urelas | 965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe
Size

331KB
MD5

04585503f45c29d7aed015e16dfe1682
SHA1

59536b0d44f93421d6179d63866f9d49fc83d6f5
SHA256

965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda
SHA512

beaed660a7fd8123b30c2610e16dca0f488b4f292d85e0eafa418a1cb1f02a47be68c00c9277a10664d31e01797f24fa7aaeb31afed09143ec55406adfe4eb22
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYN:vHW138/iXWlK885rKlGSekcj66ciw

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2884	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2152	puxor.exe
3000	fivib.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe
2152	puxor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puxor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fivib.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe
3000	fivib.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2152	2128	965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe	30
PID 2128 wrote to memory of 2152	2128	965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe	30
PID 2128 wrote to memory of 2152	2128	965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe	30
PID 2128 wrote to memory of 2152	2128	965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe	30
PID 2128 wrote to memory of 2884	2128	965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe	31
PID 2128 wrote to memory of 2884	2128	965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe	31
PID 2128 wrote to memory of 2884	2128	965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe	31
PID 2128 wrote to memory of 2884	2128	965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe	31
PID 2152 wrote to memory of 3000	2152	puxor.exe	33
PID 2152 wrote to memory of 3000	2152	puxor.exe	33
PID 2152 wrote to memory of 3000	2152	puxor.exe	33
PID 2152 wrote to memory of 3000	2152	puxor.exe	33

C:\Users\Admin\AppData\Local\Temp\965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe
"C:\Users\Admin\AppData\Local\Temp\965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\puxor.exe
  "C:\Users\Admin\AppData\Local\Temp\puxor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\fivib.exe
    "C:\Users\Admin\AppData\Local\Temp\fivib.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
7e54542f6006fc0f7e9a20a367042d0b

SHA1
1876a468b71c69440b14b151cec2b236d5da990c

SHA256
e0f9e746e86d81c2b292190ecf44fe2b9f877a9dbe4cbd5f50332059032a29f4

SHA512
5a14eb1d1b7b3dda369faef1dc3995af591740cc98750e8368889e97d2afea13153eaacf87c9e02998fa5cac9711a0ae2c0964c56fd0683d0622702bfe423cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2da2b1fa4348105386817726cb3a2140

SHA1
d1524396088686ffca98559a670648924896a574

SHA256
3bc5f756e14f6d4748dd964df9eac86666b0ce4dd82b06518f9df563cf2dd091

SHA512
d4d9b49d018dc88f613516e7c141e236e9f76e0a02fac129fd0b34a159709cdb5370e58cbf0fc55215ce1d8d02eb1a43736e69df571c6754903f70dc3826ef65

Download Submit
\Users\Admin\AppData\Local\Temp\fivib.exe

Filesize
172KB

MD5
d124756e342c2f4842d02bb2959b062d

SHA1
e29bf65a1b173466e431139b92cad0d8ea561cd4

SHA256
5847417812ac40ee9c5084d3909f1906332164b527fbd5a18e71ed36d7bc436d

SHA512
98f37a3502ab31e2c1f374ca40e4a08922105bf73357121046240d40a4580de39df957fbfafcaf3255782712213ad619a7320152eec5b35565eb09919ad0b497

Download Submit
\Users\Admin\AppData\Local\Temp\puxor.exe

Filesize
331KB

MD5
7a44b712cd0d5723b07eea301aab2399

SHA1
3ff58975eab41d5392d3e7b856487e1d9fc74f41

SHA256
a1a13da677134d78df64c1b771d5763b4cc3c26ccd2c896ce5c01edf2e608ca8

SHA512
43430765d044cac3a8f46052625f05d886ea1e262f680d32efc7facea967220c01d82ee8733b33f4730d5bd7411e95821421b93d60b6dff989afa560a13e9115

Download Submit
memory/2128-0-0x0000000000E90000-0x0000000000F11000-memory.dmp

Filesize
516KB

Download
memory/2128-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2128-10-0x0000000002710000-0x0000000002791000-memory.dmp

Filesize
516KB

Download
memory/2128-21-0x0000000000E90000-0x0000000000F11000-memory.dmp

Filesize
516KB

Download
memory/2152-24-0x0000000000050000-0x00000000000D1000-memory.dmp

Filesize
516KB

Download
memory/2152-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2152-11-0x0000000000050000-0x00000000000D1000-memory.dmp

Filesize
516KB

Download
memory/2152-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2152-42-0x00000000037C0000-0x0000000003859000-memory.dmp

Filesize
612KB

Download
memory/2152-41-0x0000000000050000-0x00000000000D1000-memory.dmp

Filesize
516KB

Download
memory/3000-44-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/3000-43-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/3000-48-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/3000-49-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/3000-50-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/3000-51-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/3000-52-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download