urelas | cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe
Size

334KB
MD5

d06332b00b98add142bc2aac5c94a0f2
SHA1

86258a7f35b74d6c62f5e2ae7ec05cacfb105012
SHA256

cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c
SHA512

7a18fa80b1cae818a595adf9be937562e8148ca189b8ee785fef5a24a56f2ecf3641ca5a2096377e88a8ed8248a691c0b4bf7a93fe9cb13c1c997393b8645373
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYp:vHW138/iXWlK885rKlGSekcj66ciE

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2404	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2128	sokon.exe
2688	uztuv.exe

Loads dropped DLL 2 IoCs

pid	Process
1832	cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe
2128	sokon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uztuv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sokon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe
2688	uztuv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2128	1832	cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe	30
PID 1832 wrote to memory of 2128	1832	cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe	30
PID 1832 wrote to memory of 2128	1832	cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe	30
PID 1832 wrote to memory of 2128	1832	cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe	30
PID 1832 wrote to memory of 2404	1832	cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe	31
PID 1832 wrote to memory of 2404	1832	cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe	31
PID 1832 wrote to memory of 2404	1832	cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe	31
PID 1832 wrote to memory of 2404	1832	cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe	31
PID 2128 wrote to memory of 2688	2128	sokon.exe	34
PID 2128 wrote to memory of 2688	2128	sokon.exe	34
PID 2128 wrote to memory of 2688	2128	sokon.exe	34
PID 2128 wrote to memory of 2688	2128	sokon.exe	34

C:\Users\Admin\AppData\Local\Temp\cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe
"C:\Users\Admin\AppData\Local\Temp\cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\sokon.exe
  "C:\Users\Admin\AppData\Local\Temp\sokon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\uztuv.exe
    "C:\Users\Admin\AppData\Local\Temp\uztuv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
15820bc0f472e16c48367712bd45bc8a

SHA1
68b81be582dfe6da08dd2848db5309b4174e628f

SHA256
bb610dce6841a5444a54aaecea848fe5a3df3d83191371a57a844a87acb02fb1

SHA512
42643673844047646f4434a910876adf9b44b053ea6875e7df557bbbfcfe3d54900bc55ed37a7b42b3cfc7d0e1e5429fc4ddee766737f8c53417cc5a7b528bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e23c7f6e80cc792930b54c66703fc11a

SHA1
1ff4a940abb77b123ee64d4777b30fe2b251f21a

SHA256
87a9598c4de5b0c3e4f54b77adcd1c0c02bfcaf79ec41e1e7042bced8d268586

SHA512
c0a669c47a1acdc189e4714ca928a2782195555cf9a859ae1c36e9fa287bc17f4fa860e470a2fae9408554de51af554370a7e75007691446981dbc1b64389d37

Download Submit
\Users\Admin\AppData\Local\Temp\sokon.exe

Filesize
334KB

MD5
691b818c4f84d1606c12b7d1981bf8e8

SHA1
20bbe474d50c3e4dd4a6fb42bb573df80e30553f

SHA256
4c5304d540a9302093c0a4b431cbfdb25213335b675acc74eae90f6afd4663ee

SHA512
9749e9ce48a932451e66107413ec6f10ed8bf526707ddbb3ab0d001aa743eb08da5675d4bbd45b0e495d626d435bdd9b2d97ffce75f0d087c00d47a3b937025c

Download Submit
\Users\Admin\AppData\Local\Temp\uztuv.exe

Filesize
172KB

MD5
642798e9ef56459c758feb464db56c58

SHA1
473af29732118993fc5bc790eba345b1fd025589

SHA256
6d4055ad2a4d674c4c0a9cbcc7e2064eb950118a07880d8e63b76718fed4c8b4

SHA512
90af91ecda3a4b36c3b8cc4db9d3f22f5123a6a08a686746102cffdcdf9a84cad9ef5136431eb2d342bf0d109672a08450e512f661825d153f4fd48bf7ba1004

Download Submit
memory/1832-20-0x0000000000B60000-0x0000000000BE1000-memory.dmp

Filesize
516KB

Download
memory/1832-0-0x0000000000B60000-0x0000000000BE1000-memory.dmp

Filesize
516KB

Download
memory/1832-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1832-17-0x0000000002560000-0x00000000025E1000-memory.dmp

Filesize
516KB

Download
memory/2128-36-0x00000000032A0000-0x0000000003339000-memory.dmp

Filesize
612KB

Download
memory/2128-24-0x00000000013E0000-0x0000000001461000-memory.dmp

Filesize
516KB

Download
memory/2128-18-0x00000000013E0000-0x0000000001461000-memory.dmp

Filesize
516KB

Download
memory/2128-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2128-41-0x00000000013E0000-0x0000000001461000-memory.dmp

Filesize
516KB

Download
memory/2688-42-0x0000000000DB0000-0x0000000000E49000-memory.dmp

Filesize
612KB

Download
memory/2688-45-0x0000000000DB0000-0x0000000000E49000-memory.dmp

Filesize
612KB

Download
memory/2688-47-0x0000000000DB0000-0x0000000000E49000-memory.dmp

Filesize
612KB

Download
memory/2688-48-0x0000000000DB0000-0x0000000000E49000-memory.dmp

Filesize
612KB

Download
memory/2688-49-0x0000000000DB0000-0x0000000000E49000-memory.dmp

Filesize
612KB

Download
memory/2688-50-0x0000000000DB0000-0x0000000000E49000-memory.dmp

Filesize
612KB

Download
memory/2688-51-0x0000000000DB0000-0x0000000000E49000-memory.dmp

Filesize
612KB

Download