urelas | 680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77e

Analysis

max time kernel
150s
max time network
92s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe
Size

329KB
MD5

7b3bf7bfd2f0a2aebfa9fdcb9f086770
SHA1

07b2ba679d18619d522fa3be509f2c2e00b24789
SHA256

680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77e
SHA512

b28c22a9a014a059d6fcadeefa97da1c318abacb6b52f85970661b049d5d09c3671b1ca22b9aab317bc337c62929cfc2be7cb86e4d7a237cab0b75d806705753
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYoY:vHW138/iXWlK885rKlGSekcj66ciu

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2512	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	kotuv.exe
2108	gubel.exe

Loads dropped DLL 2 IoCs

pid	Process
2412	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe
3068	kotuv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kotuv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gubel.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe
2108	gubel.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 3068	2412	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe	29
PID 2412 wrote to memory of 3068	2412	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe	29
PID 2412 wrote to memory of 3068	2412	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe	29
PID 2412 wrote to memory of 3068	2412	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe	29
PID 2412 wrote to memory of 2512	2412	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe	30
PID 2412 wrote to memory of 2512	2412	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe	30
PID 2412 wrote to memory of 2512	2412	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe	30
PID 2412 wrote to memory of 2512	2412	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe	30
PID 3068 wrote to memory of 2108	3068	kotuv.exe	32
PID 3068 wrote to memory of 2108	3068	kotuv.exe	32
PID 3068 wrote to memory of 2108	3068	kotuv.exe	32
PID 3068 wrote to memory of 2108	3068	kotuv.exe	32

C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe
"C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\kotuv.exe
  "C:\Users\Admin\AppData\Local\Temp\kotuv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\gubel.exe
    "C:\Users\Admin\AppData\Local\Temp\gubel.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
af5416b8428b7024077aca61c2fbc1e8

SHA1
6b1b9c4ff6c207c84eb39368680a8306bf800a3c

SHA256
31fdb35446b2485ff5d3ded870b3c1903ef2abd41c254edc92dd959f647bb4a3

SHA512
2f159410e5996080e31f9cf2228401668cc8e168d5cc0686578f07d31cb031ceb10332788609e6389f288d1c55158f81abad51fcf6ab6d1f90a2423f497904db

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6787e349d981a5d45797c00921d76359

SHA1
82142095f935c119eb12ce366d74f074e365b540

SHA256
2b7727fc94470d2c4bfa9d9e254d7f0ce7cf0f1ff90b00faa997d300b14f8b0c

SHA512
ea5f369b102c4b340aa4a1d78a270332eaef4ee5bfa1e1faea7865906763c5d1fdc6e405af067851288e7b62e6fc7ab1514aa991f814c09464a23abb8159b4be

Download Submit
\Users\Admin\AppData\Local\Temp\gubel.exe

Filesize
172KB

MD5
88a58f50cd8a744b697447fcceeb06e6

SHA1
b925fca0a426b79c57b86478400517895fe63b02

SHA256
94292c7486dee1f423f606b13ecde7eee8b6837af8d6bd56bc079a6b57436e84

SHA512
f9dd6a4186fb9eff1db23d6cc08e9ad44d7dde8d8427b650b1d124f1cd2803b746002ba00e99341717969ea640799c8d46a78d7795187351c566ddcbeb14319d

Download Submit
\Users\Admin\AppData\Local\Temp\kotuv.exe

Filesize
329KB

MD5
aeb1d50ed35297feff19de28117aff39

SHA1
840ee824e7c8f20d6960086e07d6889424b77bd3

SHA256
883f8b64d30ac6ab62f3b7d39bcd685582e701f18b13a0d9169b0e24d8112d96

SHA512
ebe700322a282de0fab7ebcc362f32a2bb1eccacfbc3663e0fa7400fbdb0a625ea6ed6071dd48feb317039ee2039fc28fcd97029c2c1047f7bf5960cccbedaed

Download Submit
memory/2108-44-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/2108-49-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/2108-52-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/2108-51-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/2108-50-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/2108-48-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/2108-43-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/2412-0-0x0000000001120000-0x00000000011A1000-memory.dmp

Filesize
516KB

Download
memory/2412-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2412-21-0x0000000001120000-0x00000000011A1000-memory.dmp

Filesize
516KB

Download
memory/2412-9-0x0000000000D20000-0x0000000000DA1000-memory.dmp

Filesize
516KB

Download
memory/3068-37-0x00000000035B0000-0x0000000003649000-memory.dmp

Filesize
612KB

Download
memory/3068-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3068-42-0x0000000000210000-0x0000000000291000-memory.dmp

Filesize
516KB

Download
memory/3068-24-0x0000000000210000-0x0000000000291000-memory.dmp

Filesize
516KB

Download
memory/3068-17-0x0000000000210000-0x0000000000291000-memory.dmp

Filesize
516KB

Download
memory/3068-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download