urelas | 8e9a28e111ea671d25fa85f6543a4ebcdbb76c38ca05b9e5092846c4b065a814

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e9a28e111ea671d25fa85f6543a4ebcdbb76c38ca05b9e5092846c4b065a814N.exe
Size

328KB
MD5

806e6a26699a3546344b9ff86ae56dd0
SHA1

fc102e45eabc6122eb62611967a8bc7ca6838b86
SHA256

8e9a28e111ea671d25fa85f6543a4ebcdbb76c38ca05b9e5092846c4b065a814
SHA512

265403dcab08e465312a3130918c41ed7e811b3c736664e00cfb6411e0ac6046425e5afd21c4eb6067e9085425781cccb63e9fea85daead22e1b0cc4174cbf67
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYE:vHW138/iXWlK885rKlGSekcj66cix

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
1644	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3012	vyfeq.exe
2856	upkid.exe

Loads dropped DLL 2 IoCs

pid	Process
2752	8e9a28e111ea671d25fa85f6543a4ebcdbb76c38ca05b9e5092846c4b065a814N.exe
3012	vyfeq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e9a28e111ea671d25fa85f6543a4ebcdbb76c38ca05b9e5092846c4b065a814N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vyfeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upkid.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe
2856	upkid.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 3012	2752	8e9a28e111ea671d25fa85f6543a4ebcdbb76c38ca05b9e5092846c4b065a814N.exe	30
PID 2752 wrote to memory of 3012	2752	8e9a28e111ea671d25fa85f6543a4ebcdbb76c38ca05b9e5092846c4b065a814N.exe	30
PID 2752 wrote to memory of 3012	2752	8e9a28e111ea671d25fa85f6543a4ebcdbb76c38ca05b9e5092846c4b065a814N.exe	30
PID 2752 wrote to memory of 3012	2752	8e9a28e111ea671d25fa85f6543a4ebcdbb76c38ca05b9e5092846c4b065a814N.exe	30
PID 2752 wrote to memory of 1644	2752	8e9a28e111ea671d25fa85f6543a4ebcdbb76c38ca05b9e5092846c4b065a814N.exe	31
PID 2752 wrote to memory of 1644	2752	8e9a28e111ea671d25fa85f6543a4ebcdbb76c38ca05b9e5092846c4b065a814N.exe	31
PID 2752 wrote to memory of 1644	2752	8e9a28e111ea671d25fa85f6543a4ebcdbb76c38ca05b9e5092846c4b065a814N.exe	31
PID 2752 wrote to memory of 1644	2752	8e9a28e111ea671d25fa85f6543a4ebcdbb76c38ca05b9e5092846c4b065a814N.exe	31
PID 3012 wrote to memory of 2856	3012	vyfeq.exe	34
PID 3012 wrote to memory of 2856	3012	vyfeq.exe	34
PID 3012 wrote to memory of 2856	3012	vyfeq.exe	34
PID 3012 wrote to memory of 2856	3012	vyfeq.exe	34

C:\Users\Admin\AppData\Local\Temp\8e9a28e111ea671d25fa85f6543a4ebcdbb76c38ca05b9e5092846c4b065a814N.exe
"C:\Users\Admin\AppData\Local\Temp\8e9a28e111ea671d25fa85f6543a4ebcdbb76c38ca05b9e5092846c4b065a814N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\vyfeq.exe
  "C:\Users\Admin\AppData\Local\Temp\vyfeq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\upkid.exe
    "C:\Users\Admin\AppData\Local\Temp\upkid.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
d4f89033836f69ba1149587b91f3f401

SHA1
5d9f9b0ffa292d6771effd0b9ec4b0372fbbe764

SHA256
b0aac222ed1e3b18b5c4a4c019e5d60daa41ec493d2ccbb831c353b6b26f08b1

SHA512
903884f9635fc683b132ff27354e47de935215c8ead2781302d63d725167711d0e573f66bbf362f4c191cdf2aa09846cd122be63fbcbc14a33ee3532831fad54

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a536348cc6122573922e2ce2d89cdd08

SHA1
80864bfa02399e278ecaa57235bbf985eb5ab2c2

SHA256
244b3efdf1432e97914fb45299abcbe4d4bf2b5aac7808b63c18ba886790961d

SHA512
f558e53dc03ff4e75788308004e147a02e0ec16efb30ef6c8518e5b83c07e4a2841c04c076ffe0846ead5153fe4a89cdd5fbff51409ccbb62ee3105b9c6fb4bc

Download Submit
\Users\Admin\AppData\Local\Temp\upkid.exe

Filesize
172KB

MD5
cc763db1dcd710ca378067f2fdc23b60

SHA1
f2e071005ab47f93aae9dd3df9936ba102e1a0b2

SHA256
2f52003ed01c20d68d6bce27ada1674f9d60058b6c0e9cf848981063b334e051

SHA512
46ae641363728968cd9ecd6a855f9ebb7ebacdb45fc515473241945d0089398c7c0eb6530008352eae69eb9aaaff9fdfc3dfd1ceb2d22b112d15c0e7fe0303b1

Download Submit
\Users\Admin\AppData\Local\Temp\vyfeq.exe

Filesize
328KB

MD5
8093b3cfe992733a07d329ec0967f58a

SHA1
edc7fec6b17777a96559912151dbd7fe8db271ca

SHA256
8db611243abe0287521c788612ae98acdf4069b28eccc42bad16179ee4f8d6d2

SHA512
c7f3817baaf687297ee972f10d7ba412b45224e3840d7665ed36774e2f9ebd3d65b6f595bfa7b0e7f2d566fb3a29963d93638b085f6be351a568c8857199e6c1

Download Submit
memory/2752-10-0x0000000000D00000-0x0000000000D81000-memory.dmp

Filesize
516KB

Download
memory/2752-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2752-0-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/2752-21-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/2856-39-0x0000000000F00000-0x0000000000F99000-memory.dmp

Filesize
612KB

Download
memory/2856-43-0x0000000000F00000-0x0000000000F99000-memory.dmp

Filesize
612KB

Download
memory/2856-47-0x0000000000F00000-0x0000000000F99000-memory.dmp

Filesize
612KB

Download
memory/2856-48-0x0000000000F00000-0x0000000000F99000-memory.dmp

Filesize
612KB

Download
memory/2856-49-0x0000000000F00000-0x0000000000F99000-memory.dmp

Filesize
612KB

Download
memory/2856-50-0x0000000000F00000-0x0000000000F99000-memory.dmp

Filesize
612KB

Download
memory/2856-51-0x0000000000F00000-0x0000000000F99000-memory.dmp

Filesize
612KB

Download
memory/3012-24-0x0000000000B30000-0x0000000000BB1000-memory.dmp

Filesize
516KB

Download
memory/3012-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3012-45-0x0000000000B30000-0x0000000000BB1000-memory.dmp

Filesize
516KB

Download
memory/3012-42-0x0000000003450000-0x00000000034E9000-memory.dmp

Filesize
612KB

Download
memory/3012-11-0x0000000000B30000-0x0000000000BB1000-memory.dmp

Filesize
516KB

Download