urelas | 94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2025, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe
Size

336KB
MD5

19b406150aae970923a4e9bc42c66055
SHA1

4e9391aa9520c698034cca8a91327ddd600e5a33
SHA256

94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514
SHA512

f21ac5c482a4089248f113e3048b71c977764a53c2d962ccb4dc81475be4533d32bf496d776f5a9bc806281db5a6db5bb66e045a54047ad550d2cb81553bd1c6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoH:vHW138/iXWlK885rKlGSekcj66ciI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	mixyp.exe

Executes dropped EXE 2 IoCs

pid	Process
4536	mixyp.exe
2124	xitod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixyp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xitod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe
2124	xitod.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 4536	3396	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	83
PID 3396 wrote to memory of 4536	3396	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	83
PID 3396 wrote to memory of 4536	3396	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	83
PID 3396 wrote to memory of 2044	3396	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	84
PID 3396 wrote to memory of 2044	3396	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	84
PID 3396 wrote to memory of 2044	3396	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	84
PID 4536 wrote to memory of 2124	4536	mixyp.exe	103
PID 4536 wrote to memory of 2124	4536	mixyp.exe	103
PID 4536 wrote to memory of 2124	4536	mixyp.exe	103

C:\Users\Admin\AppData\Local\Temp\94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe
"C:\Users\Admin\AppData\Local\Temp\94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Local\Temp\mixyp.exe
  "C:\Users\Admin\AppData\Local\Temp\mixyp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\xitod.exe
    "C:\Users\Admin\AppData\Local\Temp\xitod.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a50f54bc29a7cdfb931e2bf8607a518e

SHA1
8b117c06e00f4d79b128f8367d6900d999e971cc

SHA256
84cae3b8371c6af45250f3a8eef7cba289acc45afc0c810acbaf4efabf9b48df

SHA512
be6afa81df2fc657bc6fa3978a6784fe16f3e6393b264b34164eff8f77794a0e34bf894e38dec5cc1c22138d65099053c0848839d87d46c4d4701b363c1fd322

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a8abd3476e7721678e20fe6291cf076c

SHA1
0ef123324f6d6bbc295459ccdaf8726386ac304f

SHA256
c90382379715127314c8a063d61c1386536b5ce44efad8ae7697faf341034c56

SHA512
88e8ecbdd022cef50015212186a8ac804c0167d394e6ad01d4e38c658571f077548bd44fd8f700d248bac329edad03d2c6661b10b5bc165a910f343d6aadd9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mixyp.exe

Filesize
336KB

MD5
d9739b6c74525f0751d696a9c0ac9632

SHA1
a22d8cc1533ef319c5e7fbb70f2b20f83619f206

SHA256
c6eb0d1fd8bc4daf99655decb1d4f244fdf4d6ed119a0ff77e1e8cf0210e0b21

SHA512
8b13d32e3825485cdd40eb295e8303ab55af68947cfef14e4f781548741adc1de1c428df527aea9bd0944db257d8a7b3f12c2fdefb0c40a4640d71ae17560e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\xitod.exe

Filesize
172KB

MD5
600a5f1ee3e96a4067a20071bfc080cb

SHA1
aa3a1f2a82a441c69254e13f911c75261d90d637

SHA256
411f63f05a1cfed9e090fce0b8bfbb7719d6d95c8ab5f7298116a9176585da75

SHA512
0aac668edbda0a8b66d6375e923b154878440a01ae214f8bf5f0b55bdaf09cff6b3d56c930334ba1c7254ef05de3946762872c86fbeb3f1410ede67d9fd6e23d

Download Submit
memory/2124-46-0x00000000006E0000-0x00000000006E2000-memory.dmp

Filesize
8KB

Download
memory/2124-47-0x0000000000730000-0x00000000007C9000-memory.dmp

Filesize
612KB

Download
memory/2124-51-0x0000000000730000-0x00000000007C9000-memory.dmp

Filesize
612KB

Download
memory/2124-50-0x0000000000730000-0x00000000007C9000-memory.dmp

Filesize
612KB

Download
memory/2124-49-0x0000000000730000-0x00000000007C9000-memory.dmp

Filesize
612KB

Download
memory/2124-41-0x0000000000730000-0x00000000007C9000-memory.dmp

Filesize
612KB

Download
memory/2124-40-0x00000000006E0000-0x00000000006E2000-memory.dmp

Filesize
8KB

Download
memory/2124-48-0x0000000000730000-0x00000000007C9000-memory.dmp

Filesize
612KB

Download
memory/2124-42-0x0000000000730000-0x00000000007C9000-memory.dmp

Filesize
612KB

Download
memory/3396-17-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/3396-1-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3396-0-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/4536-21-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/4536-39-0x0000000000030000-0x00000000000B1000-memory.dmp

Filesize
516KB

Download
memory/4536-13-0x0000000000030000-0x00000000000B1000-memory.dmp

Filesize
516KB

Download
memory/4536-20-0x0000000000030000-0x00000000000B1000-memory.dmp

Filesize
516KB

Download
memory/4536-14-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download