urelas | 2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/10/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe
Size

333KB
MD5

8dd4853010e7db531898aa198b116300
SHA1

839c24033a06b4f9ff2abd065f12cbdec61d83e0
SHA256

2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f
SHA512

1be5cbce7454acf89b94ec27ef1f9c74c3a8ef53bb6a93dc3ca9243ef9a5d612b1400d7215a4107e95512f7f073c65e3ba7d90f735db74c990830acf0444b5f6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9W:vHW138/iXWlK885rKlGSekcj66ciWW

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2152	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2832	bufyh.exe
2072	tykub.exe

Loads dropped DLL 2 IoCs

pid	Process
1740	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe
2832	bufyh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bufyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tykub.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe
2072	tykub.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2832	1740	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe	31
PID 1740 wrote to memory of 2832	1740	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe	31
PID 1740 wrote to memory of 2832	1740	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe	31
PID 1740 wrote to memory of 2832	1740	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe	31
PID 1740 wrote to memory of 2152	1740	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe	32
PID 1740 wrote to memory of 2152	1740	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe	32
PID 1740 wrote to memory of 2152	1740	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe	32
PID 1740 wrote to memory of 2152	1740	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe	32
PID 2832 wrote to memory of 2072	2832	bufyh.exe	35
PID 2832 wrote to memory of 2072	2832	bufyh.exe	35
PID 2832 wrote to memory of 2072	2832	bufyh.exe	35
PID 2832 wrote to memory of 2072	2832	bufyh.exe	35

C:\Users\Admin\AppData\Local\Temp\2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe
"C:\Users\Admin\AppData\Local\Temp\2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\bufyh.exe
  "C:\Users\Admin\AppData\Local\Temp\bufyh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\tykub.exe
    "C:\Users\Admin\AppData\Local\Temp\tykub.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
6fadf302779de6a35911ec20f44eaa9c

SHA1
badefcb45d3e18eb9a4af1b8f9b53ba321fd4d26

SHA256
80beb48d4f4f11b66385e3347cb54777a8376fc918532c6def8af74f6ee9e4a0

SHA512
be028304116ebc759a74721b3d98f97f5948dcdd0767ad86a91e21daec21bd87407ce885c4c7e08f609d1ce89044bdbb04e6db2f1107b73bf344c74993d45001

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
dcdf93d2677f7dcf46f25f74a2ff2ff1

SHA1
d2bc78d672719cbce5a0339b93e639c0711639b6

SHA256
df874fba81fc6cef5806fc84c0a0b56c2824a5e642c28db5ae7fd41de171d190

SHA512
1c84183a47c30370e8aabc8ac1c3ca24c9979fba67cdc90f4a30d3f1168b8a1bc61c9ebc98b0b020d6ea9f516b18e8792256dcb73b8cdbb13c8e7b4af04e7831

Download Submit
\Users\Admin\AppData\Local\Temp\bufyh.exe

Filesize
333KB

MD5
75b3d905093d3f8e5317b132552cf98a

SHA1
58d4d9509987db2bd28df627137c98ed32590c29

SHA256
4a2cfe148d6b4be78e69dc5b2eaa733a3cbbd2f1fa2d36a8bbb4ebfe59c308d4

SHA512
a1fa0adc1711b118b0956a8783969a3703a1cce476a8a47b07d642e3e8cd83671ae0d1fb10fa49c2a5218c44341b838480832417714cfceb7c7a363dcd3866cb

Download Submit
\Users\Admin\AppData\Local\Temp\tykub.exe

Filesize
172KB

MD5
8de3fc673693cdb0a0a0db60ad0de61e

SHA1
2e890befad494f0351d5c0b76419c6cbe9527f34

SHA256
735efafa84aa38cd57802c28a98c6022b4bb08d05245c58bba126babcdc83c97

SHA512
68528025471bbd479f2a352ca97dd2831691ea63205cd5c6f9049bd192e7d9c6006cdaa7d32aa5455403e54e7457d6c83c695a5c1e7998b36ec24ec876e7782f

Download Submit
memory/1740-0-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/1740-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1740-9-0x0000000002560000-0x00000000025E1000-memory.dmp

Filesize
516KB

Download
memory/1740-21-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/2072-44-0x0000000000220000-0x00000000002B9000-memory.dmp

Filesize
612KB

Download
memory/2072-42-0x0000000000220000-0x00000000002B9000-memory.dmp

Filesize
612KB

Download
memory/2072-48-0x0000000000220000-0x00000000002B9000-memory.dmp

Filesize
612KB

Download
memory/2072-49-0x0000000000220000-0x00000000002B9000-memory.dmp

Filesize
612KB

Download
memory/2072-50-0x0000000000220000-0x00000000002B9000-memory.dmp

Filesize
612KB

Download
memory/2072-51-0x0000000000220000-0x00000000002B9000-memory.dmp

Filesize
612KB

Download
memory/2072-52-0x0000000000220000-0x00000000002B9000-memory.dmp

Filesize
612KB

Download
memory/2832-24-0x0000000001390000-0x0000000001411000-memory.dmp

Filesize
516KB

Download
memory/2832-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2832-11-0x0000000001390000-0x0000000001411000-memory.dmp

Filesize
516KB

Download
memory/2832-38-0x00000000035B0000-0x0000000003649000-memory.dmp

Filesize
612KB

Download
memory/2832-43-0x0000000001390000-0x0000000001411000-memory.dmp

Filesize
516KB

Download
memory/2832-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download