urelas | 31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/10/2024, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe
Size

332KB
MD5

76f5fdf8b29d6d325a2954eb9affd758
SHA1

738271ce6399a06456279ae22117905ab63fe4dc
SHA256

31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4
SHA512

5a3ff505f249bf294e540d1d336a0543f8057bc3b6fa5e7b346f05bf7e88894ef599f11b1ce03e0b81fe66c10ec7ee94bf6c95f7983af5f1ca27b69ac498a090
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYr5:vHW138/iXWlK885rKlGSekcj66ci8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2836	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2420	icykt.exe
236	qores.exe

Loads dropped DLL 2 IoCs

pid	Process
3052	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe
2420	icykt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icykt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qores.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe
236	qores.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2420	3052	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	30
PID 3052 wrote to memory of 2420	3052	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	30
PID 3052 wrote to memory of 2420	3052	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	30
PID 3052 wrote to memory of 2420	3052	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	30
PID 3052 wrote to memory of 2836	3052	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	31
PID 3052 wrote to memory of 2836	3052	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	31
PID 3052 wrote to memory of 2836	3052	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	31
PID 3052 wrote to memory of 2836	3052	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	31
PID 2420 wrote to memory of 236	2420	icykt.exe	34
PID 2420 wrote to memory of 236	2420	icykt.exe	34
PID 2420 wrote to memory of 236	2420	icykt.exe	34
PID 2420 wrote to memory of 236	2420	icykt.exe	34

C:\Users\Admin\AppData\Local\Temp\31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe
"C:\Users\Admin\AppData\Local\Temp\31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\icykt.exe
  "C:\Users\Admin\AppData\Local\Temp\icykt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\qores.exe
    "C:\Users\Admin\AppData\Local\Temp\qores.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3889d8e2dec2cdfaf98392329730f1b1

SHA1
b95f3baf21f177f97d91a800d2b9f0aef64da9f0

SHA256
353d3edb8e6d4032a387f3a2350280e78859312fa5244af78221c4360ed481ef

SHA512
f748ff35ebd437ef0a6fa93a1929087b9966c68b7f338c5d84c5f5a0f857dd069c75e4ce269e00c51ab19f4feff4c061ab22c1e5dedcf942f259c07e46fddd93

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f246a966bbb627e84b917b08d25ba8e3

SHA1
b63f194d711378c14b80666c15ac04f0a5c676cc

SHA256
9d380166cc5c030f7c45404b23c11e20815d962d1192013fea7348903075f6b9

SHA512
5dbb08589725914363b4e925c1938b49b11471572b10998882a0c18799bcf3a3b3ddb3e4c1b261871f32a329f3e05a8fd9436c4c70326a09ad6fb06418e05415

Download Submit
\Users\Admin\AppData\Local\Temp\icykt.exe

Filesize
332KB

MD5
f058c84743d0d096e6e758915ab631d9

SHA1
f59d4100d8ad34d300c8a252d7e7822ee054df24

SHA256
f49f89aa989da41aad2f85284af833b560f78f7dd6d74a176256b7ebd13671bd

SHA512
32c71b87d7d3a8d018cf70f35314d83b052506765c0ee5cdaca0b668fc8091d7885ef6bec36f5bc15ea3fc01805280531997bc62b5cc87576c800e4c5b902516

Download Submit
\Users\Admin\AppData\Local\Temp\qores.exe

Filesize
172KB

MD5
bb0d49b68fb251ba2431ebd62dcd310e

SHA1
f32f3f7507f7630cb49e650c5c863b3fb9d7e23a

SHA256
36ba737cb4735f7d9919a906d4b66f2e794a705c15e0a0583f8753fa55d76a81

SHA512
80e294f4dbd17a13c7d4533cd078b28ecf1536c54c98ab35526a496105f78b1318809941696548c8b2357d27074c603d9e99321f5efea6158d096da196095a79

Download Submit
memory/236-52-0x00000000011F0000-0x0000000001289000-memory.dmp

Filesize
612KB

Download
memory/236-51-0x00000000011F0000-0x0000000001289000-memory.dmp

Filesize
612KB

Download
memory/236-50-0x00000000011F0000-0x0000000001289000-memory.dmp

Filesize
612KB

Download
memory/236-49-0x00000000011F0000-0x0000000001289000-memory.dmp

Filesize
612KB

Download
memory/236-48-0x00000000011F0000-0x0000000001289000-memory.dmp

Filesize
612KB

Download
memory/236-44-0x00000000011F0000-0x0000000001289000-memory.dmp

Filesize
612KB

Download
memory/236-43-0x00000000011F0000-0x0000000001289000-memory.dmp

Filesize
612KB

Download
memory/2420-11-0x00000000011C0000-0x0000000001241000-memory.dmp

Filesize
516KB

Download
memory/2420-39-0x00000000037B0000-0x0000000003849000-memory.dmp

Filesize
612KB

Download
memory/2420-42-0x00000000011C0000-0x0000000001241000-memory.dmp

Filesize
516KB

Download
memory/2420-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2420-24-0x00000000011C0000-0x0000000001241000-memory.dmp

Filesize
516KB

Download
memory/2420-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3052-20-0x00000000011A0000-0x0000000001221000-memory.dmp

Filesize
516KB

Download
memory/3052-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3052-7-0x00000000026F0000-0x0000000002771000-memory.dmp

Filesize
516KB

Download
memory/3052-0-0x00000000011A0000-0x0000000001221000-memory.dmp

Filesize
516KB

Download