urelas | 7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe
Size

336KB
MD5

7ec7de4e9a57cb8de75c702a35e702c6
SHA1

634f1f6c6db3418043a31b99f935e5443f3cef2d
SHA256

7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d
SHA512

386b747b5cbe93e99a2aeefff6bb47496d771da1c9998872ebbcf243cb9ffd604051860f2426d866f461af243fc2cd74c57a37b512307a800c1f5e121df0517a
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoZ:vHW138/iXWlK885rKlGSekcj66ciU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	jumus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe

Executes dropped EXE 2 IoCs

pid	Process
2136	jumus.exe
2792	fytyq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jumus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fytyq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe
2792	fytyq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 2136	4400	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe	82
PID 4400 wrote to memory of 2136	4400	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe	82
PID 4400 wrote to memory of 2136	4400	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe	82
PID 4400 wrote to memory of 2428	4400	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe	83
PID 4400 wrote to memory of 2428	4400	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe	83
PID 4400 wrote to memory of 2428	4400	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe	83
PID 2136 wrote to memory of 2792	2136	jumus.exe	94
PID 2136 wrote to memory of 2792	2136	jumus.exe	94
PID 2136 wrote to memory of 2792	2136	jumus.exe	94

C:\Users\Admin\AppData\Local\Temp\7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe
"C:\Users\Admin\AppData\Local\Temp\7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Users\Admin\AppData\Local\Temp\jumus.exe
  "C:\Users\Admin\AppData\Local\Temp\jumus.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\fytyq.exe
    "C:\Users\Admin\AppData\Local\Temp\fytyq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
76b21c83e369dfef0ab0116626e485ab

SHA1
f116adf90458be7049152f11cf92aa70247f9103

SHA256
9ac2aaac2b1d662c0053c29e325149c94ba14a2fb6d9eccc6425e58aa47e4aea

SHA512
07de4f68cf5e12fbe5e74d18bc3668b5a91afe073846592308353e1a2b7c464055c896aa366ece0bf0097dbceea3c5ec2f21f56a9b25ab47337f912fb1a0f7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fytyq.exe

Filesize
172KB

MD5
59fb23441574dd50fec42c5b6671ced5

SHA1
fc7f8e81b161aca6c6832ff401327a46460fd535

SHA256
a62182b9b463036a8e1819bad2d96bdc766006f7ae1fdffca5f2c788f73a524b

SHA512
d53fdb8073dc172c9533d3a70c94d8dab3c8127bfbc017328b8c87a0d026a3a457d07430b0e6f3a5576fad4dae56ef180418ee10076ec5e4a659849e735491f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
aa157a39321970f07da072bef1c3f536

SHA1
1bb35700d6b41210185547a9f5c4745f5b2e56a1

SHA256
7c1d7a189ca2cba64a096298f367deed729531d0593322d729ea93155f30dce6

SHA512
7815db87c30a6636393fb316f1cbfba81b9ee2a3da029728f29f8356c50c7e9d7a84127a91ff6de71a5623895ad8ccc5106fc8ce2b5d3dc4bb8a12c32d6056ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\jumus.exe

Filesize
336KB

MD5
af2c316fc1721e0dbd7c7768e9cbda91

SHA1
4e393b309468f2f387c90f11cb489e16ba87fee6

SHA256
447669fce1aefdc851cdfa0231421e0d9bde3497b37937dcd137e1daa84398cc

SHA512
1860fc0ce95ae5d21e579b60def4740e85d13b03b46e4c88e11c516bc51fe3d8e71895af2a176d69ebb9522c566ed62f4fe3a05386faaf55232f544223e45352

Download Submit
memory/2136-20-0x0000000000A00000-0x0000000000A81000-memory.dmp

Filesize
516KB

Download
memory/2136-40-0x0000000000A00000-0x0000000000A81000-memory.dmp

Filesize
516KB

Download
memory/2136-11-0x0000000000A00000-0x0000000000A81000-memory.dmp

Filesize
516KB

Download
memory/2136-14-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2792-46-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/2792-38-0x0000000000800000-0x0000000000802000-memory.dmp

Filesize
8KB

Download
memory/2792-41-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/2792-37-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/2792-45-0x0000000000800000-0x0000000000802000-memory.dmp

Filesize
8KB

Download
memory/2792-47-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/2792-48-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/2792-49-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/2792-50-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/4400-17-0x00000000006D0000-0x0000000000751000-memory.dmp

Filesize
516KB

Download
memory/4400-1-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4400-0-0x00000000006D0000-0x0000000000751000-memory.dmp

Filesize
516KB

Download