urelas | d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Size

441KB
MD5

d1da72031f75e672f7186b06ba18db55
SHA1

7ae4e7a6ccaa68732aad13cf6e5a3c65bdae789b
SHA256

d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166
SHA512

a7477fa8383cca7cb1e55d5951ee95c8edbaaa1958ac7185f008db68af1920b8c51aed7be33747f6a05683bd7f22015e20dd8671ed9789de1ae9fbe934a5dd20
SSDEEP

12288:W33Xn66ga6ENOy+CDyepaccTCSjfkkItQU8eoPz:8Hn6/8NOy+CDQcciQpeoPz

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	jeabv.exe

Executes dropped EXE 2 IoCs

pid	Process
1268	jeabv.exe
1260	koojf.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000705-33.dat	upx
behavioral2/memory/1260-37-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1260-41-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1260-42-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1260-43-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1260-44-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1260-45-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1260-46-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeabv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	koojf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe
1260	koojf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2676	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Token: SeIncBasePriorityPrivilege	2676	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Token: 33	1268	jeabv.exe
Token: SeIncBasePriorityPrivilege	1268	jeabv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 1268	2676	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	83
PID 2676 wrote to memory of 1268	2676	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	83
PID 2676 wrote to memory of 1268	2676	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	83
PID 2676 wrote to memory of 4884	2676	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	84
PID 2676 wrote to memory of 4884	2676	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	84
PID 2676 wrote to memory of 4884	2676	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	84
PID 1268 wrote to memory of 1260	1268	jeabv.exe	104
PID 1268 wrote to memory of 1260	1268	jeabv.exe	104
PID 1268 wrote to memory of 1260	1268	jeabv.exe	104

C:\Users\Admin\AppData\Local\Temp\d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
"C:\Users\Admin\AppData\Local\Temp\d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\jeabv.exe
  "C:\Users\Admin\AppData\Local\Temp\jeabv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Users\Admin\AppData\Local\Temp\koojf.exe
    "C:\Users\Admin\AppData\Local\Temp\koojf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
316a8e3d57c7016014f9447eaf8257b2

SHA1
2dd24c4ada0c35dfbfdae4eddfc868da3cdb2b96

SHA256
c42e345d73f9601b0824e3d301c1bdb80916f2e4c449fb332e1a34d99434f981

SHA512
3f29c0db5d8fc4e5831f26a94265cf42096f7c5a6133d386b86bf7a56261ad6df4764483965d8f48cb49ed73b1cdfc08716c68bc7443e09972a76956062095a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2db8a4d60086277ac357fdbdeeabba60

SHA1
5d99cf4fd42fd5c92216444a4e322c0a0a97892b

SHA256
c9e20d5339162152821614ce0f39c9ab0ff75631abd326b6c63af96b8cb3cdc3

SHA512
474123dc76f51a8fabcc3be75e704dcc62f1511bed06787c738c331e11b1e8d1b8deb67698e216d60e3ca2e27638de460a35f693a0ca8d5971625c65a3f90b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeabv.exe

Filesize
441KB

MD5
52e995687c5cbd681ae7976169b8bda3

SHA1
4677a29f7e3108585da40cf690135cdd0a2e7a49

SHA256
442157d2687510c22108e53ddcf0166fe73fb5f01841bcdeaff40ed815cf9557

SHA512
ab1d89345a57ac801568755cd2c275f87c9ad702a4b06770f22ff4f398971aea4ee5ae5ee16440c8e22c2e187dacdddd2a71aa2bf2acdb1036b5d36ac0793020

Download Submit
C:\Users\Admin\AppData\Local\Temp\koojf.exe

Filesize
198KB

MD5
afd9432c441d0563847cedd0c0ad737b

SHA1
2d9551ad0d12c9ac94d08397237dcd52bc458f9f

SHA256
ca9393b8e0b96bd2969b03fb19df85ed91038e1b6a0696f95bcc08c9fd88f158

SHA512
090410a1bc75a2c6d1fe716c28c0d1bc2bfc570627078318fcedf4724910cf5f481fe8eb5af6d229857fdb517b333594b47de1e8e884786c4e9ec343bf28cc1d

Download Submit
memory/1260-41-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1260-46-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1260-45-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1260-44-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1260-43-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1260-42-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1260-37-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1268-17-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/1268-39-0x00000000006C0000-0x000000000073C000-memory.dmp

Filesize
496KB

Download
memory/1268-20-0x00000000006C0000-0x000000000073C000-memory.dmp

Filesize
496KB

Download
memory/1268-11-0x00000000006C0000-0x000000000073C000-memory.dmp

Filesize
496KB

Download
memory/2676-16-0x00000000009A0000-0x0000000000A1C000-memory.dmp

Filesize
496KB

Download
memory/2676-0-0x00000000009A0000-0x0000000000A1C000-memory.dmp

Filesize
496KB

Download
memory/2676-1-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download