urelas | cfdde0804dccc58de0f14e601521bb964160fb47184c0e007a0c2727164a8411

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

656b2a66c22215139e2dbadbe3fdda91bb50c0661408f626599519157b3d0097.exe
Size

448KB
MD5

726ec9f9f326359f6a2203567e629c8a
SHA1

88bd124d942a431d096c8fadffa3901cbd7888cb
SHA256

656b2a66c22215139e2dbadbe3fdda91bb50c0661408f626599519157b3d0097
SHA512

0c2f5997f0baa395b871aab739d04d21e5ef6257f4008c0332483c3bf2541cf3cec8fb81d9964d64ab26832dacf720455ab653484d1f5b4cfb4ab2e6726c9305
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpomn:PMpASIcWYx2U6hAJQn6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2824	dokak.exe
2752	saipwu.exe
2896	vibib.exe

Loads dropped DLL 3 IoCs

pid	Process
1620	656b2a66c22215139e2dbadbe3fdda91bb50c0661408f626599519157b3d0097.exe
2824	dokak.exe
2752	saipwu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dokak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saipwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vibib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	656b2a66c22215139e2dbadbe3fdda91bb50c0661408f626599519157b3d0097.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe
2896	vibib.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2824	1620	656b2a66c22215139e2dbadbe3fdda91bb50c0661408f626599519157b3d0097.exe	30
PID 1620 wrote to memory of 2824	1620	656b2a66c22215139e2dbadbe3fdda91bb50c0661408f626599519157b3d0097.exe	30
PID 1620 wrote to memory of 2824	1620	656b2a66c22215139e2dbadbe3fdda91bb50c0661408f626599519157b3d0097.exe	30
PID 1620 wrote to memory of 2824	1620	656b2a66c22215139e2dbadbe3fdda91bb50c0661408f626599519157b3d0097.exe	30
PID 1620 wrote to memory of 2968	1620	656b2a66c22215139e2dbadbe3fdda91bb50c0661408f626599519157b3d0097.exe	31
PID 1620 wrote to memory of 2968	1620	656b2a66c22215139e2dbadbe3fdda91bb50c0661408f626599519157b3d0097.exe	31
PID 1620 wrote to memory of 2968	1620	656b2a66c22215139e2dbadbe3fdda91bb50c0661408f626599519157b3d0097.exe	31
PID 1620 wrote to memory of 2968	1620	656b2a66c22215139e2dbadbe3fdda91bb50c0661408f626599519157b3d0097.exe	31
PID 2824 wrote to memory of 2752	2824	dokak.exe	33
PID 2824 wrote to memory of 2752	2824	dokak.exe	33
PID 2824 wrote to memory of 2752	2824	dokak.exe	33
PID 2824 wrote to memory of 2752	2824	dokak.exe	33
PID 2752 wrote to memory of 2896	2752	saipwu.exe	34
PID 2752 wrote to memory of 2896	2752	saipwu.exe	34
PID 2752 wrote to memory of 2896	2752	saipwu.exe	34
PID 2752 wrote to memory of 2896	2752	saipwu.exe	34
PID 2752 wrote to memory of 2928	2752	saipwu.exe	35
PID 2752 wrote to memory of 2928	2752	saipwu.exe	35
PID 2752 wrote to memory of 2928	2752	saipwu.exe	35
PID 2752 wrote to memory of 2928	2752	saipwu.exe	35

C:\Users\Admin\AppData\Local\Temp\656b2a66c22215139e2dbadbe3fdda91bb50c0661408f626599519157b3d0097.exe
"C:\Users\Admin\AppData\Local\Temp\656b2a66c22215139e2dbadbe3fdda91bb50c0661408f626599519157b3d0097.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\dokak.exe
  "C:\Users\Admin\AppData\Local\Temp\dokak.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\saipwu.exe
    "C:\Users\Admin\AppData\Local\Temp\saipwu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\vibib.exe
      "C:\Users\Admin\AppData\Local\Temp\vibib.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
92ab383871132f15bd5e0c0c27e37e1e

SHA1
3ec2d9ede0c8063bdf4c4ebf10769e9f230c9e13

SHA256
293e5c110c5babc0014225a85d4865e4e4f7b494f9e47066242574a787abc8b2

SHA512
74f0cd12d3afa1e014bd8c6f03f1b6cc87e5afbae48f68f04458f41568046df46ae4b813b85fd4f154d97d1055f841552169a00a603c6777599dc62f1b2d3f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c48ae6bdaa1e944f788d978682732a11

SHA1
944ac2a5fd7dff5c86c0049bc74d9a34543a3fc0

SHA256
060a2cd09817bd2987af09f5292c0c87772abe8d04790f346b44413f5b4fa99f

SHA512
864144b536dafc0231c4666300e919ddf2a671f1a212da60e74f26f4eb43de42f26fad710f51302bb82c8dc7e4aa81a57bccaf754e29da5b3cee607a1a830525

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8140a5630fbc82d410f15627bfd5f97e

SHA1
74083f440c2d31072c0c8e2de55af3ababa4d954

SHA256
94cdc817fb43b19cbbf7d4c3b930f5c5d8b513297493b7105a03aacc442286dc

SHA512
1994f537a57da4bc5df88143183bfa7c06e89c9637eaf975ba00b8375ae20c3704536ef44e290bcea177be73e0f2d1479bddf82a392060d92cfe4824f1864f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\saipwu.exe

Filesize
448KB

MD5
99c4b2b91aab0df35de4584fc4acea26

SHA1
409605b2f80f34a24b31ab45aefa1ecf3ca84c32

SHA256
6660c8b8aa5e60ef90f7fe4681746075982204a755330acaa15a8d55f0c2f1e2

SHA512
68fb5481edc37921f37378b1bd456891dcdc1f6b2ebf0c4477fc9904ce848f38a52f60175dd6450945e76a1a1e5b64d4b01d1589b682d0b36a99ed4bcb331aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vibib.exe

Filesize
223KB

MD5
0364128ed43565b7cf4ab64685fc318f

SHA1
e1fccc9580047497edd187aac9cb7c0360330d09

SHA256
a229a2dc84704e9134da34b2473064511cb888dac913f3aff484261eee24e9aa

SHA512
e62f8a204553a567263059e29edc662ca3a27524d06d0ed4543c7c082fdc0cfaa15971418fd031cb1c5bf5d6bcd53bb277ba50ee17c69d47a4bd711c232129f0

Download Submit
\Users\Admin\AppData\Local\Temp\dokak.exe

Filesize
448KB

MD5
e487a515eeab5801ea4a491f8218fedf

SHA1
3ad726a9dff716ea217a31ede538bf6b51e4eaa5

SHA256
d1d8fcd7df40b931988a6d58d787f06614184f60179b86e0841d0eb18538c6d7

SHA512
f9c31cf563d2c4ae22e6da3623a5f559b985d4a252c801dc169d5e36bf6b7f9fab8f31153ad9a2aa586aa2c2fddfa846f5208eec31f4d6aacc639ba0e337e703

Download Submit
memory/1620-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1620-17-0x00000000024D0000-0x000000000253E000-memory.dmp

Filesize
440KB

Download
memory/1620-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2752-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2752-31-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2752-46-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2824-27-0x0000000003770000-0x00000000037DE000-memory.dmp

Filesize
440KB

Download
memory/2824-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2824-18-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2896-47-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/2896-51-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/2896-52-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/2896-53-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/2896-54-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/2896-55-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download