoci.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	hovux.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	gahoci.exe

Executes dropped EXE 3 IoCs

Processes:

hovux.exegahoci.exemejyc.exe

pid	Process
4768	hovux.exe
4596	gahoci.exe
5084	mejyc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exehovux.exegahoci.execmd.exemejyc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gahoci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mejyc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mejyc.exe

pid	Process
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe
5084	mejyc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exehovux.exegahoci.exe

description	pid	Process	procid_target
PID 3916 wrote to memory of 4768	3916	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	82
PID 3916 wrote to memory of 4768	3916	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	82
PID 3916 wrote to memory of 4768	3916	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	82
PID 3916 wrote to memory of 3084	3916	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	83
PID 3916 wrote to memory of 3084	3916	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	83
PID 3916 wrote to memory of 3084	3916	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	83
PID 4768 wrote to memory of 4596	4768	hovux.exe	85
PID 4768 wrote to memory of 4596	4768	hovux.exe	85
PID 4768 wrote to memory of 4596	4768	hovux.exe	85
PID 4596 wrote to memory of 5084	4596	gahoci.exe	95
PID 4596 wrote to memory of 5084	4596	gahoci.exe	95
PID 4596 wrote to memory of 5084	4596	gahoci.exe	95
PID 4596 wrote to memory of 2052	4596	gahoci.exe	96
PID 4596 wrote to memory of 2052	4596	gahoci.exe	96
PID 4596 wrote to memory of 2052	4596	gahoci.exe	96

C:\Users\Admin\AppData\Local\Temp\9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
"C:\Users\Admin\AppData\Local\Temp\9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\hovux.exe
  "C:\Users\Admin\AppData\Local\Temp\hovux.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\gahoci.exe
    "C:\Users\Admin\AppData\Local\Temp\gahoci.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\mejyc.exe
      "C:\Users\Admin\AppData\Local\Temp\mejyc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
f2ae8246f3927151f352e04b2e3a603f

SHA1
68b53101d1b8bb79de11eaf3d1926f1d1d25e91b

SHA256
254dc6af7bef48c10c54b6885317e242b65967c2ccffbe6503d5eeaf7caeab65

SHA512
18e5e3f9f1115fe4c1e99453a8a6d9489dd6c42f3c9b09cea599be3cfcc3ab28dd21e4e60af658424ef093a549211d2ad6c1e5ae1809875267cd2f974587e67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
653e0ea96239d102a4563ca7889d00f8

SHA1
2b110828051be6c839ebb84de245895894690d07

SHA256
cd9b422071058ca2f986b59dd4d7645b6ea8f847007b0e2d9da91e63ff2605a8

SHA512
d362465fad330371cd15539ca3cd753d0f13aa83ee9b631401b40104761d3645b92cc46ea50dbe5b20db6a35caaa54616bdc1aaab9663d93901721b724b1997b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1b9d488d51dc98ce690faa917c228133

SHA1
7cdc031c04ec5d5e721fec7f670c8ca9009e6ae7

SHA256
bcadb7167340f21844745ed155eabd0ba33a88042ded290795312d39f0b873d2

SHA512
360338bbca9c9d6bd0d9ec87e1d76527b1c5f6d94aa1be6d92ace0a52c924f0bfade5c742a2e64419caa3b93f6356b947bb5e506df7608df33802e3d85a3a546

Download Submit
C:\Users\Admin\AppData\Local\Temp\hovux.exe

Filesize
348KB

MD5
43b5d63fa610db5a752f9e033ead98f7

SHA1
86418385478f4a5095f8662a2069815afe8e1bea

SHA256
9138d0b9d922cab59faece8fca657e7f25cf441d1dbf51d28252aa0b6e63682e

SHA512
55844ab652abcdde007c6702e0cd2289810cd522f5949ffd17830c0603be79453b335df573671abc19cc0a083be272360ee0e06952dd03a528e92b5151fb7229

Download Submit
C:\Users\Admin\AppData\Local\Temp\mejyc.exe

Filesize
115KB

MD5
2543c5aabe34daf0cb8105819fb88c1d

SHA1
a4eea4d446084ab6b0961ac990dd1c225ef03fb3

SHA256
1c73da24cf861b64d2f99b2923e8c9da31b963bf091975cea1e45b0c32802294

SHA512
46fa0ef08b22610d1a4a8a817fd47f128faabf6941c6b012bf8bb9a506c2c4f519a07008452266584432d684956cd8e7f446ac78775be298d326a9c06425ca0f

Download Submit
memory/3916-15-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3916-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4596-40-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4596-23-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4596-26-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4768-25-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5084-38-0x0000000000E70000-0x0000000000EF2000-memory.dmp

Filesize
520KB

Download
memory/5084-42-0x0000000000E70000-0x0000000000EF2000-memory.dmp

Filesize
520KB

Download
memory/5084-43-0x0000000000E70000-0x0000000000EF2000-memory.dmp

Filesize
520KB

Download
memory/5084-44-0x0000000000E70000-0x0000000000EF2000-memory.dmp

Filesize
520KB

Download