urelas | 46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 00:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe
Size

371KB
MD5

daba502d270d8c7970e6413e70ad64f0
SHA1

64c12ff1354120dff0c71955d7639167941cd06a
SHA256

46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554
SHA512

a33791bb0d18cda7b3591b5f2088ed2f7f1c6f72d28cbf7ac34a49d60b4363f8f5866297c0a30616f74c6ccb256f98d88a97f4178d7a2387d8a3ccaecd94f2cf
SSDEEP

6144:CuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62pl1:CzGL2C2aZ2/F1WHHUaveOHjT/

Score

10^/10

urelas discovery trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2960	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1460	giviu.exe
2820	igdoc.exe

Loads dropped DLL 3 IoCs

pid	Process
1416	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe
1460	giviu.exe
1460	giviu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igdoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	giviu.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe
2820	igdoc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1460	1416	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe	31
PID 1416 wrote to memory of 1460	1416	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe	31
PID 1416 wrote to memory of 1460	1416	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe	31
PID 1416 wrote to memory of 1460	1416	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe	31
PID 1416 wrote to memory of 2960	1416	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe	32
PID 1416 wrote to memory of 2960	1416	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe	32
PID 1416 wrote to memory of 2960	1416	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe	32
PID 1416 wrote to memory of 2960	1416	46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe	32
PID 1460 wrote to memory of 2820	1460	giviu.exe	35
PID 1460 wrote to memory of 2820	1460	giviu.exe	35
PID 1460 wrote to memory of 2820	1460	giviu.exe	35
PID 1460 wrote to memory of 2820	1460	giviu.exe	35

C:\Users\Admin\AppData\Local\Temp\46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe
"C:\Users\Admin\AppData\Local\Temp\46b06d0169d9e4331fac4aa4bcc0af6b359f7c7cb287bf26af4744705eca7554N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\giviu.exe
  "C:\Users\Admin\AppData\Local\Temp\giviu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Users\Admin\AppData\Local\Temp\igdoc.exe
    "C:\Users\Admin\AppData\Local\Temp\igdoc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
fed8c560b73e9461d78fc6e623425571

SHA1
93569ed3aed6cd3c92d4ee8d8b799110f408298a

SHA256
42542ad4667a0e43dff5283567dad6e8a2995366ba7547c822e5734fcd782100

SHA512
8a1077eaf322748550ab7ce22431c00b011858bdac085de84b9843b4e2efad4517bffa249f1115acff7a51c0e76e43972e73c9335679d8e5bce04af695b06310

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b80b9cab2ee251bc89460bc3180133a1

SHA1
822b8ca35650bba62449e3d2f88e302abdc0183b

SHA256
600c6ac49464a6d1f6dc5852d8b9b2f78d1a06d39d0c21d510c3f97779c67e5a

SHA512
f748a6df1980e1d7d787d92ce1e54925a4f770b55b8e94ba0dd3b70ed49e4a04bc02046bcd9459beb4101e63589a95d8dd46f8ed193b6779b2e042f30f27bc24

Download Submit
\Users\Admin\AppData\Local\Temp\giviu.exe

Filesize
371KB

MD5
1223ff2544de52398a3594b9030521b3

SHA1
3197a56f107c8c756389b09075c8e2bf0ef4b8b4

SHA256
b9f319607d80aa583f3910f8ccaf0b3b3383b24c04b6ed33a3244ea58b196a8d

SHA512
f8a4e1fb2061c092a09055bb56a857a189b6fd52b7ae1ff00d772f41b1bc194405791a2d7f7e1efa494ffbc8226e9a83c3de05665b6ed19fd99065f10e19792a

Download Submit
\Users\Admin\AppData\Local\Temp\igdoc.exe

Filesize
303KB

MD5
d5698d17994201c8a1fa206555f7e56b

SHA1
3a67945ba5edc3c4b503d6cce027c2d48f92fa12

SHA256
48c62e86bb798056644dc8b682cf758154b48ac2cd38360d9d5cdd2b806758e8

SHA512
bf1b4978e3327f3ed32f114c585f59e46e74119e0f441074fd6219bc6b048a5b42e4c3f35b5a78fa06de2db7f54b2a2e9c111a100393d85211e0e14baae9d161

Download Submit