urelas | b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-10-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe
Size

325KB
MD5

1ac972ef0744dbef4ae6ab6458c7db27
SHA1

5052cb948e325d158802300ca0121659383d525f
SHA256

b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217
SHA512

90c009bdb0a1d6efdef9df59b7610657f5861ea34022dfd3600352e223fca846c3f7afeb174a63b305bb8d8de51bf6d2746dde4f22a0211024fb2bf07be035f0
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYs:vHW138/iXWlK885rKlGSekcj66ciF

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1040	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

ceruf.exepoogm.exe

pid	Process
1532	ceruf.exe
1788	poogm.exe

Loads dropped DLL 2 IoCs

Processes:

b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.execeruf.exe

pid	Process
1868	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe
1532	ceruf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.execeruf.execmd.exepoogm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ceruf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poogm.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

poogm.exe

pid	Process
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe
1788	poogm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.execeruf.exe

description	pid	Process	procid_target
PID 1868 wrote to memory of 1532	1868	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe	31
PID 1868 wrote to memory of 1532	1868	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe	31
PID 1868 wrote to memory of 1532	1868	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe	31
PID 1868 wrote to memory of 1532	1868	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe	31
PID 1868 wrote to memory of 1040	1868	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe	32
PID 1868 wrote to memory of 1040	1868	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe	32
PID 1868 wrote to memory of 1040	1868	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe	32
PID 1868 wrote to memory of 1040	1868	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe	32
PID 1532 wrote to memory of 1788	1532	ceruf.exe	35
PID 1532 wrote to memory of 1788	1532	ceruf.exe	35
PID 1532 wrote to memory of 1788	1532	ceruf.exe	35
PID 1532 wrote to memory of 1788	1532	ceruf.exe	35

C:\Users\Admin\AppData\Local\Temp\b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe
"C:\Users\Admin\AppData\Local\Temp\b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\ceruf.exe
  "C:\Users\Admin\AppData\Local\Temp\ceruf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\poogm.exe
    "C:\Users\Admin\AppData\Local\Temp\poogm.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
1f38f267500bf1302dd62c8a89ebde92

SHA1
19f0298a9c2d4fa83e95a7e23229d220690e4cef

SHA256
017e6d14717a8ac8bfda1f0fea67192702d2180890d963c10d8dfebd214aac8d

SHA512
521e5c531bdcf352617d5f497a39ac3b5f332fb3f831b6eb20bf7273e044ebd8b360832f12185952758884053383d85358fe52d1941329e24f2f9c9786bfbd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceruf.exe

Filesize
325KB

MD5
3695b3f63279226bc84b2a63b67e6cef

SHA1
5812cb32717dd53d66668f31f2f1d2cd7055c842

SHA256
403277e516867bfee486b6556b18b64a63723cd0a1a79c52e869c5aa6ab7419d

SHA512
379595ccbbe5f3e629990e048aef7b0eabb3d083c6fc319c0d7b0341f65de385e4c1da5fcafe199b3ec2569f6e10bc3d1197b663a625544c9250bc9a0ca33459

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7ead9048922b54f9cf8f49d768f81063

SHA1
5e5bfefb214728e3d00ce4df14002109aa2c3c33

SHA256
f4bc80e977e5ef431062e9a4394db05f6b72b69b730e427a62c615ded69124d7

SHA512
f2b746b825497cfe2255dd17860df6f557bf24b751d66aa31e0381f3428e824d28b5841a3973a11b73c28bdb500f8daed25525dd0d8751a4a9cfaa8325f74922

Download Submit
\Users\Admin\AppData\Local\Temp\ceruf.exe

Filesize
325KB

MD5
b4d69e959e1d2a3943c178d74ea96ed4

SHA1
753550909228a1d795089cf4543d3c7e32577d56

SHA256
8b0a2042311ca4c0d873903185ca3f763bd33489419392cafae200d42b70c6b9

SHA512
deee0be6b6c19c27366997b30774b07cd2d4bf25112315a3b51ac37c46070fa415c4bce0002af0ec1fc0a9bac0e8bc0a5ee848200006b360143b3d12bcd3c9f7

Download Submit
\Users\Admin\AppData\Local\Temp\poogm.exe

Filesize
172KB

MD5
d86045f68f9acef5ab108cec3e91cc50

SHA1
9720d2d868a3f73611e947438864b4ab0e76010a

SHA256
fd3af39bfd8b10344565e50d4a44fbf0b4722db5c955f86719d9e5b5b6e1ad57

SHA512
1517267c761a005d6973451ee39e6545c47ac93d0dba5bb0d7c832e064b88dd5cd99983fb125da7c7f7a21056a1e1f9faf87d15e94df7c26e39354722c93ebb5

Download Submit
memory/1532-40-0x00000000033B0000-0x0000000003449000-memory.dmp

Filesize
612KB

Download
memory/1532-24-0x0000000001370000-0x00000000013F1000-memory.dmp

Filesize
516KB

Download
memory/1532-39-0x0000000001370000-0x00000000013F1000-memory.dmp

Filesize
516KB

Download
memory/1532-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1532-11-0x0000000001370000-0x00000000013F1000-memory.dmp

Filesize
516KB

Download
memory/1788-45-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/1788-42-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/1788-48-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/1788-49-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/1788-50-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/1788-51-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/1788-52-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/1868-9-0x00000000025A0000-0x0000000002621000-memory.dmp

Filesize
516KB

Download
memory/1868-0-0x00000000003D0000-0x0000000000451000-memory.dmp

Filesize
516KB

Download
memory/1868-21-0x00000000003D0000-0x0000000000451000-memory.dmp

Filesize
516KB

Download
memory/1868-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download