urelas | d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe
Size

337KB
MD5

21fc82e8da85bd4559bf9463b21daa93
SHA1

8cccfd8370ab062a34ad417d7869bfaab1992104
SHA256

d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a
SHA512

cb908c8bd1bf7e40d23d704ad942f264f0ce10715cb90b57045b7ad4954373f93eeae4e33dc58312358ed5e5b3e26d1c1040e7e384f84adf2f3dd5e0c763c65f
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKog3:vHW138/iXWlK885rKlGSekcj66ciT

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	tozuz.exe

Executes dropped EXE 2 IoCs

pid	Process
2248	tozuz.exe
4356	xucah.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xucah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tozuz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe
4356	xucah.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2248	2692	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe	83
PID 2692 wrote to memory of 2248	2692	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe	83
PID 2692 wrote to memory of 2248	2692	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe	83
PID 2692 wrote to memory of 2560	2692	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe	84
PID 2692 wrote to memory of 2560	2692	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe	84
PID 2692 wrote to memory of 2560	2692	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe	84
PID 2248 wrote to memory of 4356	2248	tozuz.exe	104
PID 2248 wrote to memory of 4356	2248	tozuz.exe	104
PID 2248 wrote to memory of 4356	2248	tozuz.exe	104

C:\Users\Admin\AppData\Local\Temp\d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe
"C:\Users\Admin\AppData\Local\Temp\d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\tozuz.exe
  "C:\Users\Admin\AppData\Local\Temp\tozuz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\xucah.exe
    "C:\Users\Admin\AppData\Local\Temp\xucah.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
e7e61a0f41fa47a08ecc1c01a21645c6

SHA1
faa399d6d1ce686f32c20fc6d42b52ab113ada96

SHA256
43c3026ec13d159889e3f7b0f1cb5b5ab6af294b0518dd6fb77dcc0ca11b154d

SHA512
1265ec182bb18e01356f71c0f8a164e6ba37d81b1b22874b83efc5c2e051eb1af037100441307ec2c93a6683f038d8755e93a93bd89501dc42c22416baab7d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ba6229698e3ed494fe47fe1da7e51882

SHA1
bc5f7a346500db0ef699793bd081fc080a3bf974

SHA256
5094385e5480a473dbf97372d126d705d26b0654ff84c42c466c33ee5a2e53f8

SHA512
05495601ed5187f3629b6f8ec93d56fc759039591482152d1c3c1ff46e266d426f4fa4f0da529925704c9b5b4354824c200b5b58f2bd3d6214548a99d62a1b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tozuz.exe

Filesize
337KB

MD5
70db355ae763c3a5fa2c679216482f9f

SHA1
e176b0bdadb1a38e3a1dac9f9d9e8b988c538aa9

SHA256
dbde85abf597998a343961089edeb437a528bc537b084c2981a096b6769ce3f7

SHA512
76db2e8fff570dff7bf3e7dab48509f110df3b4fe44a47bbab9e615182604aeb95fb3c6b0f8183beaf2b78bd55c4a37b2d2620f4200fd7c6ece147786d4d04e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xucah.exe

Filesize
172KB

MD5
e1b5380739da2d46d127df683a643c13

SHA1
5bba8529fac3f0bba75b214a39385461ead15495

SHA256
4b1fda04caf840c22a17ffb7fe501e3d39f0fc3b62d14258b786514c64eccfca

SHA512
5018a605c31006ab6fe68540ea3d2baac0adfcebe079a0f0de414b8afff91c7bc95ab54ba349afb4c290449002d79fc2c8f87ede3abafe426174378e8d8ed84b

Download Submit
memory/2248-21-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/2248-44-0x0000000000150000-0x00000000001D1000-memory.dmp

Filesize
516KB

Download
memory/2248-13-0x0000000000150000-0x00000000001D1000-memory.dmp

Filesize
516KB

Download
memory/2248-14-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/2248-20-0x0000000000150000-0x00000000001D1000-memory.dmp

Filesize
516KB

Download
memory/2692-17-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/2692-0-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/2692-1-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/4356-39-0x0000000000A70000-0x0000000000A72000-memory.dmp

Filesize
8KB

Download
memory/4356-40-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/4356-38-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/4356-47-0x0000000000A70000-0x0000000000A72000-memory.dmp

Filesize
8KB

Download
memory/4356-46-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/4356-48-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/4356-49-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/4356-50-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/4356-51-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download