urelas | 4cba7ca7ea7812ea7715d1307891c57b554d7a7152478af307ec295e253c57ea

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cba7ca7ea7812ea7715d1307891c57b554d7a7152478af307ec295e253c57ea.exe
Size

330KB
MD5

9ef1fa025984f1809c6e2b50323203b0
SHA1

8dc7817731dd61874c7c559ebcd141d507066ff5
SHA256

4cba7ca7ea7812ea7715d1307891c57b554d7a7152478af307ec295e253c57ea
SHA512

3ea3c64ce303f8410bc05ec58f3bc2b5c99281d20d3899098c1d1266ded626152de51e586dea272e6df0f3b3c7d180675b46124672d90671aa42d2d1acc9edb4
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYq:vHW138/iXWlK885rKlGSekcj66civ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
1300	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2836	roybn.exe
2144	domuv.exe

Loads dropped DLL 2 IoCs

pid	Process
2896	4cba7ca7ea7812ea7715d1307891c57b554d7a7152478af307ec295e253c57ea.exe
2836	roybn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4cba7ca7ea7812ea7715d1307891c57b554d7a7152478af307ec295e253c57ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	roybn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	domuv.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe
2144	domuv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2836	2896	4cba7ca7ea7812ea7715d1307891c57b554d7a7152478af307ec295e253c57ea.exe	28
PID 2896 wrote to memory of 2836	2896	4cba7ca7ea7812ea7715d1307891c57b554d7a7152478af307ec295e253c57ea.exe	28
PID 2896 wrote to memory of 2836	2896	4cba7ca7ea7812ea7715d1307891c57b554d7a7152478af307ec295e253c57ea.exe	28
PID 2896 wrote to memory of 2836	2896	4cba7ca7ea7812ea7715d1307891c57b554d7a7152478af307ec295e253c57ea.exe	28
PID 2896 wrote to memory of 1300	2896	4cba7ca7ea7812ea7715d1307891c57b554d7a7152478af307ec295e253c57ea.exe	29
PID 2896 wrote to memory of 1300	2896	4cba7ca7ea7812ea7715d1307891c57b554d7a7152478af307ec295e253c57ea.exe	29
PID 2896 wrote to memory of 1300	2896	4cba7ca7ea7812ea7715d1307891c57b554d7a7152478af307ec295e253c57ea.exe	29
PID 2896 wrote to memory of 1300	2896	4cba7ca7ea7812ea7715d1307891c57b554d7a7152478af307ec295e253c57ea.exe	29
PID 2836 wrote to memory of 2144	2836	roybn.exe	33
PID 2836 wrote to memory of 2144	2836	roybn.exe	33
PID 2836 wrote to memory of 2144	2836	roybn.exe	33
PID 2836 wrote to memory of 2144	2836	roybn.exe	33

C:\Users\Admin\AppData\Local\Temp\4cba7ca7ea7812ea7715d1307891c57b554d7a7152478af307ec295e253c57ea.exe
"C:\Users\Admin\AppData\Local\Temp\4cba7ca7ea7812ea7715d1307891c57b554d7a7152478af307ec295e253c57ea.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\roybn.exe
  "C:\Users\Admin\AppData\Local\Temp\roybn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\domuv.exe
    "C:\Users\Admin\AppData\Local\Temp\domuv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a2abbf962ec82e46065d4c5e7cfe82de

SHA1
d370e873e57d2fba79b861eee1d277c0493aee86

SHA256
3d75b0030c33359f6484f8822725cbc0d10dc5867e28f307b70c840bd8a46fea

SHA512
dc16fbe345906ea0064f6d292e425533f0f69135d076da0b59c3cef3e7f3520e873ddd0cb2e7bf5abdde24465a09484faab8556340ce3601b3f78cdb7e665237

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d799900454483e73625888a83c10ab0a

SHA1
50af20eb56cca92bc9103659f21c1acf76259858

SHA256
9cb0554db00339571138bfd897c27f00fbfeefc25f793d738fda2bfdcf1a5fed

SHA512
3cf54e381c98e302e003d4efd3099a02decd081ac8ca4db5d60a5b626e0da83acb8b19f9141c79bbfa810486676690aa7fe9dae64313fd9feb440a5c029b54b8

Download Submit
\Users\Admin\AppData\Local\Temp\domuv.exe

Filesize
172KB

MD5
0c93c82d396b19f38e361867451a0f2c

SHA1
74253f1539cb2544f79a7139ccd58193a0a193c4

SHA256
d4ed12e2c508ea86292571de2bad262ac2bf92901b44b320ba49e48e5536d1c8

SHA512
3b75276991e72730e0e34376c253726155a0451660edd86e422ff56d8ca9128f8710aabc9f5d59597e98044d2694a63abc443e56634f3e6145600c1e4f6701a7

Download Submit
\Users\Admin\AppData\Local\Temp\roybn.exe

Filesize
330KB

MD5
92582aea6f2764764f4ead59a21eeb4e

SHA1
810a3435b91b0530e2069ddb981e4e565e612a01

SHA256
0e1fef9564e121e3aa5371a392fd42add26c997861b367664bdb66c5b51b0e49

SHA512
89f5fd925d97c0e1918c08c27db1e89b884724506327b1ccde8bbc27e01ad25d2760f3693be643585955e30d6b3b62a82107ae1999f75ef73cf9d49d073a1c1f

Download Submit
memory/2144-52-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/2144-51-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/2144-50-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/2144-49-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/2144-48-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/2144-43-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/2144-44-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/2836-42-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/2836-38-0x0000000003240000-0x00000000032D9000-memory.dmp

Filesize
612KB

Download
memory/2836-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2836-24-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/2836-18-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/2836-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2896-0-0x00000000010B0000-0x0000000001131000-memory.dmp

Filesize
516KB

Download
memory/2896-10-0x0000000000FC0000-0x0000000001041000-memory.dmp

Filesize
516KB

Download
memory/2896-21-0x00000000010B0000-0x0000000001131000-memory.dmp

Filesize
516KB

Download
memory/2896-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download