urelas | a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
Size

271KB
MD5

8dcf36dbac7541e903b39079c481783f
SHA1

4da3e2ba8433500f27405fa79d4c55a7331d4506
SHA256

a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558
SHA512

7ee072cf3b38e8322584516e0909b4cc534f5ab6bcee68c364230b0dd7cbf586c83c319089f393936f5af0860f2e35e3b43f41c6e2709c31228896ab38fc2ec4
SSDEEP

6144:SPdhP7Vq2S8GYlH9LKeu5exdoW7KkYGuH6lY:uhPjSCKeu0oEYGTW

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	fulol.exe

Executes dropped EXE 2 IoCs

pid	Process
4532	fulol.exe
2304	numyf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fulol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	numyf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe
2304	numyf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 4532	2648	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	83
PID 2648 wrote to memory of 4532	2648	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	83
PID 2648 wrote to memory of 4532	2648	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	83
PID 2648 wrote to memory of 1108	2648	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	84
PID 2648 wrote to memory of 1108	2648	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	84
PID 2648 wrote to memory of 1108	2648	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	84
PID 4532 wrote to memory of 2304	4532	fulol.exe	102
PID 4532 wrote to memory of 2304	4532	fulol.exe	102
PID 4532 wrote to memory of 2304	4532	fulol.exe	102

C:\Users\Admin\AppData\Local\Temp\a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
"C:\Users\Admin\AppData\Local\Temp\a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\fulol.exe
  "C:\Users\Admin\AppData\Local\Temp\fulol.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\numyf.exe
    "C:\Users\Admin\AppData\Local\Temp\numyf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
708d4cab483a659dedbb37738fb4ea21

SHA1
dba1910f9df879daf0939d0bcf18ff430c8020af

SHA256
a918b58f9417c9b57405dc592be62246050dc940b8ddd8861510844b1f6a3d07

SHA512
6832aba9774eb549d59a9055888d403d1c15a2c9b6ab989f7040bc2e599732fc17f20f9b0481ad91ef612cebf64f45902a8352a4b3a7309bbe9565eac3ce1c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fulol.exe

Filesize
271KB

MD5
9fe51066b2a6e2c2e73720fafc29b59a

SHA1
62b4c575fb7e39807edfe8774e4af7beb3b5d1b9

SHA256
249ebb071ece795c73bd5e255d96d444a2ac64a24865c1a8b1e086adfa17cd8b

SHA512
dc896cbbdb14fc6918de88e8e93153d6c427f8147afa1a75358b43cd74e0015470186d2e934c3e71e7aca1b36784de7d3babb2f110c03d86650d2230ecd48585

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1284493edc1a8eb28798cab1b32d47a7

SHA1
84a86fa80d3eec0227e5a834c90af827274f8b6a

SHA256
e919116fbdfe83e04bf3c8bebbae5a7b1e77f712dd58a0b11628f4d1a2bbf3ab

SHA512
0a63d9ffc4dbd8d4cdca9aa662f4c77cc2c5310100151fe7b993edfcfdb6e9e153089bdae7748a1884d0062872d14adb06cc2231a99f7cfb784c65aebd273294

Download Submit
C:\Users\Admin\AppData\Local\Temp\numyf.exe

Filesize
291KB

MD5
1201b3b5f3057dceba33988ba0e7bcf8

SHA1
ba0a8d06e0c7138acf809186daae7af55e51053b

SHA256
f95e4c20fd472ab6904e4a876ae80491405d41b16054a396bb48231fe7c41e5a

SHA512
ff297be9d65093c623fba2b040e425fcd595fb2fc0cf2cc7ec2966285e6e280ee77848fcba826881d99a0571fa5584598eb1b4db48faa5f9515ca036cefc0175

Download Submit
memory/2648-0-0x0000000000380000-0x00000000003EE000-memory.dmp

Filesize
440KB

Download
memory/2648-1-0x0000000000950000-0x0000000000952000-memory.dmp

Filesize
8KB

Download
memory/2648-17-0x0000000000380000-0x00000000003EE000-memory.dmp

Filesize
440KB

Download
memory/4532-14-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

Filesize
8KB

Download
memory/4532-13-0x0000000000D90000-0x0000000000DFE000-memory.dmp

Filesize
440KB

Download
memory/4532-20-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

Filesize
8KB

Download
memory/4532-21-0x0000000000D90000-0x0000000000DFE000-memory.dmp

Filesize
440KB

Download
memory/4532-38-0x0000000000D90000-0x0000000000DFE000-memory.dmp

Filesize
440KB

Download