urelas | ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/10/2024, 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe
Size

331KB
MD5

f0dd240cd2f939bac9a5cdeeaef5bd0f
SHA1

2e5da045a18a8fc6e5c511161b81e677f29b81c0
SHA256

ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6
SHA512

967b5ef74ea32b59dedbb1dc522157b80933585304f2c1f99e0605800599ec500d6325d6d1643566d7488d925756d2ffc79e4c851da3fd2df33b7f00e08ed09c
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66ciY

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2492	ijigx.exe
768	fubys.exe

Loads dropped DLL 2 IoCs

pid	Process
2972	ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe
2492	ijigx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fubys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ijigx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe
768	fubys.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2492	2972	ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe	30
PID 2972 wrote to memory of 2492	2972	ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe	30
PID 2972 wrote to memory of 2492	2972	ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe	30
PID 2972 wrote to memory of 2492	2972	ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe	30
PID 2972 wrote to memory of 2768	2972	ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe	31
PID 2972 wrote to memory of 2768	2972	ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe	31
PID 2972 wrote to memory of 2768	2972	ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe	31
PID 2972 wrote to memory of 2768	2972	ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe	31
PID 2492 wrote to memory of 768	2492	ijigx.exe	34
PID 2492 wrote to memory of 768	2492	ijigx.exe	34
PID 2492 wrote to memory of 768	2492	ijigx.exe	34
PID 2492 wrote to memory of 768	2492	ijigx.exe	34

C:\Users\Admin\AppData\Local\Temp\ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe
"C:\Users\Admin\AppData\Local\Temp\ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\ijigx.exe
  "C:\Users\Admin\AppData\Local\Temp\ijigx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Users\Admin\AppData\Local\Temp\fubys.exe
    "C:\Users\Admin\AppData\Local\Temp\fubys.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8cd3cff4178cc59d085a3ecf5839d45d

SHA1
bd0d82aa555476a6a8a90c114672006cb938cf4a

SHA256
ab7d42261a64ff50596b350a591c5365158319d569c6d29093ec63ff149c3010

SHA512
26d222a62bf883fbab1bac9b4dab8c019d313b76a6601c9549a0d6f3cb8c41db46ba5eac7d57709290244672561f64c46ab479be170209e67a035c686f311efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3155313fe0802c1b34d4e782e3f64316

SHA1
d0cfbc5446512be926e3e478b2592598b9d6cddb

SHA256
a8e36a78d4bf79d7e667934732727b8670fb410645c94ac658afa761e4581588

SHA512
8422e091f35dbd0e5cea7beb0b48047727710dc95b976bc049417195f45ead951079dd29abad0694c8f763362d2adc1da0bec34f670f461636fb10488dda6541

Download Submit
\Users\Admin\AppData\Local\Temp\fubys.exe

Filesize
172KB

MD5
f5572f78aff8f4608dbe920c436fde1a

SHA1
11e28e5b890462be4c2078e45922e27ca02b47bc

SHA256
7dd4ed74a74882ec7ab971373924e1d247437ffe6d0ffeb6d552a0be88f9eb73

SHA512
9bfbd5733165689fd3a680a8908f96394a503735550dc0aebd99779a9e0d02e94e84e93bed46e64200002a5e81753f7e13ef2e59a6447b95fbd87b41f808040b

Download Submit
\Users\Admin\AppData\Local\Temp\ijigx.exe

Filesize
331KB

MD5
803a5f881408751dff093a4154457421

SHA1
d3d55dec319d7a82fcf77d1321bc33206c3b77cc

SHA256
07179c6d1c27c67fc72071237100ff31845577744cad6f8fafe15b60f32699d4

SHA512
7f5252363bc351e851c7ab9d3d5ca2d01c8ebfdf1fd46388b1ce682319233d30f916a27dde41a243c4676f2fcfb40cb109a649990af49f828bcf38e58b62ae82

Download Submit
memory/768-52-0x0000000001170000-0x0000000001209000-memory.dmp

Filesize
612KB

Download
memory/768-51-0x0000000001170000-0x0000000001209000-memory.dmp

Filesize
612KB

Download
memory/768-50-0x0000000001170000-0x0000000001209000-memory.dmp

Filesize
612KB

Download
memory/768-49-0x0000000001170000-0x0000000001209000-memory.dmp

Filesize
612KB

Download
memory/768-48-0x0000000001170000-0x0000000001209000-memory.dmp

Filesize
612KB

Download
memory/768-44-0x0000000001170000-0x0000000001209000-memory.dmp

Filesize
612KB

Download
memory/768-43-0x0000000001170000-0x0000000001209000-memory.dmp

Filesize
612KB

Download
memory/2492-25-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/2492-38-0x0000000003570000-0x0000000003609000-memory.dmp

Filesize
612KB

Download
memory/2492-42-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/2492-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2492-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2492-19-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/2972-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2972-21-0x00000000002D0000-0x0000000000351000-memory.dmp

Filesize
516KB

Download
memory/2972-17-0x00000000020F0000-0x0000000002171000-memory.dmp

Filesize
516KB

Download
memory/2972-0-0x00000000002D0000-0x0000000000351000-memory.dmp

Filesize
516KB

Download