urelas | b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-10-2024 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe
Size

326KB
MD5

dd9302be82e57d59ab5a6c4a424aa400
SHA1

df7211ed1d49b7cb0e1ea919137b83fc1ca944ab
SHA256

b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04
SHA512

aeb2261087939027844d5a488b7de6e3381e72dc7dceeaf27f07b8e2ce329535020245193a0ca5db091631cfded93b66786c546dba31fb0a46b09c2c93c14b01
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYf:vHW138/iXWlK885rKlGSekcj66cim

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2932	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

bukur.exekuqyj.exe

pid	Process
2840	bukur.exe
568	kuqyj.exe

Loads dropped DLL 2 IoCs

Processes:

b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exebukur.exe

pid	Process
2112	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe
2840	bukur.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exekuqyj.exeb8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exebukur.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kuqyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bukur.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

kuqyj.exe

pid	Process
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe
568	kuqyj.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exebukur.exe

description	pid	Process	procid_target
PID 2112 wrote to memory of 2840	2112	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe	31
PID 2112 wrote to memory of 2840	2112	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe	31
PID 2112 wrote to memory of 2840	2112	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe	31
PID 2112 wrote to memory of 2840	2112	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe	31
PID 2112 wrote to memory of 2932	2112	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe	32
PID 2112 wrote to memory of 2932	2112	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe	32
PID 2112 wrote to memory of 2932	2112	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe	32
PID 2112 wrote to memory of 2932	2112	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe	32
PID 2840 wrote to memory of 568	2840	bukur.exe	35
PID 2840 wrote to memory of 568	2840	bukur.exe	35
PID 2840 wrote to memory of 568	2840	bukur.exe	35
PID 2840 wrote to memory of 568	2840	bukur.exe	35

C:\Users\Admin\AppData\Local\Temp\b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe
"C:\Users\Admin\AppData\Local\Temp\b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\bukur.exe
  "C:\Users\Admin\AppData\Local\Temp\bukur.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\kuqyj.exe
    "C:\Users\Admin\AppData\Local\Temp\kuqyj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
7c8d66b2784794a913ad2727b704332a

SHA1
8d9f1a0c80d7633d1a6e33a5f5a196380ee4be12

SHA256
47a9c39242233e306122c0f22b453d94e58c1741a6c7fa55b5163a1fd1d1248b

SHA512
98a52e357eac539a65185ffc07043ac4f00337fcdba34706f672a4542680934eb30c9b70d8e0c2fc2237bc96769ed96fffb4e0627b0bc603c68acd86e83feccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cd3d1adc6a6fb3f4b16ecb6d8454c16f

SHA1
f07617979b6ac2b6e36f739d8b6ea1d4b55821f0

SHA256
87071ca557f893fd10b1f84af48d42cc0aecba2f404d2d7df606c6abeda871b6

SHA512
38f57ee153e27e688eff8d325412e17519d853e2de168f6cd9f1012edda68d0561d8b91c32b5eac2890ae0ae679fd223e5345833e1278135b252076aa81f3bae

Download Submit
\Users\Admin\AppData\Local\Temp\bukur.exe

Filesize
326KB

MD5
3ae22e3297300e49f99d1695ff9ce9b1

SHA1
2c430859f22318e0f79a880e8dda24b16e3f988d

SHA256
9743dcc1ce7721eb1abd8d81f429b6172ea1eeb1c0dc0af0b715bb2a15bdb893

SHA512
1b45a13ac0d4f3d9d77efe0946a131beb4c88a1c4bc37c096c000e139cbb3f01e3ff73f5b515fbb3bf8309ee18343d42f95e8970b7e4928ee949d23fddb4a93d

Download Submit
\Users\Admin\AppData\Local\Temp\kuqyj.exe

Filesize
172KB

MD5
6b51038180b70b6e4ea2055c6cc6d6ee

SHA1
ec40f95fb239e3a2a27b491c38a20d65aaf175bc

SHA256
4054d75d4cfb3c0bf71d4ca33691c12e74d5f467bc43e4a587e18ff06cefe433

SHA512
1eb30f221b008e170acbbc30c53c8b6a1fc96210576fc2eadca019f75b646a3755cce9537da51328608a7cfe6e886517e56bdd9c5d4e2e26b8285a3bae248845

Download Submit
memory/568-41-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/568-46-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/568-50-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/568-49-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/568-48-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/568-47-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/568-44-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/2112-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2112-0-0x00000000010E0000-0x0000000001161000-memory.dmp

Filesize
516KB

Download
memory/2112-19-0x00000000010E0000-0x0000000001161000-memory.dmp

Filesize
516KB

Download
memory/2840-37-0x0000000002E50000-0x0000000002EE9000-memory.dmp

Filesize
612KB

Download
memory/2840-40-0x0000000000F90000-0x0000000001011000-memory.dmp

Filesize
516KB

Download
memory/2840-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2840-23-0x0000000000F90000-0x0000000001011000-memory.dmp

Filesize
516KB

Download
memory/2840-17-0x0000000000F90000-0x0000000001011000-memory.dmp

Filesize
516KB

Download