urelas | da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2024, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe
Size

514KB
MD5

91b0994aae31d7a21d910f3022501e9d
SHA1

53cc2876b04a7e80ef64f7c2cb8f28b4de652176
SHA256

da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f
SHA512

57aa2a357a9483bed17eb5bda655fd9cec4f592a649867e1aea4d89b9e723ed4be2d0219c2750317454fc098ccb310b2e42ffec3bd19c2e17a121a90e50caa72
SSDEEP

12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKo1:3MUv2LAv9AQ1p4dKI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	hoxip.exe

Executes dropped EXE 2 IoCs

pid	Process
5008	hoxip.exe
320	dobuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hoxip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dobuk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe
320	dobuk.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 5008	3016	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe	83
PID 3016 wrote to memory of 5008	3016	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe	83
PID 3016 wrote to memory of 5008	3016	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe	83
PID 3016 wrote to memory of 3024	3016	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe	84
PID 3016 wrote to memory of 3024	3016	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe	84
PID 3016 wrote to memory of 3024	3016	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe	84
PID 5008 wrote to memory of 320	5008	hoxip.exe	104
PID 5008 wrote to memory of 320	5008	hoxip.exe	104
PID 5008 wrote to memory of 320	5008	hoxip.exe	104

C:\Users\Admin\AppData\Local\Temp\da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe
"C:\Users\Admin\AppData\Local\Temp\da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\hoxip.exe
  "C:\Users\Admin\AppData\Local\Temp\hoxip.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\dobuk.exe
    "C:\Users\Admin\AppData\Local\Temp\dobuk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
35817d34375f348ae1f9b91d661b2ffe

SHA1
feabcd3b81cd5ad05fab936a28ba487b61566ba5

SHA256
3549519a27d8c0675de160580f4c34114920ecadefe039d0b7043bf0517b5646

SHA512
962fbf205d3af9b760189edb85bc3fc23ec7c0c64d3ee60497bb1df7dc65d78f186acd1e42a388311c05900f4ab25203f251f14349193e2c3a43ba17d40d83bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dobuk.exe

Filesize
172KB

MD5
24052b045c34c7561d19a42ac2475c98

SHA1
d83e97e58d8a94bf348304377b18ccf17aa958cf

SHA256
46352efc90f1608ff5511a7721c92137703e93cbc06b1cbaee41b1c79d4662bf

SHA512
e4bfe7342e3cfdc9d367083fc61d22589ce69e94873033c5d55acd57bb326c6310991edf405e9e325702a164fc5755e411e1cc45918baedc75532820b4b5024e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
feae456e528c6b16a7d75cd0bcc096af

SHA1
fa8bb10bfdb38bfe1bf0e4e6e8a6c9c9241b9c31

SHA256
50ce361daf5c1f04ca5807e25ef9896cdf2108b4e8bc22547a80ac827c03bbbc

SHA512
87f7ec41301c2cf45e602fc856b7a0d089f8b99aa845fe62fe97cd0940f7b03343b34333287b38deb109843b8e32c83d3518c9eea7cb09a85fa186de93b17191

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoxip.exe

Filesize
514KB

MD5
a8d6748adf76c4e3c066fdff985cb3c3

SHA1
92189e53edd37a46d850c1dfbf90e03a4d9bdb55

SHA256
d4ebd8665d2957247a8337d1ab3389fb772ee53882e065367f59b4eb34a6aef0

SHA512
f38fdd5c962b1caf97310cb7a0e7350b3d871dcce1b614ed74f330da1dcac719144a092fb6c2ad0b5fc57c86d27c2b7a85962932535c0fadd210602253092b6d

Download Submit
memory/320-34-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/320-35-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/320-38-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/320-37-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/320-36-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/320-26-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/320-29-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/320-28-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/320-33-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/3016-0-0x00000000000E0000-0x0000000000161000-memory.dmp

Filesize
516KB

Download
memory/3016-14-0x00000000000E0000-0x0000000000161000-memory.dmp

Filesize
516KB

Download
memory/5008-27-0x0000000000ED0000-0x0000000000F51000-memory.dmp

Filesize
516KB

Download
memory/5008-10-0x0000000000ED0000-0x0000000000F51000-memory.dmp

Filesize
516KB

Download
memory/5008-17-0x0000000000ED0000-0x0000000000F51000-memory.dmp

Filesize
516KB

Download