urelas | d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/10/2024, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe
Size

332KB
MD5

b8017c01f42eb5dc5abf267902d2168b
SHA1

4966c9e8caf87d844cdc8174a9d17f5865703042
SHA256

d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8
SHA512

d5f64d8653189f87a8d31a63ebc68d80a2d9b47686c8eab14dd440b64d4427cb4cb664ce5eb275381e8b28fc1f7bbe32998ffe5942ff7cee5241dfd7bc9a0d67
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVQ:vHW138/iXWlK885rKlGSekcj66ciEQ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2688	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2712	jokoc.exe
668	wyexx.exe

Loads dropped DLL 2 IoCs

pid	Process
2844	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe
2712	jokoc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jokoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyexx.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe
668	wyexx.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2712	2844	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe	31
PID 2844 wrote to memory of 2712	2844	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe	31
PID 2844 wrote to memory of 2712	2844	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe	31
PID 2844 wrote to memory of 2712	2844	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe	31
PID 2844 wrote to memory of 2688	2844	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe	32
PID 2844 wrote to memory of 2688	2844	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe	32
PID 2844 wrote to memory of 2688	2844	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe	32
PID 2844 wrote to memory of 2688	2844	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe	32
PID 2712 wrote to memory of 668	2712	jokoc.exe	35
PID 2712 wrote to memory of 668	2712	jokoc.exe	35
PID 2712 wrote to memory of 668	2712	jokoc.exe	35
PID 2712 wrote to memory of 668	2712	jokoc.exe	35

C:\Users\Admin\AppData\Local\Temp\d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe
"C:\Users\Admin\AppData\Local\Temp\d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\jokoc.exe
  "C:\Users\Admin\AppData\Local\Temp\jokoc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\wyexx.exe
    "C:\Users\Admin\AppData\Local\Temp\wyexx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
97ac3213777bb973b4a206e67455a7e3

SHA1
f20da8a66d33439a1d4c85ab872d70f97ed4c8bb

SHA256
a3273afa5970391d71c2328123e5daa4e4f0bf348036b2534b6d92a9bf87ec9b

SHA512
4ff2ea54706d3c9ab14f5fcd2ba7299fc7763a605436ba0c83a9f381d49e9f7e99685a744565970477b24d9cc92fd92a274de859a9d3c5a5df9cdc14cb0f20e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2473ac1735ffd02f58d106f154b81586

SHA1
8f05a355db2ae688258b7a8d45b6302b94835559

SHA256
f3580472525d729347b4a788294f1fc8c29902a1006519dcda154e78646d0630

SHA512
9e0cd1730712430b7e1392721d0a1fa5ace11403e6f5d5bc47b282f61babf87c0d56b3cd79579b90976c3d60d6e8a944c0db8cdf542b21342ef978f6e0ef1273

Download Submit
C:\Users\Admin\AppData\Local\Temp\jokoc.exe

Filesize
332KB

MD5
ae716c113d6204593f2f80a4d3d6d945

SHA1
350c659486a764b63f8699508c323f4dfa1d0aae

SHA256
8cbc96be4e5c07d190838926bb8fd2be66d13e4f60f9269e4e103ba4c930ca50

SHA512
784117d24d1f0b21f89ce8452a4c60a9cdc4aae535de26cf34a71712eeb2b8f051321840a48543c940e7f847a0cbd68a362ecf4e9349c4e7b93177398b9ef499

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyexx.exe

Filesize
172KB

MD5
38591a2590b076e571ee9bfc54595ddb

SHA1
9a388544e5d99980efd8ccbc1c064eca2a7d2db7

SHA256
42629c119653de4bf8529237b28d5c87aa0bc6168ded004615c9879e140002ac

SHA512
ae75f5cce22f836909e791ab2f03518ded1aad090b1aa4601c5b386eb8f95af68f32b2c373014679536d84da29490c56fcb8019557344c32395283e538665323

Download Submit
\Users\Admin\AppData\Local\Temp\jokoc.exe

Filesize
332KB

MD5
c68a037afde85de4de89e89803b377cf

SHA1
5ffffd3c047088b53abf6b6395ae70c05c6e7192

SHA256
c08660c0e44afc9771e5f90885542b030e32d4231fdb5ce5856ab9a496ba12e5

SHA512
ec65615c1682381c64bcbe3b0bbb5052d5abd1444bbe3511fe96874dcebb1e7b69a92cc352bf9e9a4b614ad806bf678244d687ed5e74ed0c55cb036314506f82

Download Submit
memory/668-51-0x0000000000D20000-0x0000000000DB9000-memory.dmp

Filesize
612KB

Download
memory/668-50-0x0000000000D20000-0x0000000000DB9000-memory.dmp

Filesize
612KB

Download
memory/668-49-0x0000000000D20000-0x0000000000DB9000-memory.dmp

Filesize
612KB

Download
memory/668-48-0x0000000000D20000-0x0000000000DB9000-memory.dmp

Filesize
612KB

Download
memory/668-47-0x0000000000D20000-0x0000000000DB9000-memory.dmp

Filesize
612KB

Download
memory/668-42-0x0000000000D20000-0x0000000000DB9000-memory.dmp

Filesize
612KB

Download
memory/2712-38-0x00000000032E0000-0x0000000003379000-memory.dmp

Filesize
612KB

Download
memory/2712-40-0x0000000000320000-0x00000000003A1000-memory.dmp

Filesize
516KB

Download
memory/2712-24-0x0000000000320000-0x00000000003A1000-memory.dmp

Filesize
516KB

Download
memory/2712-11-0x0000000000320000-0x00000000003A1000-memory.dmp

Filesize
516KB

Download
memory/2712-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2844-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2844-21-0x0000000001320000-0x00000000013A1000-memory.dmp

Filesize
516KB

Download
memory/2844-9-0x0000000001050000-0x00000000010D1000-memory.dmp

Filesize
516KB

Download
memory/2844-0-0x0000000001320000-0x00000000013A1000-memory.dmp

Filesize
516KB

Download