urelas | fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe
Size

324KB
MD5

ccb3964dd622fcc600a569de60895175
SHA1

ae99f1714cfe9c8811dbd0d6fa28d55189017d75
SHA256

fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de
SHA512

af877883057fee997f0da3f0cd229923ab221e6841b84062b5dadf08f42e4d00dd5a1de42a095d4bc51d9a3ecbd9041e952d55a8eb8e0d208fe5dfc563aaa35b
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYA:vHW138/iXWlK885rKlGSekcj66cil

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2616	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

kuwoj.exefosoi.exe

pid	Process
3060	kuwoj.exe
1232	fosoi.exe

Loads dropped DLL 2 IoCs

Processes:

fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exekuwoj.exe

pid	Process
2080	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe
3060	kuwoj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fosoi.exefb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exekuwoj.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fosoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kuwoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

fosoi.exe

pid	Process
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe
1232	fosoi.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exekuwoj.exe

description	pid	Process	procid_target
PID 2080 wrote to memory of 3060	2080	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	28
PID 2080 wrote to memory of 3060	2080	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	28
PID 2080 wrote to memory of 3060	2080	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	28
PID 2080 wrote to memory of 3060	2080	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	28
PID 2080 wrote to memory of 2616	2080	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	29
PID 2080 wrote to memory of 2616	2080	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	29
PID 2080 wrote to memory of 2616	2080	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	29
PID 2080 wrote to memory of 2616	2080	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	29
PID 3060 wrote to memory of 1232	3060	kuwoj.exe	33
PID 3060 wrote to memory of 1232	3060	kuwoj.exe	33
PID 3060 wrote to memory of 1232	3060	kuwoj.exe	33
PID 3060 wrote to memory of 1232	3060	kuwoj.exe	33

C:\Users\Admin\AppData\Local\Temp\fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe
"C:\Users\Admin\AppData\Local\Temp\fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\kuwoj.exe
  "C:\Users\Admin\AppData\Local\Temp\kuwoj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\fosoi.exe
    "C:\Users\Admin\AppData\Local\Temp\fosoi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8e577ae7de95af5cbc09c3b55681bbc2

SHA1
417fdb014059cab8357a87f8b761cb0d3adc083b

SHA256
df822d01c41a8c4a5177f77c5702d4018863179d071defafc98c400a547f252e

SHA512
2fdb0ed8c97fecfa63576e7f2ce7628302044cf0438d783265bf772fe2730bebcb833f51bb029126864a8171644f0069b1ede2e5a58507449d84629b87f0d691

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
814d6f69a05184ef26b0a61ea2bf9ed2

SHA1
785cbd79580350ce07e29c19f2f01241814e0acb

SHA256
dacc0b6f556e4aab4a8c84898eb12b1a1ad6db49e7c33594480471c9ed1b1578

SHA512
f4da210fb542d79f5a63a7f823f9128c400df7630a105966ac2e1ff7c849add680e1b008c6dab4eb15aad2d940cef8ccc26cf0bea4fa29e5244b0b4584634f9f

Download Submit
\Users\Admin\AppData\Local\Temp\fosoi.exe

Filesize
172KB

MD5
006b6ff33f1818fcf260b97f2691e59d

SHA1
ec30369b66ee54f82035ec08e6b18f251b17be19

SHA256
93b58b4e06e963ce2657d04878f48f409eb16f26158e787ff2bee6b9a30869bd

SHA512
ca58873b2f99234b445060196481001929edbac1ba708362bdeb452c0136cbfe6e8e89df7e88145692104e82d22d5217f92a32dede47b8590e899ecbf37ae941

Download Submit
\Users\Admin\AppData\Local\Temp\kuwoj.exe

Filesize
324KB

MD5
a831bddb3f9f970d82f73c8cf33b8ce2

SHA1
4d81c4aaf2b6019019e6d9d56fe150411ef3ec6c

SHA256
262b88dfec13ecdb92d73f07771fd5b22c0405665705f0aaec1a09e761da0d45

SHA512
decac54378d04eaa0357b73eb3a4dc7a1640ade21bfa95e593473ed7fa18d0ec4a56370ab6a2c6c1fe31ee8bbf524e9eeff2b4884eb07d74875d7464555ec1a4

Download Submit
memory/1232-41-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/1232-47-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/1232-50-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/1232-49-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/1232-48-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/1232-42-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/1232-46-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/2080-7-0x0000000002480000-0x0000000002501000-memory.dmp

Filesize
516KB

Download
memory/2080-21-0x0000000000390000-0x0000000000411000-memory.dmp

Filesize
516KB

Download
memory/2080-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2080-0-0x0000000000390000-0x0000000000411000-memory.dmp

Filesize
516KB

Download
memory/3060-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3060-39-0x0000000000110000-0x0000000000191000-memory.dmp

Filesize
516KB

Download
memory/3060-24-0x0000000000110000-0x0000000000191000-memory.dmp

Filesize
516KB

Download
memory/3060-11-0x0000000000110000-0x0000000000191000-memory.dmp

Filesize
516KB

Download