urelas | b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
Size

332KB
MD5

64ac1bc4ca221ef927c0f5b570dd2b80
SHA1

157f3607b64b7a69cc3b85ae3e6fb0855dfb9185
SHA256

b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12
SHA512

9a329ce8c12e83cf96aa821bc0d68ee107e388d99e8dc9eaca8d55bf9f62e54d48fbcba4619999925917a62372d3d931fb1a4dc4872c7e94ac516b88830f023b
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYU:vHW138/iXWlK885rKlGSekcj66ciN

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2848	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

uvsuq.exedyefc.exe

pid	Process
2608	uvsuq.exe
2348	dyefc.exe

Loads dropped DLL 2 IoCs

Processes:

b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exeuvsuq.exe

pid	Process
2920	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
2608	uvsuq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exeuvsuq.execmd.exedyefc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvsuq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dyefc.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

dyefc.exe

pid	Process
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe
2348	dyefc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exeuvsuq.exe

description	pid	Process	procid_target
PID 2920 wrote to memory of 2608	2920	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	28
PID 2920 wrote to memory of 2608	2920	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	28
PID 2920 wrote to memory of 2608	2920	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	28
PID 2920 wrote to memory of 2608	2920	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	28
PID 2920 wrote to memory of 2848	2920	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	29
PID 2920 wrote to memory of 2848	2920	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	29
PID 2920 wrote to memory of 2848	2920	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	29
PID 2920 wrote to memory of 2848	2920	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	29
PID 2608 wrote to memory of 2348	2608	uvsuq.exe	33
PID 2608 wrote to memory of 2348	2608	uvsuq.exe	33
PID 2608 wrote to memory of 2348	2608	uvsuq.exe	33
PID 2608 wrote to memory of 2348	2608	uvsuq.exe	33

C:\Users\Admin\AppData\Local\Temp\b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
"C:\Users\Admin\AppData\Local\Temp\b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\uvsuq.exe
  "C:\Users\Admin\AppData\Local\Temp\uvsuq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\dyefc.exe
    "C:\Users\Admin\AppData\Local\Temp\dyefc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
8a72da537d856fe39cf196e33d506de4

SHA1
b3fe8a6999f910b62a54af43f93dd9387b3fdc03

SHA256
91eb2480d34d1e3f221e5a8f319619ce6d11b48561cc12a3a543ea352d5885b3

SHA512
f0324a89c320b64025d33d904bd7de35e04ea761360d5fd79d3319d3872c001c4c743ee621b2aca5494a1f4f1428de026029d046fdcba395dc5fc724b06a3cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
af2e0e2d19119a217c36a295ac5d1266

SHA1
2880492f2e53d9f97dd2f0b194dda63a9ef8e117

SHA256
8e33789224267251156601bbcce24b34e377e26423820079838eb7bfb70e0265

SHA512
c5092de521117879e5aef0760471ab76dd2ccbece52240ff83d41c8f03822d6f5618aa9b7046682cec945f0df66087965258854a091d50c31ea3eca18be808f5

Download Submit
\Users\Admin\AppData\Local\Temp\dyefc.exe

Filesize
172KB

MD5
1a18fe5171e7dd4fe29df4178ec34ebb

SHA1
526d71247403b1c75a4f36ea84a8943fa8681ae1

SHA256
1163c85e7e5847082c4c8d417a6e504e251346b8b1b7f7901e9a22e60a1c51a7

SHA512
4a65eb91f1ccc18cc4bfdb106193c987811eaaa3facba2d8cc7ad1f6ae4db13109ee7a3d368c3c617cd7a3ca60cffff91a1a4d0999fa659bcfd6b9bba48345fe

Download Submit
\Users\Admin\AppData\Local\Temp\uvsuq.exe

Filesize
332KB

MD5
4e121f68c64cf6d0321f6488adf62799

SHA1
236ab8187c39c8390feaa2424c4b77d3258cfcf6

SHA256
cb9f332c8a1633d327145f9786cf812ff6ce5bd464c794d341c396e7ef1e32a7

SHA512
c91f8663a276158bcf0ad32868de66924849cb694f98e9884e9a17ebb217dfa5f9c94b535a36940e2274460c249671b8c88062b98757b63f61ea2509ca44f5e8

Download Submit
memory/2348-41-0x0000000000800000-0x0000000000899000-memory.dmp

Filesize
612KB

Download
memory/2348-50-0x0000000000800000-0x0000000000899000-memory.dmp

Filesize
612KB

Download
memory/2348-49-0x0000000000800000-0x0000000000899000-memory.dmp

Filesize
612KB

Download
memory/2348-48-0x0000000000800000-0x0000000000899000-memory.dmp

Filesize
612KB

Download
memory/2348-47-0x0000000000800000-0x0000000000899000-memory.dmp

Filesize
612KB

Download
memory/2348-46-0x0000000000800000-0x0000000000899000-memory.dmp

Filesize
612KB

Download
memory/2348-42-0x0000000000800000-0x0000000000899000-memory.dmp

Filesize
612KB

Download
memory/2608-11-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/2608-40-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/2608-24-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/2608-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2920-21-0x0000000000E90000-0x0000000000F11000-memory.dmp

Filesize
516KB

Download
memory/2920-0-0x0000000000E90000-0x0000000000F11000-memory.dmp

Filesize
516KB

Download
memory/2920-7-0x0000000002850000-0x00000000028D1000-memory.dmp

Filesize
516KB

Download
memory/2920-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download