urelas | 62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe
Size

333KB
MD5

a08624aa8369a8873d683590fb3f0fed
SHA1

75cb37084b41f2cfc3d9e4ec990a19631375e2b4
SHA256

62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778
SHA512

7431757670d2359ff3fe8a4ca2319ca09e1f3fafb769e3e6c91fdd47d69e978362fcea45995723435fd13bcc3b133a6300cba392659d6a068487d66023639088
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9P:vHW138/iXWlK885rKlGSekcj66ciWP

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2032	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

wyniz.exefuful.exe

pid	Process
1628	wyniz.exe
484	fuful.exe

Loads dropped DLL 2 IoCs

Processes:

62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exewyniz.exe

pid	Process
1976	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe
1628	wyniz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exewyniz.execmd.exefuful.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyniz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuful.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

fuful.exe

pid	Process
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe
484	fuful.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exewyniz.exe

description	pid	Process	procid_target
PID 1976 wrote to memory of 1628	1976	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	30
PID 1976 wrote to memory of 1628	1976	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	30
PID 1976 wrote to memory of 1628	1976	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	30
PID 1976 wrote to memory of 1628	1976	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	30
PID 1976 wrote to memory of 2032	1976	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	31
PID 1976 wrote to memory of 2032	1976	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	31
PID 1976 wrote to memory of 2032	1976	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	31
PID 1976 wrote to memory of 2032	1976	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	31
PID 1628 wrote to memory of 484	1628	wyniz.exe	34
PID 1628 wrote to memory of 484	1628	wyniz.exe	34
PID 1628 wrote to memory of 484	1628	wyniz.exe	34
PID 1628 wrote to memory of 484	1628	wyniz.exe	34

C:\Users\Admin\AppData\Local\Temp\62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe
"C:\Users\Admin\AppData\Local\Temp\62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\wyniz.exe
  "C:\Users\Admin\AppData\Local\Temp\wyniz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\fuful.exe
    "C:\Users\Admin\AppData\Local\Temp\fuful.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
ea2c3ad2177becefa293d8bff004fd8d

SHA1
84685598abf20b1813b4c475d5053b1969980504

SHA256
d8a231e7959ce5232dfbb8c2501c5fbdfbf669a2226e9a3a8eec2ee7cf6d0dd7

SHA512
5b27e8434474413af8ec35ee473cde03c9084420956861f22c81350ec572f70b6809ebbae2e7ccfdf2431149df730e9564f8e2456d72665fb364b86859c04ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
08a1902ed7376da7b66b5a68d4d60e1e

SHA1
f57133d780996baf7bc0c4e23978acb65cc1aea4

SHA256
c1421a79eed355334c1bbae6abdff0ed8dbb6ec49d343e35d508992a62e7bd5d

SHA512
f2fda8a2481a18b0bf5a974519b503385e376a8617c3e16ebc972b4bfc651107ce83557251623f14c1ae1518f6edea9be810d94a1b09798e7ef9fb916f6ed8a9

Download Submit
\Users\Admin\AppData\Local\Temp\fuful.exe

Filesize
172KB

MD5
33fe2dc79a944a395a8ffe111fa0adb7

SHA1
f3be1302c4364286e5f87d1aca885d45a30164a4

SHA256
9419b3f954cb733f0e2abe07c5850f9c9ca518feec0efeeb070374b02e920e86

SHA512
d5d9383da2729da9b80afd2fe4fff3cc114e1f6d1680072e75919866c1c13641ffc889ac24237b21dd44b178b5b91b33d43ec84ca9633ea3f0be30ac6a40bbac

Download Submit
\Users\Admin\AppData\Local\Temp\wyniz.exe

Filesize
333KB

MD5
b27a92d0b21a2d426adb11cc04dc25ba

SHA1
e926c398fb88136802a5fd6567040e962d1e9c78

SHA256
276a617baec64c160fb9f9c46975bad4ed71285a01f015d493b3a053caad0bd5

SHA512
ab9b6d3c56b6c967ef0bec1343b577fa9df9f16104a804f6d0ff839b6852dab9e0e95b4ade5fef51a568e6dd86e18997545185aab5a2ac355d6d2291eface451

Download Submit
memory/484-47-0x0000000001130000-0x00000000011C9000-memory.dmp

Filesize
612KB

Download
memory/484-41-0x0000000001130000-0x00000000011C9000-memory.dmp

Filesize
612KB

Download
memory/484-51-0x0000000001130000-0x00000000011C9000-memory.dmp

Filesize
612KB

Download
memory/484-50-0x0000000001130000-0x00000000011C9000-memory.dmp

Filesize
612KB

Download
memory/484-49-0x0000000001130000-0x00000000011C9000-memory.dmp

Filesize
612KB

Download
memory/484-48-0x0000000001130000-0x00000000011C9000-memory.dmp

Filesize
612KB

Download
memory/484-40-0x0000000001130000-0x00000000011C9000-memory.dmp

Filesize
612KB

Download
memory/1628-39-0x0000000003210000-0x00000000032A9000-memory.dmp

Filesize
612KB

Download
memory/1628-45-0x00000000008E0000-0x0000000000961000-memory.dmp

Filesize
516KB

Download
memory/1628-18-0x00000000008E0000-0x0000000000961000-memory.dmp

Filesize
516KB

Download
memory/1628-24-0x00000000008E0000-0x0000000000961000-memory.dmp

Filesize
516KB

Download
memory/1628-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1976-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1976-0-0x0000000000AE0000-0x0000000000B61000-memory.dmp

Filesize
516KB

Download
memory/1976-9-0x00000000026B0000-0x0000000002731000-memory.dmp

Filesize
516KB

Download
memory/1976-21-0x0000000000AE0000-0x0000000000B61000-memory.dmp

Filesize
516KB

Download