urelas | 57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/10/2024, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe
Size

330KB
MD5

8ed8fe4236bd3275ca6fb53ea7adeef0
SHA1

af97463ad45ec8f778be83b82909e222c0076265
SHA256

57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2
SHA512

9e0992b9ae3b18ce3e0daabf36b6e92dc56156ecc291a5c1eafa16b47e60fe99b4766829b45dfe99cfac2fb2fce35507ee8bcea5610db7220428c98328874a20
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYG:vHW138/iXWlK885rKlGSekcj66ciL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
3048	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2968	wokuk.exe
1676	ufvoi.exe

Loads dropped DLL 2 IoCs

pid	Process
2336	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe
2968	wokuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wokuk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ufvoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe
1676	ufvoi.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2968	2336	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	31
PID 2336 wrote to memory of 2968	2336	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	31
PID 2336 wrote to memory of 2968	2336	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	31
PID 2336 wrote to memory of 2968	2336	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	31
PID 2336 wrote to memory of 3048	2336	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	32
PID 2336 wrote to memory of 3048	2336	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	32
PID 2336 wrote to memory of 3048	2336	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	32
PID 2336 wrote to memory of 3048	2336	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	32
PID 2968 wrote to memory of 1676	2968	wokuk.exe	35
PID 2968 wrote to memory of 1676	2968	wokuk.exe	35
PID 2968 wrote to memory of 1676	2968	wokuk.exe	35
PID 2968 wrote to memory of 1676	2968	wokuk.exe	35

C:\Users\Admin\AppData\Local\Temp\57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe
"C:\Users\Admin\AppData\Local\Temp\57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\wokuk.exe
  "C:\Users\Admin\AppData\Local\Temp\wokuk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\ufvoi.exe
    "C:\Users\Admin\AppData\Local\Temp\ufvoi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
6e8d954fb1dddba6478e87ba0e58a3b0

SHA1
e7093781d87eca308159a1d1bbd32fe190fc967a

SHA256
4caa108699460495771fe7f2890e821a4fd25a7bd18072f13b57ee25fccf7a5e

SHA512
09ec249e5465ef9c9c89d9a67fbdaa1ed3aa96da2e947262f5ba95cbba7f9b70afec9bcea5a406727d3df6f9a489dcaf10cc89d6c2dc065a04dd59f645654cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4c721bea7d71b1dbef617adb0ac01fd0

SHA1
991c000ab1139990ecff484b9a116b28b18ebd0a

SHA256
154ac12e9a0b7579e64eac9e95ed101a6da88c2304d8f4a1223095d81e259487

SHA512
3d3b801b398ea714b4736cbec98a2def3a28703cd96d086e9b8c0165a31168bb5803971a91bbe2720dcd42df669fb61733cac66351d5e08d91051c36ca88f0ee

Download Submit
\Users\Admin\AppData\Local\Temp\ufvoi.exe

Filesize
172KB

MD5
d44a6567beef445aa00aba179b03ee15

SHA1
850ffac866f53e12c872c08f5a6258166a74cd3e

SHA256
b7b6aa38829807b6d319ed0bcfebbc2a9c4a3cd7ce69ba05612a04e68ffca180

SHA512
dc3b03cb2fdc1e6d084d62e5c9e551cf4456f83fd21c762fd81781a4b8ed11ffca63078e25fb9868ec80a39d0227815c5bb6d4748678349091c7fe9e362d037e

Download Submit
\Users\Admin\AppData\Local\Temp\wokuk.exe

Filesize
330KB

MD5
95dc4ed189032f6d165c07898c2371f6

SHA1
d1b11d2b246049d7bf6f955e89df2b2b32f7e404

SHA256
30ac718bf133f6915acb4026bc034a20dd58da7234eeded0a5570857d2574b64

SHA512
6b09b64c061c9dd77b82515c2466c57c2811343deef5f94019c9754adc84c0fcfe822314f9f3984c666cf9dc9cd4a54b16a46a7f0b8ef47defd710e63ba27cbf

Download Submit
memory/1676-46-0x0000000000D80000-0x0000000000E19000-memory.dmp

Filesize
612KB

Download
memory/1676-44-0x0000000000D80000-0x0000000000E19000-memory.dmp

Filesize
612KB

Download
memory/1676-50-0x0000000000D80000-0x0000000000E19000-memory.dmp

Filesize
612KB

Download
memory/1676-49-0x0000000000D80000-0x0000000000E19000-memory.dmp

Filesize
612KB

Download
memory/1676-48-0x0000000000D80000-0x0000000000E19000-memory.dmp

Filesize
612KB

Download
memory/1676-47-0x0000000000D80000-0x0000000000E19000-memory.dmp

Filesize
612KB

Download
memory/1676-41-0x0000000000D80000-0x0000000000E19000-memory.dmp

Filesize
612KB

Download
memory/2336-18-0x0000000000DE0000-0x0000000000E61000-memory.dmp

Filesize
516KB

Download
memory/2336-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2336-0-0x0000000000DE0000-0x0000000000E61000-memory.dmp

Filesize
516KB

Download
memory/2336-9-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download
memory/2968-39-0x0000000003EA0000-0x0000000003F39000-memory.dmp

Filesize
612KB

Download
memory/2968-38-0x0000000000C30000-0x0000000000CB1000-memory.dmp

Filesize
516KB

Download
memory/2968-23-0x0000000000C30000-0x0000000000CB1000-memory.dmp

Filesize
516KB

Download
memory/2968-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2968-19-0x0000000000C30000-0x0000000000CB1000-memory.dmp

Filesize
516KB

Download