urelas | a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 07:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe
Size

335KB
MD5

6b666dfa833ec6d0c62fb67a7ae87418
SHA1

e77f30d849a146b729de8854af4585a39367d7e7
SHA256

a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23
SHA512

c24e16a81378194d8c2369019b40d2da28ed72bb58e4cd39e990f4fbc22ab8bb87d3e4372567874d815490043c594c956e3cc2921d987d567bf1b6836ebd844f
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYm:vHW138/iXWlK885rKlGSekcj66cip

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	agjii.exe

Executes dropped EXE 2 IoCs

pid	Process
2056	agjii.exe
3992	vebyr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vebyr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agjii.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe
3992	vebyr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2056	1260	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe	82
PID 1260 wrote to memory of 2056	1260	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe	82
PID 1260 wrote to memory of 2056	1260	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe	82
PID 1260 wrote to memory of 2176	1260	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe	83
PID 1260 wrote to memory of 2176	1260	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe	83
PID 1260 wrote to memory of 2176	1260	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe	83
PID 2056 wrote to memory of 3992	2056	agjii.exe	94
PID 2056 wrote to memory of 3992	2056	agjii.exe	94
PID 2056 wrote to memory of 3992	2056	agjii.exe	94

C:\Users\Admin\AppData\Local\Temp\a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe
"C:\Users\Admin\AppData\Local\Temp\a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\agjii.exe
  "C:\Users\Admin\AppData\Local\Temp\agjii.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\vebyr.exe
    "C:\Users\Admin\AppData\Local\Temp\vebyr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
685536c0e1272446d2a40581313063da

SHA1
7ad7c85993b9969bb5262960be99ac1b5b35eaa7

SHA256
05edf07daa1cb8ad2f4362f1240218f1759dcc2ff1e8f843d751c46aaf385636

SHA512
6e584327e2aa9d1f6395b015e348f3b97dff9e617a22bcae11be4866b481d9ce32d8adc9306d1529341e631f161e48109ca5569882b4fb82bb5e80ef09dc629c

Download Submit
C:\Users\Admin\AppData\Local\Temp\agjii.exe

Filesize
335KB

MD5
333669c2726a8e00bf09696747bb9e12

SHA1
9a519892d58339cb224872552e850f6331497408

SHA256
7ae49ff58a25a5d589ce4afe21f4d48d5de18620e45d6c3cb0005886ec8f84ae

SHA512
9dce8a24996b7d099512c672fe2477010d92bd693d4c58caf2b77cea3c2e002ec001dc1f2df81a23f3dd1891f4692e8c2474f16d3b7310629b3fe5b7d18b4d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
23c5556d3f5c66e668a12297ce688eac

SHA1
e384ac6768d2aa81d83c15e586be15f8da7e183a

SHA256
a25ee5a371c59eb9be5a143158249d50844e4565eb9cd252834c12187610f1ce

SHA512
b053029f207760b869499f0aa3a69aa8b9a45023347810ad8e39fdb2773265cea9ea45123f75e0e14767767f0f78ec2c9e4fdfe347a55fcb4a5e991850b70a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\vebyr.exe

Filesize
172KB

MD5
694b958b51f822fbd6297d4d83cc4cc1

SHA1
57bb3b95736d027d365440e0d1082aa010d9ecc7

SHA256
80a238db918819de19d46bd3b94e3c7f96db217e5156564a76782e9db5567fde

SHA512
7ae3692b4d0e371a66e820ee02d896556f00b6d4a3298a5435c2e4e56699f20dda2e216987e32ad223840c856c3bbce94527c84dc8dcea25155941ade23f506e

Download Submit
memory/1260-1-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1260-17-0x00000000001D0000-0x0000000000251000-memory.dmp

Filesize
516KB

Download
memory/1260-0-0x00000000001D0000-0x0000000000251000-memory.dmp

Filesize
516KB

Download
memory/2056-42-0x0000000000930000-0x00000000009B1000-memory.dmp

Filesize
516KB

Download
memory/2056-13-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2056-11-0x0000000000930000-0x00000000009B1000-memory.dmp

Filesize
516KB

Download
memory/2056-20-0x0000000000930000-0x00000000009B1000-memory.dmp

Filesize
516KB

Download
memory/3992-38-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

Filesize
8KB

Download
memory/3992-37-0x00000000009A0000-0x0000000000A39000-memory.dmp

Filesize
612KB

Download
memory/3992-39-0x00000000009A0000-0x0000000000A39000-memory.dmp

Filesize
612KB

Download
memory/3992-45-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

Filesize
8KB

Download
memory/3992-44-0x00000000009A0000-0x0000000000A39000-memory.dmp

Filesize
612KB

Download
memory/3992-46-0x00000000009A0000-0x0000000000A39000-memory.dmp

Filesize
612KB

Download
memory/3992-47-0x00000000009A0000-0x0000000000A39000-memory.dmp

Filesize
612KB

Download
memory/3992-48-0x00000000009A0000-0x0000000000A39000-memory.dmp

Filesize
612KB

Download
memory/3992-49-0x00000000009A0000-0x0000000000A39000-memory.dmp

Filesize
612KB

Download