urelas | 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/10/2024, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
Size

330KB
MD5

a7fca01381772be5f88e3f4c59bb488a
SHA1

934e2a8dd0bf5fa61aa8809d73d7b46628812eea
SHA256

6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1
SHA512

d8def90bc95351068860d6cff6f0ce7a2857be86202980f0714d46d4cdf15901828ce49ea365e9990a609e12a82d5afa7ae2fd4cec7f74b39c51e384661dc282
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVq:vHW138/iXWlK885rKlGSekcj66ciEq

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
1940	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2600	utxyi.exe
2868	jazuc.exe

Loads dropped DLL 2 IoCs

pid	Process
780	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
2600	utxyi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utxyi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jazuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe
2868	jazuc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2600	780	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe	31
PID 780 wrote to memory of 2600	780	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe	31
PID 780 wrote to memory of 2600	780	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe	31
PID 780 wrote to memory of 2600	780	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe	31
PID 780 wrote to memory of 1940	780	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe	32
PID 780 wrote to memory of 1940	780	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe	32
PID 780 wrote to memory of 1940	780	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe	32
PID 780 wrote to memory of 1940	780	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe	32
PID 2600 wrote to memory of 2868	2600	utxyi.exe	35
PID 2600 wrote to memory of 2868	2600	utxyi.exe	35
PID 2600 wrote to memory of 2868	2600	utxyi.exe	35
PID 2600 wrote to memory of 2868	2600	utxyi.exe	35

C:\Users\Admin\AppData\Local\Temp\6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
"C:\Users\Admin\AppData\Local\Temp\6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\utxyi.exe
  "C:\Users\Admin\AppData\Local\Temp\utxyi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\jazuc.exe
    "C:\Users\Admin\AppData\Local\Temp\jazuc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
163be0232365d7ce68accdc4efeda98e

SHA1
065d2753d718c85c30f13d29311e5f9f7d469e08

SHA256
5a99ed92dbb374a881252e400b55fc2e24a911772061d55953b45e07ce77e26b

SHA512
3f2d8da1b5c58a7e5832d1c1f2a25886365f83966aeb3e6230cabf42032e9067df5f6f4c08c4b7dd44406fc147cc5e9cd40906b546220568b579d1ef4d16ca18

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8ba13cd7181d55857793d92ec9e69e93

SHA1
15a1b9827cc04cf9e8725daf4ca76e2018972735

SHA256
25b0501785f4da7094df2096abdc1c4b1257bc24122cc21ae7646000f0123dbb

SHA512
40c6e4e6b1d75a606da5744c0b2f63b879ab8ca1f1d20ac816c0e1e43e933034ef8c8cc9aee64b00e9b229e4c88cf51288569dc3492b9c089e596e9a396599ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\jazuc.exe

Filesize
172KB

MD5
09153c73b3e64028d9d4beb1a4e67d11

SHA1
3982a8aacaf77f2a12dd371705a13f9f5eaf9842

SHA256
3682c4990f54259fff5b13379de6592fc9e23c0b114a4f141745cef375a9223c

SHA512
cab6be10b016f5f99e60c306a2b15457bde0b58ddce6517ef82a3453b87fe4fa9d902bcad8825e3dd8fc529d2c3c303ba3a8f74ee75e46cbadc80dfe8c61d75c

Download Submit
\Users\Admin\AppData\Local\Temp\utxyi.exe

Filesize
330KB

MD5
a752dab281bbaceca8e71a209827ec17

SHA1
eff7f16b8277bf859c91d12b5a45976422d1b4bd

SHA256
08cad97c768f32592bee54e14a78d7eb199f18389e6d67abd92bac016a7269dc

SHA512
8f2251cbcacecbb8c12f898f1470e2c897fb4c5055384908403227c823b42efd3deff99d35a53c5542bb3c911c6131e463f2f47ce285c8133d789f2764b5016b

Download Submit
memory/780-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/780-0-0x0000000000140000-0x00000000001C1000-memory.dmp

Filesize
516KB

Download
memory/780-7-0x0000000002150000-0x00000000021D1000-memory.dmp

Filesize
516KB

Download
memory/780-20-0x0000000000140000-0x00000000001C1000-memory.dmp

Filesize
516KB

Download
memory/2600-41-0x00000000002B0000-0x0000000000331000-memory.dmp

Filesize
516KB

Download
memory/2600-23-0x00000000002B0000-0x0000000000331000-memory.dmp

Filesize
516KB

Download
memory/2600-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2600-17-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2600-37-0x00000000035D0000-0x0000000003669000-memory.dmp

Filesize
612KB

Download
memory/2868-43-0x0000000000EB0000-0x0000000000F49000-memory.dmp

Filesize
612KB

Download
memory/2868-42-0x0000000000EB0000-0x0000000000F49000-memory.dmp

Filesize
612KB

Download
memory/2868-47-0x0000000000EB0000-0x0000000000F49000-memory.dmp

Filesize
612KB

Download
memory/2868-48-0x0000000000EB0000-0x0000000000F49000-memory.dmp

Filesize
612KB

Download
memory/2868-49-0x0000000000EB0000-0x0000000000F49000-memory.dmp

Filesize
612KB

Download
memory/2868-50-0x0000000000EB0000-0x0000000000F49000-memory.dmp

Filesize
612KB

Download
memory/2868-51-0x0000000000EB0000-0x0000000000F49000-memory.dmp

Filesize
612KB

Download