urelas | 19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27/10/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe
Size

331KB
MD5

76d36293ff75d248d7731b54c3af6c2f
SHA1

ceaccd192b749e542db6dd670e23d97edea1cfc1
SHA256

19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd
SHA512

a2ccec4e795fd15e0b6e7c8dd083adbbbb4186d8e9a07375a76b0cdc41a9fcdfc5b7fe3d0c84058ee7cb2a757f76be76d24e13850d3ee8014eaa2dbee6de8af2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYO:vHW138/iXWlK885rKlGSekcj66cib

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2140	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1940	daraq.exe
2896	zoxuh.exe

Loads dropped DLL 2 IoCs

pid	Process
2440	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe
1940	daraq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daraq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zoxuh.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe
2896	zoxuh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1940	2440	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe	30
PID 2440 wrote to memory of 1940	2440	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe	30
PID 2440 wrote to memory of 1940	2440	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe	30
PID 2440 wrote to memory of 1940	2440	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe	30
PID 2440 wrote to memory of 2140	2440	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe	31
PID 2440 wrote to memory of 2140	2440	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe	31
PID 2440 wrote to memory of 2140	2440	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe	31
PID 2440 wrote to memory of 2140	2440	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe	31
PID 1940 wrote to memory of 2896	1940	daraq.exe	34
PID 1940 wrote to memory of 2896	1940	daraq.exe	34
PID 1940 wrote to memory of 2896	1940	daraq.exe	34
PID 1940 wrote to memory of 2896	1940	daraq.exe	34

C:\Users\Admin\AppData\Local\Temp\19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe
"C:\Users\Admin\AppData\Local\Temp\19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\daraq.exe
  "C:\Users\Admin\AppData\Local\Temp\daraq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\zoxuh.exe
    "C:\Users\Admin\AppData\Local\Temp\zoxuh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
88848f355d4b18a9f30b5c4b46dbbd66

SHA1
3142afcaba6bee37282ecfd847133ae39eca38a9

SHA256
266a75325897c9960293b1b96672f1239df595ff3b0596ac2f7ab77dc494b4f3

SHA512
7bfb79b8362b6b9337fd1e53277cea19de70fe057f2044297f8245144453bd656129e206d2e7fc0e7f1ca5cb5b556b8674863767ed350b5a27c1d6e0adab3a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\daraq.exe

Filesize
331KB

MD5
83c902c0574905d13fe7ba65e280ba28

SHA1
707f96c459b56ad1d56f944e1d026a8bd1f2dd76

SHA256
defe8af534c59855a4ad96def6b5dbf1703312db8c41f26afe4c694a1ecdbcf8

SHA512
c6b3abe35e0257fa79fe1e5f3cd6bf220fc6e01b71393297ef6f65589b232e9ee97ec3355de1a9dfcf7e6c6aea5b51848bc8bdb87976db480341fc62a2802f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
986addcce8b556d6a169650e51163442

SHA1
c77373ad51cca4aead921f2dfaec3d4ba3edff7b

SHA256
8cdea3645a11be43c0a12e18e2bd1b350ba5db71554fb07b85128717939ecac4

SHA512
233f3bb4fef14dc3628d7765fa2c9cb1e2f05ae690ed9f5fc9d46e772bb49d34d582098c51d2d854686c69fe098d132187be6193f646d389cd1bd4458148c8be

Download Submit
\Users\Admin\AppData\Local\Temp\daraq.exe

Filesize
331KB

MD5
209f040b63340986bdb988169d3538d5

SHA1
e2f1acc3519b52d15579f2bf68874335f87a10fc

SHA256
650c56e2c747e83692edfe5bf337d7d346fdaf37119ca51fb79755915e6f0e0f

SHA512
61ac781097ac0f4d70e2124a2f19c403cb72dbf29922c243da0fd8303c145d7fd27759bae1abbc77ab15376f738bf94fdc5c9c60a95e34da30ae4105713a2747

Download Submit
\Users\Admin\AppData\Local\Temp\zoxuh.exe

Filesize
172KB

MD5
5a8d44223a2bb1cafb2d263f2658f188

SHA1
dd494f6ee36fa7b28996f329afd893723bc66b82

SHA256
e63b670c56a14d70499b58685f0bcb10e25e51a9ee94597cac554aac1a106130

SHA512
b781751a74493f01aa7bbebda3c0c27751647f2cfc05ba2c3b4f8d68f2a3f85825a13298051a56c89ee722c858328dcedba09a1718fcbdb02044b5c59e9edf48

Download Submit
memory/1940-38-0x0000000003540000-0x00000000035D9000-memory.dmp

Filesize
612KB

Download
memory/1940-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1940-40-0x0000000000800000-0x0000000000881000-memory.dmp

Filesize
516KB

Download
memory/1940-23-0x0000000000800000-0x0000000000881000-memory.dmp

Filesize
516KB

Download
memory/2440-0-0x0000000000070000-0x00000000000F1000-memory.dmp

Filesize
516KB

Download
memory/2440-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2440-7-0x00000000027A0000-0x0000000002821000-memory.dmp

Filesize
516KB

Download
memory/2440-20-0x0000000000070000-0x00000000000F1000-memory.dmp

Filesize
516KB

Download
memory/2896-41-0x0000000000C30000-0x0000000000CC9000-memory.dmp

Filesize
612KB

Download
memory/2896-44-0x0000000000C30000-0x0000000000CC9000-memory.dmp

Filesize
612KB

Download
memory/2896-47-0x0000000000C30000-0x0000000000CC9000-memory.dmp

Filesize
612KB

Download
memory/2896-48-0x0000000000C30000-0x0000000000CC9000-memory.dmp

Filesize
612KB

Download
memory/2896-49-0x0000000000C30000-0x0000000000CC9000-memory.dmp

Filesize
612KB

Download
memory/2896-50-0x0000000000C30000-0x0000000000CC9000-memory.dmp

Filesize
612KB

Download
memory/2896-51-0x0000000000C30000-0x0000000000CC9000-memory.dmp

Filesize
612KB

Download