urelas | 31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/10/2024, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe
Size

330KB
MD5

574b21767e108012461c55b68fa4859a
SHA1

87bc2c0d8a0bc4a557eab7c655af9a25cdd3f509
SHA256

31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae
SHA512

0d56f0ec36795efdff4dbaf7bddbfc3770a130f9c96f25738d5be140b7bb25020d3b9eb62d3e2f4355bc5447fbbfda50ed6f53497892bccba75408cd04947fee
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV7:vHW138/iXWlK885rKlGSekcj66ciE7

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1900	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2504	takuo.exe
2652	boixq.exe

Loads dropped DLL 2 IoCs

pid	Process
3000	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe
2504	takuo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boixq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takuo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe
2652	boixq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2504	3000	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	30
PID 3000 wrote to memory of 2504	3000	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	30
PID 3000 wrote to memory of 2504	3000	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	30
PID 3000 wrote to memory of 2504	3000	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	30
PID 3000 wrote to memory of 1900	3000	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	31
PID 3000 wrote to memory of 1900	3000	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	31
PID 3000 wrote to memory of 1900	3000	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	31
PID 3000 wrote to memory of 1900	3000	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	31
PID 2504 wrote to memory of 2652	2504	takuo.exe	34
PID 2504 wrote to memory of 2652	2504	takuo.exe	34
PID 2504 wrote to memory of 2652	2504	takuo.exe	34
PID 2504 wrote to memory of 2652	2504	takuo.exe	34

C:\Users\Admin\AppData\Local\Temp\31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe
"C:\Users\Admin\AppData\Local\Temp\31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\takuo.exe
  "C:\Users\Admin\AppData\Local\Temp\takuo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\boixq.exe
    "C:\Users\Admin\AppData\Local\Temp\boixq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
6790c30365b383b27826bed40956de20

SHA1
ab049a238e52322795aeab9c00328f2d69be60f9

SHA256
b8f9042e725b4b36536392412402f49ca2a8e496e2663cd86e29e1b7f989c446

SHA512
94f7ddc9b4c77ce0dd2e2e40c0e6fda5a9598cfc1fb2630d016b4cb3b879eec80a5a8832843fce53b0ff0282fdafa734d1675e3de49b7b6bd9fd590a06bf3646

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2d879fc556527d8db010724db1940065

SHA1
08da9790d0509d95f04f2c04d8b0f485970ffb1d

SHA256
7fc37fb6317eca78be3cd6f573ef77b3e2234763102b2ab60aa65b9617c9f458

SHA512
8fbde84a6ea64024487a8924008694009dd7aa882d0166fa38344fd2725214a037bf5fda8224d28c0b3b76de3faf0af9c834eb031357caa79889f1e486e8eca3

Download Submit
\Users\Admin\AppData\Local\Temp\boixq.exe

Filesize
172KB

MD5
e9fe9ee6e7488c41ffa11c11fc869ce0

SHA1
a3e3122009c29860d1381894faf313cf12717c8a

SHA256
3971d456d9b4147d3fa962fba40f7605239cde6975cca819db3093c5caf76de8

SHA512
25a987fd53ccab3ab1449bc4c5da7a0ab079703b48af421d9bca81d67e7b4ffbbbae0e0297d5db55103227efe40adbd612815d7dd1a634cfd96e3cf60a1c61b1

Download Submit
\Users\Admin\AppData\Local\Temp\takuo.exe

Filesize
330KB

MD5
a73071b6991bf558ce23d2969ebfea85

SHA1
d7d33e5effe646b3f31b880ae387f7732e47a4cc

SHA256
6546c96402b0a2dd08df03313fba39c8be13698436597dfbc657195069455e3c

SHA512
6c6652e4247ddbf0e661f1aeda5fd632a6949913042d672bd587a4752613a063133c6bae3151e893cca83d68b9064fa1bd3bfaaf217d07ffb6777a3ec3962c26

Download Submit
memory/2504-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2504-23-0x00000000008D0000-0x0000000000951000-memory.dmp

Filesize
516KB

Download
memory/2504-40-0x00000000008D0000-0x0000000000951000-memory.dmp

Filesize
516KB

Download
memory/2504-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2652-46-0x0000000000A20000-0x0000000000AB9000-memory.dmp

Filesize
612KB

Download
memory/2652-41-0x0000000000A20000-0x0000000000AB9000-memory.dmp

Filesize
612KB

Download
memory/2652-42-0x0000000000A20000-0x0000000000AB9000-memory.dmp

Filesize
612KB

Download
memory/2652-47-0x0000000000A20000-0x0000000000AB9000-memory.dmp

Filesize
612KB

Download
memory/2652-48-0x0000000000A20000-0x0000000000AB9000-memory.dmp

Filesize
612KB

Download
memory/2652-49-0x0000000000A20000-0x0000000000AB9000-memory.dmp

Filesize
612KB

Download
memory/2652-50-0x0000000000A20000-0x0000000000AB9000-memory.dmp

Filesize
612KB

Download
memory/3000-0-0x00000000000B0000-0x0000000000131000-memory.dmp

Filesize
516KB

Download
memory/3000-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3000-20-0x00000000000B0000-0x0000000000131000-memory.dmp

Filesize
516KB

Download
memory/3000-7-0x0000000002480000-0x0000000002501000-memory.dmp

Filesize
516KB

Download