urelas | ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe
Size

336KB
MD5

af16791ad664dbfb2e700be33ef6833e
SHA1

200af680d9afd7478405ce73100275eb26dc451b
SHA256

ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb
SHA512

03b59cbff8889d256946b36507d8c460cc74536e76a52ed76c39bdb2b4c7f32d22ce2c33870a521cad376c759a85d6d4b4b08406916b7d566cfd0b3dd2b7c40e
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIrc:vHW138/iXWlK885rKlGSekcj66ci6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	izmix.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe

Executes dropped EXE 2 IoCs

pid	Process
3868	izmix.exe
1844	xedob.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xedob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	izmix.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe
1844	xedob.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3868	3076	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	84
PID 3076 wrote to memory of 3868	3076	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	84
PID 3076 wrote to memory of 3868	3076	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	84
PID 3076 wrote to memory of 2468	3076	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	85
PID 3076 wrote to memory of 2468	3076	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	85
PID 3076 wrote to memory of 2468	3076	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	85
PID 3868 wrote to memory of 1844	3868	izmix.exe	104
PID 3868 wrote to memory of 1844	3868	izmix.exe	104
PID 3868 wrote to memory of 1844	3868	izmix.exe	104

C:\Users\Admin\AppData\Local\Temp\ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe
"C:\Users\Admin\AppData\Local\Temp\ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\izmix.exe
  "C:\Users\Admin\AppData\Local\Temp\izmix.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\xedob.exe
    "C:\Users\Admin\AppData\Local\Temp\xedob.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b4e79e0f794ffabf6e410d4b9d8ab9e2

SHA1
6f8bf0c97b7d39bd1603de5d4132db36ce0b402f

SHA256
4bf337a3b57c15ad8b0975636630e8db677a9c8301a5566dab44a584b1205be2

SHA512
9b955287ecf2d8f385d1235357fada05901cbd75572556d9efc4eb12073d3b7f34f190e53c3c8668db98cb5357f65c4fa2531cad26eaa85bf25011559570ec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4f71ef62e800d17d5527ad5015ade7cc

SHA1
9834029101a2b4057691da76c4d03272d6bf0d90

SHA256
d016892a06917f394c2eacce624901f9f68504785276a476f6c75163e5ae501d

SHA512
efd01855d9e763175ecc4ee509dc4e8f8ddd6da74f218a1d0c11c010c905b13d6cadf48091559b4bfb0e5ed37e5efbd25fdf56956833a712b5c2da9c826c4f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\izmix.exe

Filesize
336KB

MD5
7fb93d9bca15da654f466ed27befc77c

SHA1
725896dd59cc5b1356d112a25d13ac2ee99e0752

SHA256
617f4a1988b5fd79edc32683c9eb35a24aad5ae7cd4faf11eec22eebd011022a

SHA512
31e86fc5fa4d372d68418f0064ac39736f9c869d03a883971a5766bdfa08e2600c8d352a82995e244aea6d856577e5a6fb19c29f5fe99a3fe5be103c70a88147

Download Submit
C:\Users\Admin\AppData\Local\Temp\xedob.exe

Filesize
172KB

MD5
d95d13f9edaf101c26b09e485fc62f7a

SHA1
3703bbbdeadb965f2caaf504f3260c0b5155e775

SHA256
01ad297924063b92bfa6e097591ed9bab6418a71be4107337ea943e83756182a

SHA512
30159dd70693a802d5ffcc1f201c8211822a1b722c4cef41bc22948f3d3567aa2d6fa1bc27d92cdf0c0bf4534bb260720606661b34d07ff3dce40aca7481fb80

Download Submit
memory/1844-46-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/1844-47-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/1844-50-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/1844-49-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/1844-39-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/1844-48-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/1844-38-0x0000000000DC0000-0x0000000000DC2000-memory.dmp

Filesize
8KB

Download
memory/1844-37-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/1844-45-0x0000000000DC0000-0x0000000000DC2000-memory.dmp

Filesize
8KB

Download
memory/3076-17-0x0000000000510000-0x0000000000591000-memory.dmp

Filesize
516KB

Download
memory/3076-1-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3076-0-0x0000000000510000-0x0000000000591000-memory.dmp

Filesize
516KB

Download
memory/3868-20-0x0000000000DE0000-0x0000000000E61000-memory.dmp

Filesize
516KB

Download
memory/3868-43-0x0000000000DE0000-0x0000000000E61000-memory.dmp

Filesize
516KB

Download
memory/3868-14-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3868-13-0x0000000000DE0000-0x0000000000E61000-memory.dmp

Filesize
516KB

Download