urelas | 0f83750854c1d9e4d4b2d2c987f59b752fa22895bf4d0c2a775e9792759b90e2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f83750854c1d9e4d4b2d2c987f59b752fa22895bf4d0c2a775e9792759b90e2.exe
Size

323KB
MD5

e6520cda3302a4a8df9e1f143e734a91
SHA1

3db20c8a148e73bc82627fbd2d6f0c1614503c31
SHA256

0f83750854c1d9e4d4b2d2c987f59b752fa22895bf4d0c2a775e9792759b90e2
SHA512

5a7cc1722dff2e8ab3dcfeaf55f49f569463a9d7dd8b684a03c69a586192db6dfcceb39ab77c3053f673a83c790a79c8472fc2c063bbd05dbf5c35c27d644dc1
SSDEEP

6144:cEo/rmV71+I8ZD/h/vFfhxxQO4B4tqv+Hq/On1NHwBzQ4bed76a3FoSx09:cEo/6YnZVB1rkAqcNAzQCed7J1oSG

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0f83750854c1d9e4d4b2d2c987f59b752fa22895bf4d0c2a775e9792759b90e2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	byobw.exe

Executes dropped EXE 2 IoCs

pid	Process
1684	byobw.exe
1636	seris.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2640-0-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/files/0x000a000000023b9a-6.dat	upx
behavioral2/memory/2640-13-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/1684-16-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/1684-36-0x0000000000400000-0x0000000000489000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f83750854c1d9e4d4b2d2c987f59b752fa22895bf4d0c2a775e9792759b90e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byobw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	seris.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe
1636	seris.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 1684	2640	0f83750854c1d9e4d4b2d2c987f59b752fa22895bf4d0c2a775e9792759b90e2.exe	82
PID 2640 wrote to memory of 1684	2640	0f83750854c1d9e4d4b2d2c987f59b752fa22895bf4d0c2a775e9792759b90e2.exe	82
PID 2640 wrote to memory of 1684	2640	0f83750854c1d9e4d4b2d2c987f59b752fa22895bf4d0c2a775e9792759b90e2.exe	82
PID 2640 wrote to memory of 1456	2640	0f83750854c1d9e4d4b2d2c987f59b752fa22895bf4d0c2a775e9792759b90e2.exe	83
PID 2640 wrote to memory of 1456	2640	0f83750854c1d9e4d4b2d2c987f59b752fa22895bf4d0c2a775e9792759b90e2.exe	83
PID 2640 wrote to memory of 1456	2640	0f83750854c1d9e4d4b2d2c987f59b752fa22895bf4d0c2a775e9792759b90e2.exe	83
PID 1684 wrote to memory of 1636	1684	byobw.exe	94
PID 1684 wrote to memory of 1636	1684	byobw.exe	94
PID 1684 wrote to memory of 1636	1684	byobw.exe	94

C:\Users\Admin\AppData\Local\Temp\0f83750854c1d9e4d4b2d2c987f59b752fa22895bf4d0c2a775e9792759b90e2.exe
"C:\Users\Admin\AppData\Local\Temp\0f83750854c1d9e4d4b2d2c987f59b752fa22895bf4d0c2a775e9792759b90e2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\byobw.exe
  "C:\Users\Admin\AppData\Local\Temp\byobw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\seris.exe
    "C:\Users\Admin\AppData\Local\Temp\seris.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c2d774e7579bf1c3fe84a63e3b795e80

SHA1
c42d7f986ea40c6dd8d8571e2c0b3652ae174ec8

SHA256
691ff54da1ba78f4db2a18db2f4f6e9cffb8a098e2075438cc22d4fc92df61d5

SHA512
d566242422bb1701d9477d2125f7f40fdbb0d5b96a848b8b21a321243c10b0533e36737e1979c6b62aee60c107614ec4f609c3fc6bce1ce388b82e2c91e23a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\byobw.exe

Filesize
323KB

MD5
1e221a8fdc173d8eaf1acf3176ac4615

SHA1
b888e8fb6631994d10ef25ae0e22cc0817c2f939

SHA256
85bb8d5e19fd8f4885306b3e3cca66b7d7781b760b3bccb01d6fc93e25e7fb72

SHA512
6d608b3b5adfb81a4638f770e88a8f7a42e1efb6ddef03347aa34e5ab587b20e1c873a43b98f5eb3d4bc12fe693f14dbbba8f362aaba546530eecd93438a4d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7b75df49bc2363d71e95dec6ee83e2fc

SHA1
ccd15d31f221a9e8933283ad5cb7b275c72b2dc3

SHA256
3500e43e861ffa67d510a3bae614fd08caf5936985c1247d5700f0de632d064c

SHA512
db73d48855fcb06ccb8efccee89b2d4a7abf50cfd27390093eea5dcd1189796c0adb436c356c9dc68fbbb43c386f63f89c3916a039939236238f717df8db75dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\seris.exe

Filesize
241KB

MD5
6c541f810f1b07cf15282242869e6d8f

SHA1
e2fc4f2eb9f13f8c397182f9ddd8067286c7c316

SHA256
1274a04ce683cfd94c24b61c176a5b0c235d692fac724d175b3f0ebd49db6b57

SHA512
6e4023fbc7eb56a2e6d6ca86a0faf1a0ca7a525754e944a32e60c9fbd6ed75a3754ac34980c4218c14621106e43be2d68e3726db7cbe5d0ae06fdb4f431d12af

Download Submit
memory/1636-34-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1636-33-0x0000000000180000-0x0000000000236000-memory.dmp

Filesize
728KB

Download
memory/1636-38-0x0000000000180000-0x0000000000236000-memory.dmp

Filesize
728KB

Download
memory/1636-39-0x0000000000180000-0x0000000000236000-memory.dmp

Filesize
728KB

Download
memory/1636-40-0x0000000000180000-0x0000000000236000-memory.dmp

Filesize
728KB

Download
memory/1636-41-0x0000000000180000-0x0000000000236000-memory.dmp

Filesize
728KB

Download
memory/1636-42-0x0000000000180000-0x0000000000236000-memory.dmp

Filesize
728KB

Download
memory/1684-16-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1684-36-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2640-13-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2640-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download