urelas | 4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe
Size

336KB
MD5

362cea37b4515362a69bbdbf1114b700
SHA1

eea2d6bcf28637859873bb040eb63ca183aff830
SHA256

4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3
SHA512

e0a76b767f46ced49414b3ee0d9fb3faa746be5a0133bc06a474d7c5600b769390c1250f2605f514e993794f74ec71a6b7bc9808b48733d116c87576ab4d0ac7
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYvRA:vHW138/iXWlK885rKlGSekcj66ci2m

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	hefuf.exe

Executes dropped EXE 2 IoCs

pid	Process
4308	hefuf.exe
1476	jynes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hefuf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jynes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe
1476	jynes.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 4308	748	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe	82
PID 748 wrote to memory of 4308	748	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe	82
PID 748 wrote to memory of 4308	748	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe	82
PID 748 wrote to memory of 5092	748	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe	83
PID 748 wrote to memory of 5092	748	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe	83
PID 748 wrote to memory of 5092	748	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe	83
PID 4308 wrote to memory of 1476	4308	hefuf.exe	94
PID 4308 wrote to memory of 1476	4308	hefuf.exe	94
PID 4308 wrote to memory of 1476	4308	hefuf.exe	94

C:\Users\Admin\AppData\Local\Temp\4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe
"C:\Users\Admin\AppData\Local\Temp\4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\hefuf.exe
  "C:\Users\Admin\AppData\Local\Temp\hefuf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\jynes.exe
    "C:\Users\Admin\AppData\Local\Temp\jynes.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
476212ace4b11e6545bf385d85d0b5f5

SHA1
801785d558f766f8e6b5646bf15ffe9f4ebc7e42

SHA256
d7b50bf22f81a6c1cae7d766345a68bcb0ba8a85bd943beaf7300077a0e038ca

SHA512
6ceee9e2aebc9cdc18328c5846060a823e58c6efff378bc84083f2e25569bdc5de5851833c95a51f09e854dfe51aadb356cdcf0457230987125adff322b5c01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d496d03aabe330076e1d9929cba54297

SHA1
2d135c8115e53c8dc5dd2cde6367f39e561a2505

SHA256
64ac4844e1d1a5ad9d5a4101e9e6a2a3b79ca9f984e56fe7e2169dbe00c5171f

SHA512
23f4ba9d0bc0dd4d2197c8745d863e7eef8bbc31a1d92ad3eebc3657e46d03269eee329bb86f08c69161d1d5ea864e0424c37092fdf75011018b8b72568333e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hefuf.exe

Filesize
336KB

MD5
d9c34b22fc4241256d4c621ab02d1b1d

SHA1
19100b4ece5e09382fd357ea6f9627e8cdb79bde

SHA256
264c2f562ed63a28a29fc13875abb84d7fc920bc6aca7ce015609e849c0b262e

SHA512
f10cd571db23f8efae820917945e53427ea7adc616e3fa93fa0410d8ee1bf91cdcb1f4d01dcc77f69fce285a349474258b7156d3d4e82613d4e0403fe06c24b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jynes.exe

Filesize
172KB

MD5
4f63a48f947ca504d147ecd09cd1bd65

SHA1
81bfb680ff67e4151966a322e7eedc7662c8ab3b

SHA256
ca1e0dc52ca7df325e0f8ff932c5cf85fc22d2d1f0e9dd184fbfdcfd78d877b4

SHA512
ee4f86309119d264a6d793786fc7db402be1fa99ebc54bfdc74c1fafad88df2ff7418fd41e52536cd1c1e74263f3014903104f048b3477b78e79037810158471

Download Submit
memory/748-1-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/748-0-0x0000000000630000-0x00000000006B1000-memory.dmp

Filesize
516KB

Download
memory/748-17-0x0000000000630000-0x00000000006B1000-memory.dmp

Filesize
516KB

Download
memory/1476-45-0x0000000000470000-0x0000000000509000-memory.dmp

Filesize
612KB

Download
memory/1476-37-0x0000000000470000-0x0000000000509000-memory.dmp

Filesize
612KB

Download
memory/1476-38-0x00000000013D0000-0x00000000013D2000-memory.dmp

Filesize
8KB

Download
memory/1476-41-0x0000000000470000-0x0000000000509000-memory.dmp

Filesize
612KB

Download
memory/1476-46-0x00000000013D0000-0x00000000013D2000-memory.dmp

Filesize
8KB

Download
memory/1476-47-0x0000000000470000-0x0000000000509000-memory.dmp

Filesize
612KB

Download
memory/1476-48-0x0000000000470000-0x0000000000509000-memory.dmp

Filesize
612KB

Download
memory/1476-49-0x0000000000470000-0x0000000000509000-memory.dmp

Filesize
612KB

Download
memory/1476-50-0x0000000000470000-0x0000000000509000-memory.dmp

Filesize
612KB

Download
memory/4308-20-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/4308-13-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/4308-40-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/4308-14-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download