urelas | cf5fcd1ce26d83b71539b0edc1208adec76cf97e232d8156c8adfddb9d65b437

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LisectAVT_2403002C_109.exe
Size

164KB
MD5

6dcfa266f1fa61e2c654eab023ee2333
SHA1

9e1f2e7c59a64168e9d12464d4839a6fc834645d
SHA256

cf5fcd1ce26d83b71539b0edc1208adec76cf97e232d8156c8adfddb9d65b437
SHA512

185c9e64f795d1518983a1662a656de7996064753ae4a8bf374de941d948d7a7600e99e495a5c2b8284f6b2978615a9fc979ba144d01cf3f07092f50cd9305f4
SSDEEP

1536:TBozpvLpc3lM8/KedqfTnB8Yux9W1jVTTZufp6kKZLVBzRIUggnZkHuoILpPhHqH:NUvLa3mfTpNuAkKZZBdBeHuoILpPKoxk

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.28.139

121.88.5.183

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1892 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

poldge.exe

pid process

3048 poldge.exe
Loads dropped DLL 1 IoCs

Processes:

LisectAVT_2403002C_109.exe

pid process

2932 LisectAVT_2403002C_109.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1892	cmd.exe

pid	process
3048	poldge.exe

pid	process
2932	LisectAVT_2403002C_109.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LisectAVT_2403002C_109.exepoldge.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LisectAVT_2403002C_109.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poldge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

LisectAVT_2403002C_109.exe

description	pid	process	target process
PID 2932 wrote to memory of 3048	2932	LisectAVT_2403002C_109.exe	poldge.exe
PID 2932 wrote to memory of 3048	2932	LisectAVT_2403002C_109.exe	poldge.exe
PID 2932 wrote to memory of 3048	2932	LisectAVT_2403002C_109.exe	poldge.exe
PID 2932 wrote to memory of 3048	2932	LisectAVT_2403002C_109.exe	poldge.exe
PID 2932 wrote to memory of 1892	2932	LisectAVT_2403002C_109.exe	cmd.exe
PID 2932 wrote to memory of 1892	2932	LisectAVT_2403002C_109.exe	cmd.exe
PID 2932 wrote to memory of 1892	2932	LisectAVT_2403002C_109.exe	cmd.exe
PID 2932 wrote to memory of 1892	2932	LisectAVT_2403002C_109.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_109.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_109.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\poldge.exe
"C:\Users\Admin\AppData\Local\Temp\poldge.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
af6f90fee60d60070d9076eba7533c76

SHA1
015da84cb0cfce8699e8b1937dfac54a15e7e792

SHA256
14360d90f621ef9e1d84b269de67f782c9f6a904cf3226c2724d4898c157b687

SHA512
53ce60ef6f9dc9241d106d4e160833430e7855a221babf9835578096313a7a8ba1285df8d5620850ffe9f41f860e04e758a2f0be6fe688a87ea13d780234c3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
254B

MD5
a6fc5972d142fd74da41de5b0c86c553

SHA1
74c551de9a4782b40bbb3f95e9b4b97866f417da

SHA256
979d325a7f8b25b065f0335b5174b44bb167eadb2d0d94ba384a8fb6368b2ba1

SHA512
f25c2e2debc056dcd7ea87b287b8f3c665e28ae91833f8aeb043bc05a7244e716bdfffb385d7f93236cbc39983b8ec58e8010b5829e44ddee56ccf11122a0a87

Download Submit
\Users\Admin\AppData\Local\Temp\poldge.exe

Filesize
164KB

MD5
63b001078d86d01ba62fe619b96a75a8

SHA1
6ba21413e17e09e692d459667a6b761b092cf70d

SHA256
445ba0ccd26141c4b6ab1a10f7223b34a71f5b56fd68cf4676b30b18a4f46005

SHA512
e574b940e7f9075c9477042866ca8117186d64fc82a17ef9affde24417faa7e297ac0d554b78bd13c0cfa646a1478d895f0610646d411aafc1c9f3b7791c5657

Download Submit
memory/2932-0-0x0000000000D40000-0x0000000000D6F000-memory.dmp

Filesize
188KB

Download
memory/2932-6-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/2932-18-0x0000000000D40000-0x0000000000D6F000-memory.dmp

Filesize
188KB

Download
memory/3048-10-0x0000000000EA0000-0x0000000000ECF000-memory.dmp

Filesize
188KB

Download
memory/3048-21-0x0000000000EA0000-0x0000000000ECF000-memory.dmp

Filesize
188KB

Download