urelas | 054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe
Size

506KB
MD5

abebef90eeaca5e12766b4b318c379a2
SHA1

614d5dbf8251213c64072690449fb18b91e2cf52
SHA256

054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522
SHA512

da2da22f747c00f0e6d6c2cb9f604576455ae7c6be72010b51d8400d2702a05eb08f1499f0231c6ea0d557b54557bd8178e948abd381a162219d0dc30c65d1f3
SSDEEP

12288:ndBNKTCqqwXCcdgT89+MvA+BisqYpxHtp:nLjQC+fs0j

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	luovt.exe

Executes dropped EXE 2 IoCs

pid	Process
2416	luovt.exe
4472	lelyy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lelyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luovt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe
4472	lelyy.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 2416	4368	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe	84
PID 4368 wrote to memory of 2416	4368	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe	84
PID 4368 wrote to memory of 2416	4368	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe	84
PID 4368 wrote to memory of 964	4368	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe	86
PID 4368 wrote to memory of 964	4368	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe	86
PID 4368 wrote to memory of 964	4368	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe	86
PID 2416 wrote to memory of 4472	2416	luovt.exe	106
PID 2416 wrote to memory of 4472	2416	luovt.exe	106
PID 2416 wrote to memory of 4472	2416	luovt.exe	106

C:\Users\Admin\AppData\Local\Temp\054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe
"C:\Users\Admin\AppData\Local\Temp\054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Local\Temp\luovt.exe
  "C:\Users\Admin\AppData\Local\Temp\luovt.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\lelyy.exe
    "C:\Users\Admin\AppData\Local\Temp\lelyy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3ed292fae746cd695b4bc6f47cb20942

SHA1
b8cb83ddfa3678cafb559ca3acec62ec9edcb763

SHA256
d6afa59f628fbed274d3df486bf09db1b24332800f823336b2d505299878b607

SHA512
08122b34d6002c73e01a0ebe7030d1a7f90b11c1cfb3f9711e61413f32819a4ea6aed5debbae6643764c5f3fadae329261a912b954e88965d9ec1725a665387b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3d02ba4b8ce81c0017cdc5007f849684

SHA1
0be38da5c3fbab1e540a37ffbd90d3871e43c96a

SHA256
7e6c4c727ebcd4a9e8b5ee6c25f01804de97000ef31ce1c1bf583177a76f75f5

SHA512
3e81820ec53ef5dcf4138ee604a909fd8c150c03aa4e4456992b57ca7585e937acc4a1b61bb0eb63b74f918589002e19aad1fc3a6d06a6c65889881b6d1e487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lelyy.exe

Filesize
241KB

MD5
ea7e6d485c0a4afe58773c50e08f8e85

SHA1
f2cd226460692d6d5514019e730c66f7cf38d433

SHA256
f1b5584d453b345372cf52ba5195579dcc130a4c466131854ce25865fafaec10

SHA512
32a5bcd1cc33d3ecf520e53a74038b861541096a4361adb8d3d8131d2d3988fd99d0bea8f9be1b03d0dfdbd5e15042e3f427724bf881ebd030aca73edf711485

Download Submit
C:\Users\Admin\AppData\Local\Temp\luovt.exe

Filesize
506KB

MD5
adaea7f9b0181e4865418fede5d50971

SHA1
c2bc8601d7423deca075d8e13ffb6279367dd023

SHA256
a0165a1069a2622b2b73a2cc6cc6be7c760c9ca56b3bc8ba4abf0f32167452fb

SHA512
ec57483fcb2bdccd51b314f18d5880e737ecf741898028bc24401bef3af7c7b02b14e837a28a819efac85f27bfa9bbdd5a2cfc36f09d5848809c5c2b0058f819

Download Submit
memory/2416-11-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4368-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4472-24-0x00000000006C0000-0x0000000000776000-memory.dmp

Filesize
728KB

Download
memory/4472-25-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4472-28-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4472-27-0x00000000006C0000-0x0000000000776000-memory.dmp

Filesize
728KB

Download
memory/4472-29-0x00000000006C0000-0x0000000000776000-memory.dmp

Filesize
728KB

Download
memory/4472-30-0x00000000006C0000-0x0000000000776000-memory.dmp

Filesize
728KB

Download
memory/4472-31-0x00000000006C0000-0x0000000000776000-memory.dmp

Filesize
728KB

Download
memory/4472-32-0x00000000006C0000-0x0000000000776000-memory.dmp

Filesize
728KB

Download