urelas | ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2024, 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
Size

335KB
MD5

a382b347737bdb4bd2bf3ac26c34ba03
SHA1

0ba6c6f58880260c32eb733350f7634eb245890c
SHA256

ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc
SHA512

390d29133ae5d769573875024024140790154290d0db373ca0181129886c332627f98e574d44500ba768848882b9fe90e7cc8732f448b9574ae642852dffe6b2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV9MC:vHW138/iXWlK885rKlGSekcj66ciE9MC

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	meqee.exe

Executes dropped EXE 2 IoCs

pid	Process
2392	meqee.exe
756	sucuj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sucuj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	meqee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe
756	sucuj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 2392	4004	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	82
PID 4004 wrote to memory of 2392	4004	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	82
PID 4004 wrote to memory of 2392	4004	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	82
PID 4004 wrote to memory of 1760	4004	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	83
PID 4004 wrote to memory of 1760	4004	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	83
PID 4004 wrote to memory of 1760	4004	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	83
PID 2392 wrote to memory of 756	2392	meqee.exe	94
PID 2392 wrote to memory of 756	2392	meqee.exe	94
PID 2392 wrote to memory of 756	2392	meqee.exe	94

C:\Users\Admin\AppData\Local\Temp\ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
"C:\Users\Admin\AppData\Local\Temp\ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\meqee.exe
  "C:\Users\Admin\AppData\Local\Temp\meqee.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\sucuj.exe
    "C:\Users\Admin\AppData\Local\Temp\sucuj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2327ead2b68b0439df68905a99174378

SHA1
04ebca76b854ae1a856e304d4ec9486322779513

SHA256
7fe90d95840f59e20765937b8c0f56231ec0e3582bf3c4e53fff1ff527b6f3d7

SHA512
2e9f26a14e31b968995305e6464afe2625679b99e3aeb28dd1b218a2630e78b9c9e6ab32bd597a17ad55cda4cd24701e2c3a7ccbf48cd0b26fe4e75c439ce6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3f7b06c223294f28ecc530f9d8ed7acd

SHA1
e832949bb0ee36e711bca9e72dc527770fff440c

SHA256
2e7f2a6311a4e26094c7ac6a2b40e8f483e9e8d63d7a6cb11e0839a1fb6ad35f

SHA512
d5f037a1db31edc93736bf57278dec610d02602e90b488b637cc707c191e7fa9a4f0c5124a95aa16c02c1cc46d83229b18fa93d400aea1ad48c03a3f1818405a

Download Submit
C:\Users\Admin\AppData\Local\Temp\meqee.exe

Filesize
335KB

MD5
baa6b0333c33e6b88b1b21dd647a30b3

SHA1
dea6464067e96065af96f9d8ae5e6d01d7b5285a

SHA256
dd9715200198fcf395e5837f94af98022eaa95454f9b9937b6a95278c65ddd36

SHA512
56a4f66c8ef3006d7aca055c919d8528a52befceff85ceda161365c9e9830fc9f28dbb65b22284ba1f81d4b2c47982b1da95b379adb63cb99befbdb82ad4d97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sucuj.exe

Filesize
172KB

MD5
c48d6a98651a0957c730d58176c53fa7

SHA1
1049c620158c9dc59d38ae71670acab39062b31d

SHA256
dd95957774950d59e0b3abbd9e379b05e1530b0f5e6c0c84ca1e87431da72885

SHA512
b1a03dca7f22b7b4fa029ac1f95cee9e2d25653669536a9fcd3adeb6ba59dbe100a14f5228f225c6e36c81210eaffc36e66fa1e2c87bc1930d11c460f3daced8

Download Submit
memory/756-44-0x00000000003B0000-0x0000000000449000-memory.dmp

Filesize
612KB

Download
memory/756-45-0x00000000005E0000-0x00000000005E2000-memory.dmp

Filesize
8KB

Download
memory/756-49-0x00000000003B0000-0x0000000000449000-memory.dmp

Filesize
612KB

Download
memory/756-48-0x00000000003B0000-0x0000000000449000-memory.dmp

Filesize
612KB

Download
memory/756-47-0x00000000003B0000-0x0000000000449000-memory.dmp

Filesize
612KB

Download
memory/756-46-0x00000000003B0000-0x0000000000449000-memory.dmp

Filesize
612KB

Download
memory/756-39-0x00000000005E0000-0x00000000005E2000-memory.dmp

Filesize
8KB

Download
memory/756-38-0x00000000003B0000-0x0000000000449000-memory.dmp

Filesize
612KB

Download
memory/756-40-0x00000000003B0000-0x0000000000449000-memory.dmp

Filesize
612KB

Download
memory/2392-37-0x0000000000F50000-0x0000000000FD1000-memory.dmp

Filesize
516KB

Download
memory/2392-19-0x0000000000F50000-0x0000000000FD1000-memory.dmp

Filesize
516KB

Download
memory/2392-12-0x0000000000F50000-0x0000000000FD1000-memory.dmp

Filesize
516KB

Download
memory/2392-14-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/4004-16-0x0000000000FA0000-0x0000000001021000-memory.dmp

Filesize
516KB

Download
memory/4004-0-0x0000000000FA0000-0x0000000001021000-memory.dmp

Filesize
516KB

Download
memory/4004-1-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download