urelas | 1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
Size

337KB
MD5

e6b76480839da7c11075198a296521db
SHA1

16ea461d8ccd09bda7f9535d24448bc46d897425
SHA256

1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60
SHA512

3f0a99d13b9a77f0570f45c9be72c0e52ae34101de65924ee6091e2df8238c1e9e433453569b17ed8caa142fb603c3c163574a9f19063b0793a56665dc4fc440
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKCM:vHW138/iXWlK885rKlGSekcj66ciZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	miajh.exe

Executes dropped EXE 2 IoCs

pid	Process
456	miajh.exe
5096	otlil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	miajh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	otlil.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe
5096	otlil.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 456	2012	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	84
PID 2012 wrote to memory of 456	2012	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	84
PID 2012 wrote to memory of 456	2012	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	84
PID 2012 wrote to memory of 2436	2012	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	85
PID 2012 wrote to memory of 2436	2012	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	85
PID 2012 wrote to memory of 2436	2012	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	85
PID 456 wrote to memory of 5096	456	miajh.exe	103
PID 456 wrote to memory of 5096	456	miajh.exe	103
PID 456 wrote to memory of 5096	456	miajh.exe	103

C:\Users\Admin\AppData\Local\Temp\1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
"C:\Users\Admin\AppData\Local\Temp\1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\miajh.exe
  "C:\Users\Admin\AppData\Local\Temp\miajh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\otlil.exe
    "C:\Users\Admin\AppData\Local\Temp\otlil.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a0c488d232db3ca63d36e74b97204d55

SHA1
208d0c1a9151a12e595a11e8619232e6cd127acb

SHA256
11b4793224a20e7bd0c38fc6fb7fb81bbe7aee3223dc73ba80bcddd263054c05

SHA512
73a0f5565c767226837add0668e88825f0cc18b90859b32225eb5e5da5d93002c8a8cda5a01c07d8539e205e9ce393deb745a99c5e207409b88aeac4327721d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
48012d7024fa7cf87b63ef2ca8006c79

SHA1
544f08ed5381ed2de1ed6b0d3003565227f132de

SHA256
24c5daa49591f1571e709feb480161957b6fa725a7817c9785ff06c999d2b2d6

SHA512
7d29dd241f3cb621183fb0c38bd3371cca46bced08bf2e3b0403f86a09662277c28c6153b0bd2f5853106ff33db73fb91bd38b60781bcbe0fbab760137de9a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\miajh.exe

Filesize
337KB

MD5
ed0e00f86ab4690bab18fa323da6a616

SHA1
a78c467c0909d46226d18dbdb662b5f07d9b9077

SHA256
70e6b4b6f953d465f64f184a2fb4feb8b30452d93e3527248811051736114696

SHA512
869efc8f9b62f5709cbb0c1f3fde4ea058999f7d40d86ba5c96022879de3487065f94933f14abad9aafebeaedb6bfc53104f5bdb6c828f951c50c5e9cf9afc02

Download Submit
C:\Users\Admin\AppData\Local\Temp\otlil.exe

Filesize
172KB

MD5
19bd238ec168530721c50b107e9424c9

SHA1
609f0d6d5a5104aa4714ad6e079c42abd4eeaed7

SHA256
ae282ff4069e82a3c7933641e34479cfd77b0a02a398491ff115164f74734255

SHA512
496adbacb84ae1dc1a235a3860b22e9fe9edabeea3d7e9345789717a2853fbff92adca4950517d7c97e51584ee1ea6c3634619160abf655776fd1754cf1b39d8

Download Submit
memory/456-11-0x0000000000E20000-0x0000000000EA1000-memory.dmp

Filesize
516KB

Download
memory/456-44-0x0000000000E20000-0x0000000000EA1000-memory.dmp

Filesize
516KB

Download
memory/456-20-0x0000000000E20000-0x0000000000EA1000-memory.dmp

Filesize
516KB

Download
memory/456-14-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/456-21-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/2012-17-0x0000000000C70000-0x0000000000CF1000-memory.dmp

Filesize
516KB

Download
memory/2012-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2012-0-0x0000000000C70000-0x0000000000CF1000-memory.dmp

Filesize
516KB

Download
memory/5096-39-0x0000000000F70000-0x0000000000F72000-memory.dmp

Filesize
8KB

Download
memory/5096-38-0x0000000000500000-0x0000000000599000-memory.dmp

Filesize
612KB

Download
memory/5096-40-0x0000000000500000-0x0000000000599000-memory.dmp

Filesize
612KB

Download
memory/5096-46-0x0000000000F70000-0x0000000000F72000-memory.dmp

Filesize
8KB

Download
memory/5096-47-0x0000000000500000-0x0000000000599000-memory.dmp

Filesize
612KB

Download
memory/5096-48-0x0000000000500000-0x0000000000599000-memory.dmp

Filesize
612KB

Download
memory/5096-49-0x0000000000500000-0x0000000000599000-memory.dmp

Filesize
612KB

Download
memory/5096-50-0x0000000000500000-0x0000000000599000-memory.dmp

Filesize
612KB

Download
memory/5096-51-0x0000000000500000-0x0000000000599000-memory.dmp

Filesize
612KB

Download