urelas | 1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e

Analysis

max time kernel
150s
max time network
82s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-10-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe
Size

333KB
MD5

fe39ab628c336257757d361c4e2ad15f
SHA1

19092dbe91f5aa21fef42c5b4dc9a77329687dfb
SHA256

1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e
SHA512

e1e54485351358657f0f0c43a346947f5ad14e7f5c91d7a996bf82c0b93bb13f38341d6fd5ae129e7807979ea48e4fd747b2a8c299b2ce05e294e557f9af63dd
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYPl:vHW138/iXWlK885rKlGSekcj66ciQ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2116	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2856	tizyj.exe
3060	xytoi.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe
2856	tizyj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tizyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xytoi.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe
3060	xytoi.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2856	2220	1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe	29
PID 2220 wrote to memory of 2856	2220	1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe	29
PID 2220 wrote to memory of 2856	2220	1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe	29
PID 2220 wrote to memory of 2856	2220	1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe	29
PID 2220 wrote to memory of 2116	2220	1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe	30
PID 2220 wrote to memory of 2116	2220	1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe	30
PID 2220 wrote to memory of 2116	2220	1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe	30
PID 2220 wrote to memory of 2116	2220	1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe	30
PID 2856 wrote to memory of 3060	2856	tizyj.exe	32
PID 2856 wrote to memory of 3060	2856	tizyj.exe	32
PID 2856 wrote to memory of 3060	2856	tizyj.exe	32
PID 2856 wrote to memory of 3060	2856	tizyj.exe	32

C:\Users\Admin\AppData\Local\Temp\1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe
"C:\Users\Admin\AppData\Local\Temp\1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\tizyj.exe
  "C:\Users\Admin\AppData\Local\Temp\tizyj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\xytoi.exe
    "C:\Users\Admin\AppData\Local\Temp\xytoi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
ecdfb2822e436b4370f4ff68f6b8dd12

SHA1
0eb1d15b139c0724b5c55f040548ff79aaae79a7

SHA256
5945a62e3aaec26468b4d9341914a60aad6fae87ddd562a43ac1b9a2599afd37

SHA512
870e83100f2e097f7c9b3d40ad2918a1bba006fb96c8e3fcf9eb858393ee5ecd8ad010d92bdf9c420a20d2fba5b8aeb448496a4734de38542c332f3afcb36d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
57080dc5d03379e438d4d20e8c9a556b

SHA1
3eb68023832a80b309ed0927ec349a44d01979a5

SHA256
46b5e0ff066ac4bd03500c24aac9a9ce17993483faed7137ef08330c27d72018

SHA512
cc4b0f76f4b5655603304c8970f65d731f1ee4a1a2f6112ee5dde8c8e21d29f5de1b245e8525753c111b895b7a0bf29ae894bab451fed214d88d67f7acee5273

Download Submit
\Users\Admin\AppData\Local\Temp\tizyj.exe

Filesize
334KB

MD5
12d50853f579b39d430a9608ec314682

SHA1
b1093cac5a0c668603fda4c3061bb55667b71630

SHA256
4903ac49f245c2d3f59fbbe95d09058b43f78e0b5f21de70526bf6cde5e701a5

SHA512
ec5446f5d8df74a09676f62f9db72508bb7f6e7e6309c24fc2628d6942e53d977a1ba91518165584c867d91aca2a8013ff028f020d7ebc09026ebfe8f2aa88d6

Download Submit
\Users\Admin\AppData\Local\Temp\xytoi.exe

Filesize
172KB

MD5
e9bd4b41861f87d3cd359541cf10d9da

SHA1
42fba9a48f792ec87f8fcce32d529c544e593173

SHA256
665762b3e9b24a52e46a281f4a8bff4c620b34c2b5bfb71174b2725cfe8f7056

SHA512
96f19ba3384c5653747f54edd1e977986caf1bd51647315f4a68d250c2a662ef32ddb860cc83b29e6bdbaf938d3ba48edc6c685f6ba67089e46e77300fd7d202

Download Submit
memory/2220-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2220-20-0x00000000009E0000-0x0000000000A61000-memory.dmp

Filesize
516KB

Download
memory/2220-0-0x00000000009E0000-0x0000000000A61000-memory.dmp

Filesize
516KB

Download
memory/2220-9-0x0000000002590000-0x0000000002611000-memory.dmp

Filesize
516KB

Download
memory/2856-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2856-23-0x00000000001C0000-0x0000000000241000-memory.dmp

Filesize
516KB

Download
memory/2856-11-0x00000000001C0000-0x0000000000241000-memory.dmp

Filesize
516KB

Download
memory/2856-36-0x0000000003A80000-0x0000000003B19000-memory.dmp

Filesize
612KB

Download
memory/2856-41-0x00000000001C0000-0x0000000000241000-memory.dmp

Filesize
516KB

Download
memory/3060-42-0x0000000001390000-0x0000000001429000-memory.dmp

Filesize
612KB

Download
memory/3060-40-0x0000000001390000-0x0000000001429000-memory.dmp

Filesize
612KB

Download
memory/3060-46-0x0000000001390000-0x0000000001429000-memory.dmp

Filesize
612KB

Download
memory/3060-47-0x0000000001390000-0x0000000001429000-memory.dmp

Filesize
612KB

Download
memory/3060-48-0x0000000001390000-0x0000000001429000-memory.dmp

Filesize
612KB

Download
memory/3060-49-0x0000000001390000-0x0000000001429000-memory.dmp

Filesize
612KB

Download
memory/3060-50-0x0000000001390000-0x0000000001429000-memory.dmp

Filesize
612KB

Download