urelas | 31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/10/2024, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe
Size

332KB
MD5

76f5fdf8b29d6d325a2954eb9affd758
SHA1

738271ce6399a06456279ae22117905ab63fe4dc
SHA256

31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4
SHA512

5a3ff505f249bf294e540d1d336a0543f8057bc3b6fa5e7b346f05bf7e88894ef599f11b1ce03e0b81fe66c10ec7ee94bf6c95f7983af5f1ca27b69ac498a090
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYr5:vHW138/iXWlK885rKlGSekcj66ci8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	zuilc.exe
864	goesf.exe

Loads dropped DLL 2 IoCs

pid	Process
2484	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe
2896	zuilc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	goesf.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe
864	goesf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2896	2484	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	30
PID 2484 wrote to memory of 2896	2484	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	30
PID 2484 wrote to memory of 2896	2484	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	30
PID 2484 wrote to memory of 2896	2484	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	30
PID 2484 wrote to memory of 3004	2484	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	31
PID 2484 wrote to memory of 3004	2484	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	31
PID 2484 wrote to memory of 3004	2484	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	31
PID 2484 wrote to memory of 3004	2484	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	31
PID 2896 wrote to memory of 864	2896	zuilc.exe	34
PID 2896 wrote to memory of 864	2896	zuilc.exe	34
PID 2896 wrote to memory of 864	2896	zuilc.exe	34
PID 2896 wrote to memory of 864	2896	zuilc.exe	34

C:\Users\Admin\AppData\Local\Temp\31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe
"C:\Users\Admin\AppData\Local\Temp\31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\zuilc.exe
  "C:\Users\Admin\AppData\Local\Temp\zuilc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\goesf.exe
    "C:\Users\Admin\AppData\Local\Temp\goesf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3889d8e2dec2cdfaf98392329730f1b1

SHA1
b95f3baf21f177f97d91a800d2b9f0aef64da9f0

SHA256
353d3edb8e6d4032a387f3a2350280e78859312fa5244af78221c4360ed481ef

SHA512
f748ff35ebd437ef0a6fa93a1929087b9966c68b7f338c5d84c5f5a0f857dd069c75e4ce269e00c51ab19f4feff4c061ab22c1e5dedcf942f259c07e46fddd93

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
03736843a92c180a9b4bd7c6528e10a5

SHA1
1a91e5366e9ac7b6f2d4ffbbd514f631a12134df

SHA256
5097bf494a5b06f14e56c731e42e6d994d085b3d1edbf17b4a53c6383f6938d5

SHA512
e67995dc638727f78f115a1621d6832f84f0d8d07fda9da0e4d924e96dc2bdca33ef41e9e8ea56bd42597354c5c023fc91837f84afe1c3e4ac55cdbb1f2be537

Download Submit
\Users\Admin\AppData\Local\Temp\goesf.exe

Filesize
172KB

MD5
1cb2f4a32ecc860ec377663c6766a474

SHA1
06b3be9eaffdee0e03f89b2eab003460d35376d8

SHA256
abe37e42d8a66c4f77f1fa5b042c494d7df97627b904824178a095441cb2e591

SHA512
eb652c92dcd193e3845a43d89e9b11b6dcb696a8ac63efb2ef14ab87b5bad3ac7f004b83a871bdd56eb3697fd142e80fdb8c6b3c0cad412f2a44d6edc7cf9933

Download Submit
\Users\Admin\AppData\Local\Temp\zuilc.exe

Filesize
332KB

MD5
8cb8ad53f353a46851756a4d8320ba31

SHA1
35322b9d72662b640a71a2ad5ae1812e90545660

SHA256
68aefd5d4863f4cfb652b32d46e6dbc246c0228f3c5a0aefe92619e6c48dd57b

SHA512
17a5f572dd7890c884cd9905c38499e245a5ca7eb5427dccfe65b2e08a94d4c3d619870da6737ea2c7a93cf134508a1f78171e21b5bc0dc95b188291f3bca572

Download Submit
memory/864-46-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/864-50-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/864-49-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/864-48-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/864-41-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/864-42-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/864-47-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/2484-0-0x0000000000B80000-0x0000000000C01000-memory.dmp

Filesize
516KB

Download
memory/2484-20-0x0000000000B80000-0x0000000000C01000-memory.dmp

Filesize
516KB

Download
memory/2484-10-0x0000000002690000-0x0000000002711000-memory.dmp

Filesize
516KB

Download
memory/2484-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2896-38-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/2896-40-0x0000000000DA0000-0x0000000000E39000-memory.dmp

Filesize
612KB

Download
memory/2896-11-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/2896-23-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/2896-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download