urelas | 6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-10-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe
Size

331KB
MD5

58ce05c8d85a601405b81ccda398ccd7
SHA1

d62b4c797bc633d1f5a2c4972fb854bef98ed31b
SHA256

6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842
SHA512

a4da37e691149968aa0917d153967c465cf87993baa6cceb6c9486d62bc0b82969cafb30e93518990ef471dcc88d94c6329fc80a3a58be67e2bdb95050354c0c
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYd:vHW138/iXWlK885rKlGSekcj66ciQ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2932	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

qyced.execojas.exe

pid	Process
1328	qyced.exe
1712	cojas.exe

Loads dropped DLL 2 IoCs

Processes:

6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exeqyced.exe

pid	Process
2872	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe
1328	qyced.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exeqyced.execmd.execojas.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qyced.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cojas.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

cojas.exe

pid	Process
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe
1712	cojas.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exeqyced.exe

description	pid	Process	procid_target
PID 2872 wrote to memory of 1328	2872	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe	28
PID 2872 wrote to memory of 1328	2872	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe	28
PID 2872 wrote to memory of 1328	2872	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe	28
PID 2872 wrote to memory of 1328	2872	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe	28
PID 2872 wrote to memory of 2932	2872	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe	29
PID 2872 wrote to memory of 2932	2872	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe	29
PID 2872 wrote to memory of 2932	2872	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe	29
PID 2872 wrote to memory of 2932	2872	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe	29
PID 1328 wrote to memory of 1712	1328	qyced.exe	33
PID 1328 wrote to memory of 1712	1328	qyced.exe	33
PID 1328 wrote to memory of 1712	1328	qyced.exe	33
PID 1328 wrote to memory of 1712	1328	qyced.exe	33

C:\Users\Admin\AppData\Local\Temp\6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe
"C:\Users\Admin\AppData\Local\Temp\6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\qyced.exe
  "C:\Users\Admin\AppData\Local\Temp\qyced.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Users\Admin\AppData\Local\Temp\cojas.exe
    "C:\Users\Admin\AppData\Local\Temp\cojas.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a5b1795728b662942114fb3bc208d709

SHA1
06544a3822b6bf1cd7bbcb730865a8908d2ef784

SHA256
274009e193b1af404eaad6e63515a1bff124295973cfb179ce7bfe06ee04fec6

SHA512
fff863ea7228c3316d7437fa04c9d53e6d959ba9272db85feffb3becea34b642b21f37225559169acac5b0e1ca6facd03615d9755c804fdcf473557a344c142b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6fbc6773418392470b90760fb3f34841

SHA1
15dcc917e95a7f0a3fe6f22b31477ced83af7055

SHA256
d05f5c7b484f97329bb0b2543d42a3b4be99101107243fb782827fffb742d5fe

SHA512
240e0e258ebc58297eb137bbb2d853da995dd8992266b52f7b76f1bb7ac725da3d19baf8e1c42af3a06f7961df6249a329c3d4d1573a096ed91083a7229e4c27

Download Submit
\Users\Admin\AppData\Local\Temp\cojas.exe

Filesize
172KB

MD5
adb0254a2d1953f9c25f56640d5cc305

SHA1
f19fec03238eb6828255c8d6ce4d614a3711b58b

SHA256
44c4eab19b36d6ad23b9dbe160a7650696f17d898ed6298ad3dd0ac0a745b5ff

SHA512
1ed00af6216b5da567ad1055b9396d499f9a509f6bf2e16355fee2c4c8d95462d92e2dbdb300044b4863efeeb5e28f30229c69a565b02136bb5e02e07654eed7

Download Submit
\Users\Admin\AppData\Local\Temp\qyced.exe

Filesize
331KB

MD5
db01a29e739071bba88d44988cbc33eb

SHA1
6eb0cdaba172d41fcec38ebcb5554ace0a0cb55b

SHA256
1af2491119c4b9b078ad5ae5d2e5e0592cee0b75d05de3c29df9069a8c725b3c

SHA512
4de224bb9b9593b9fda36508aa3f3bdce86b8ce372429a5c15635327c3e058fe2d2bedf2cb4f0ef15dfb24c232661fb11ccf7cdff6e7b6399d131b2e4995bcb1

Download Submit
memory/1328-42-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/1328-24-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/1328-18-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/1328-38-0x0000000003440000-0x00000000034D9000-memory.dmp

Filesize
612KB

Download
memory/1328-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1328-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1712-44-0x0000000000060000-0x00000000000F9000-memory.dmp

Filesize
612KB

Download
memory/1712-43-0x0000000000060000-0x00000000000F9000-memory.dmp

Filesize
612KB

Download
memory/1712-48-0x0000000000060000-0x00000000000F9000-memory.dmp

Filesize
612KB

Download
memory/1712-49-0x0000000000060000-0x00000000000F9000-memory.dmp

Filesize
612KB

Download
memory/1712-50-0x0000000000060000-0x00000000000F9000-memory.dmp

Filesize
612KB

Download
memory/1712-51-0x0000000000060000-0x00000000000F9000-memory.dmp

Filesize
612KB

Download
memory/1712-52-0x0000000000060000-0x00000000000F9000-memory.dmp

Filesize
612KB

Download
memory/2872-0-0x0000000000A80000-0x0000000000B01000-memory.dmp

Filesize
516KB

Download
memory/2872-21-0x0000000000A80000-0x0000000000B01000-memory.dmp

Filesize
516KB

Download
memory/2872-16-0x00000000021E0000-0x0000000002261000-memory.dmp

Filesize
516KB

Download
memory/2872-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download