urelas | 9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
Size

348KB
MD5

a89691f3add0a3fa328f60dacbb8e2aa
SHA1

a3fcdd5e991e835f7956c6ef5b30bb9c7f59b8a1
SHA256

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4
SHA512

409ad5f9e81d11f26b543611e327b1575589568bd6cebe568b3ff379f1361221a1e4a3925ecbe1ea51628d06d702309e6aa6c2182eb2100b340a8a1ef6e5e8fd
SSDEEP

6144:8/bE5G5KiR0J0dCsnGb/6VOpLc91WlvhDSNZ5c:g0G5obGGraOpUWlpZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exeevehp.exevucavu.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	evehp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	vucavu.exe

Executes dropped EXE 3 IoCs

Processes:

evehp.exevucavu.exesijuu.exe

pid	Process
3660	evehp.exe
4108	vucavu.exe
4436	sijuu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exeevehp.execmd.exevucavu.exesijuu.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vucavu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sijuu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sijuu.exe

pid	Process
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe
4436	sijuu.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exeevehp.exevucavu.exe

description	pid	Process	procid_target
PID 3736 wrote to memory of 3660	3736	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	83
PID 3736 wrote to memory of 3660	3736	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	83
PID 3736 wrote to memory of 3660	3736	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	83
PID 3736 wrote to memory of 4080	3736	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	84
PID 3736 wrote to memory of 4080	3736	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	84
PID 3736 wrote to memory of 4080	3736	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	84
PID 3660 wrote to memory of 4108	3660	evehp.exe	86
PID 3660 wrote to memory of 4108	3660	evehp.exe	86
PID 3660 wrote to memory of 4108	3660	evehp.exe	86
PID 4108 wrote to memory of 4436	4108	vucavu.exe	103
PID 4108 wrote to memory of 4436	4108	vucavu.exe	103
PID 4108 wrote to memory of 4436	4108	vucavu.exe	103
PID 4108 wrote to memory of 2008	4108	vucavu.exe	104
PID 4108 wrote to memory of 2008	4108	vucavu.exe	104
PID 4108 wrote to memory of 2008	4108	vucavu.exe	104

C:\Users\Admin\AppData\Local\Temp\9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
"C:\Users\Admin\AppData\Local\Temp\9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Users\Admin\AppData\Local\Temp\evehp.exe
  "C:\Users\Admin\AppData\Local\Temp\evehp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Users\Admin\AppData\Local\Temp\vucavu.exe
    "C:\Users\Admin\AppData\Local\Temp\vucavu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Users\Admin\AppData\Local\Temp\sijuu.exe
      "C:\Users\Admin\AppData\Local\Temp\sijuu.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
b89caf3f89bdc3a05fad57fdea44f33b

SHA1
0aee2d5cc1964c55063a72cafc6a9d64181de147

SHA256
559258294d38efd66a0db2609d230cc18252488cc852beeb269dcfa7054b761b

SHA512
f37f326a371a2e3093ec7d3a70fb04ba1c4fa070ba2308bd2eb35ec8e2589ea362f05a8f1b31bf16ea3e446c77d7acecfdbc22c4b8e27c5ae3d1712380eeb001

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
f2ae8246f3927151f352e04b2e3a603f

SHA1
68b53101d1b8bb79de11eaf3d1926f1d1d25e91b

SHA256
254dc6af7bef48c10c54b6885317e242b65967c2ccffbe6503d5eeaf7caeab65

SHA512
18e5e3f9f1115fe4c1e99453a8a6d9489dd6c42f3c9b09cea599be3cfcc3ab28dd21e4e60af658424ef093a549211d2ad6c1e5ae1809875267cd2f974587e67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\evehp.exe

Filesize
348KB

MD5
f9614d5c58e6e4ff20bcd56535a0cd90

SHA1
acc3b133cd2a5d049ada181b0a33d61a1965fcb2

SHA256
c6fbb334cd76bc0d80973d2cee8e6eaeeb876547b7eabe58fe5402112d003cc6

SHA512
32fbbd36b0796289da42a10eaa8fb18cff0c8e58a0de62f7f0d8c807c24f1f6caf8fab67344f53741fe5cee79302c34f4e54131f0ddd52b706cd66f1eebb8ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c4a30d3ea28ba5d5e5458f08be2e6d8d

SHA1
a903797008924b3c708d04ae02f7577a76db4b32

SHA256
d0ae973598e09b297e79f9fcebc367c8b0e552619bcf24b9903b85cc8a2d335b

SHA512
bb66a193c0d2dbb60b70af8bb48eec1e65e349166b955ba8264c6bba15269b4fe6ef586a407fdd06364c528e0c4c724a6a0e557ab567faeb2b4d6275fb2a71f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sijuu.exe

Filesize
115KB

MD5
fdd129656f09dedb15222c455d30dd5e

SHA1
a39bebf3613dc3c87f0e804ff0f2f13f3d3673dd

SHA256
411d67e74be3c4cb569099ba21fb0f689298c9f892364a31b27cfc41db4356c0

SHA512
cf5d301d1f2ea27a7baf972cb2c69a9b6ed37f0a467cfe43c46a2b1b2bd33fa65249c538ea3e81d2afd8b47fc4202d94a4bf757ce9551b56b40194280db93bdd

Download Submit
memory/3660-24-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3736-15-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3736-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4108-25-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4108-39-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4436-38-0x00000000006B0000-0x0000000000732000-memory.dmp

Filesize
520KB

Download
memory/4436-41-0x00000000006B0000-0x0000000000732000-memory.dmp

Filesize
520KB

Download
memory/4436-42-0x00000000006B0000-0x0000000000732000-memory.dmp

Filesize
520KB

Download
memory/4436-43-0x00000000006B0000-0x0000000000732000-memory.dmp

Filesize
520KB

Download
memory/4436-44-0x00000000006B0000-0x0000000000732000-memory.dmp

Filesize
520KB

Download
memory/4436-45-0x00000000006B0000-0x0000000000732000-memory.dmp

Filesize
520KB

Download
memory/4436-46-0x00000000006B0000-0x0000000000732000-memory.dmp

Filesize
520KB

Download