urelas | d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Size

441KB
MD5

d1da72031f75e672f7186b06ba18db55
SHA1

7ae4e7a6ccaa68732aad13cf6e5a3c65bdae789b
SHA256

d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166
SHA512

a7477fa8383cca7cb1e55d5951ee95c8edbaaa1958ac7185f008db68af1920b8c51aed7be33747f6a05683bd7f22015e20dd8671ed9789de1ae9fbe934a5dd20
SSDEEP

12288:W33Xn66ga6ENOy+CDyepaccTCSjfkkItQU8eoPz:8Hn6/8NOy+CDQcciQpeoPz

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	tideq.exe

Executes dropped EXE 2 IoCs

pid	Process
2244	tideq.exe
3724	fuagj.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000705-33.dat	upx
behavioral2/memory/3724-39-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3724-41-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3724-42-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3724-43-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3724-44-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3724-45-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3724-46-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tideq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuagj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe
3724	fuagj.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2096	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Token: SeIncBasePriorityPrivilege	2096	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Token: 33	2244	tideq.exe
Token: SeIncBasePriorityPrivilege	2244	tideq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2244	2096	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	82
PID 2096 wrote to memory of 2244	2096	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	82
PID 2096 wrote to memory of 2244	2096	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	82
PID 2096 wrote to memory of 4144	2096	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	83
PID 2096 wrote to memory of 4144	2096	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	83
PID 2096 wrote to memory of 4144	2096	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	83
PID 2244 wrote to memory of 3724	2244	tideq.exe	94
PID 2244 wrote to memory of 3724	2244	tideq.exe	94
PID 2244 wrote to memory of 3724	2244	tideq.exe	94

C:\Users\Admin\AppData\Local\Temp\d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
"C:\Users\Admin\AppData\Local\Temp\d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\tideq.exe
  "C:\Users\Admin\AppData\Local\Temp\tideq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\fuagj.exe
    "C:\Users\Admin\AppData\Local\Temp\fuagj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
316a8e3d57c7016014f9447eaf8257b2

SHA1
2dd24c4ada0c35dfbfdae4eddfc868da3cdb2b96

SHA256
c42e345d73f9601b0824e3d301c1bdb80916f2e4c449fb332e1a34d99434f981

SHA512
3f29c0db5d8fc4e5831f26a94265cf42096f7c5a6133d386b86bf7a56261ad6df4764483965d8f48cb49ed73b1cdfc08716c68bc7443e09972a76956062095a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuagj.exe

Filesize
198KB

MD5
ddd0975311fc0c3aff6c61692a7aa1ba

SHA1
d4153522c7d1bf9417b26c7f57a00ea539887539

SHA256
0521a0b420421f12e09301e7332ab84a09f818c75575741d2c789abdbab79165

SHA512
a13351e421f84a10978837b60ba3e1220bf0972a9e8b7ec978495956efb707204adb9f4377e8421f87ae6079adf2355cd157d14bb2d1819496929d80391ff94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d7df750a5c47e6030878ffd63b8e86b0

SHA1
7c836f52a1e61198c13422cc3e483de3ba6591f1

SHA256
0476503e4d9de0a11feefbc76ce35ce76c936e9a8fb6824a133dc6d281d14ed9

SHA512
d2aa9d32e6010c7d5119d58b917d496db39dc14b0c5d6f06f1130b91ff7365ccfe33c1688728d5c487541751e3576bf321af95e60e91ea59f40a6eb5212f7eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tideq.exe

Filesize
441KB

MD5
0aeb052451f92b205c878d36e0a1e21f

SHA1
61a57b7e823583f4778d8c22a344248b6575aab5

SHA256
f285d88ed3d0b14f6d5e0b161b3ddbe61520c06c9d985b3e402924418f1948a0

SHA512
082f152bcb8bfcaa780fd9fbc046daa1bce86817a7b8bed91d63dff094ec666c55ab4d0689a1cd63cf81ab2f15f9b8b629e4a54ca785062b49bf4f77d19703ab

Download Submit
memory/2096-1-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2096-17-0x0000000000C60000-0x0000000000CDC000-memory.dmp

Filesize
496KB

Download
memory/2096-0-0x0000000000C60000-0x0000000000CDC000-memory.dmp

Filesize
496KB

Download
memory/2244-20-0x0000000000780000-0x00000000007FC000-memory.dmp

Filesize
496KB

Download
memory/2244-14-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2244-11-0x0000000000780000-0x00000000007FC000-memory.dmp

Filesize
496KB

Download
memory/2244-38-0x0000000000780000-0x00000000007FC000-memory.dmp

Filesize
496KB

Download
memory/3724-39-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3724-41-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3724-42-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3724-43-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3724-44-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3724-45-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3724-46-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download