urelas | e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/10/2024, 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe
Size

331KB
MD5

43ccc6958f91e07a407881b33286ef05
SHA1

7b2ce6400110ceb59534d4b181743db40817293d
SHA256

e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3
SHA512

42eff49833ea7f7af48eae35844ccc5c1b78eeda22362e38f37faff61540eb84de4ad32b7f7ee1f185ece81c157dbf883fa293678848dac0cf3c86811160fdfa
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYU:vHW138/iXWlK885rKlGSekcj66ci9

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2424	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
540	dofij.exe
2920	nozuh.exe

Loads dropped DLL 2 IoCs

pid	Process
1928	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe
540	dofij.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dofij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nozuh.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe
2920	nozuh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 540	1928	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe	30
PID 1928 wrote to memory of 540	1928	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe	30
PID 1928 wrote to memory of 540	1928	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe	30
PID 1928 wrote to memory of 540	1928	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe	30
PID 1928 wrote to memory of 2424	1928	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe	31
PID 1928 wrote to memory of 2424	1928	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe	31
PID 1928 wrote to memory of 2424	1928	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe	31
PID 1928 wrote to memory of 2424	1928	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe	31
PID 540 wrote to memory of 2920	540	dofij.exe	34
PID 540 wrote to memory of 2920	540	dofij.exe	34
PID 540 wrote to memory of 2920	540	dofij.exe	34
PID 540 wrote to memory of 2920	540	dofij.exe	34

C:\Users\Admin\AppData\Local\Temp\e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe
"C:\Users\Admin\AppData\Local\Temp\e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\dofij.exe
  "C:\Users\Admin\AppData\Local\Temp\dofij.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\nozuh.exe
    "C:\Users\Admin\AppData\Local\Temp\nozuh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c3482ced7f644d94381c9b12ae15ecc2

SHA1
aee03a143b0d88848e660c6a06347c4d327b1a09

SHA256
ce3b22efc8692e1f90e4de419cc21f6b3306935da4224298008f4ab995b810fd

SHA512
560d86a27e2a4c897fc432f85e8f418d7002372d202bfd76e1ad16e6c671bbec0f66a60059dc1f5d518a183b77cca1f293ce0d735200c77f8d9a02f941cc1041

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f3b9f646776b9e716dce384ec23ad694

SHA1
1434d99e3ee3dc3d773836d2736e35728c3c1791

SHA256
e48ae4c57048eea62de2e4c041fc67fd28c0042e36a6c8c0c8cb8575dd9c5e53

SHA512
1566211d5910967599b5272b9f39651298d11798223d32b5fd76b4fc6124219faeafa5c34eaef73784e6124ea9bce4001c77a6a23bc8b459e0bfb66689e0af74

Download Submit
\Users\Admin\AppData\Local\Temp\dofij.exe

Filesize
331KB

MD5
b039d826e8584be7813c24f919d4d015

SHA1
dbc7f3391db0c3273575452a3a2a14423b5004c5

SHA256
0945611a6141666852e115292ec4158814e2bc36d936b7d2ccb150483fbfc14f

SHA512
b16cfc64f9cfaefcc1aea07d82f3f6f491fce1ee358d32693a85ce4bd7af388e2d77e08577515471d3d0439f3267ff6153dbb430f82fefe7be68ec66a4941c36

Download Submit
\Users\Admin\AppData\Local\Temp\nozuh.exe

Filesize
172KB

MD5
47fc581fb1b48370258fa2dfd0b5bb2f

SHA1
e9508bdc17ca8fe0757303db2693aaa0ab885ed4

SHA256
34b554942c151f38b3eaa37c8873280ac381f46bde7f1fe5046da6d82553aef0

SHA512
7a1a8732a5da9eb2eb865b9412a0b2e8b2b2f8e0300f3c26b7a3a0e8e64530cb03bf72de572425113295ed9f8c370e6550e22579630fbcd7735e450bb4e8a5f7

Download Submit
memory/540-10-0x0000000001090000-0x0000000001111000-memory.dmp

Filesize
516KB

Download
memory/540-37-0x00000000032D0000-0x0000000003369000-memory.dmp

Filesize
612KB

Download
memory/540-41-0x0000000001090000-0x0000000001111000-memory.dmp

Filesize
516KB

Download
memory/540-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/540-23-0x0000000001090000-0x0000000001111000-memory.dmp

Filesize
516KB

Download
memory/540-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1928-0-0x00000000011A0000-0x0000000001221000-memory.dmp

Filesize
516KB

Download
memory/1928-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1928-20-0x00000000011A0000-0x0000000001221000-memory.dmp

Filesize
516KB

Download
memory/2920-43-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/2920-42-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/2920-47-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/2920-48-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/2920-49-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/2920-50-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/2920-51-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download