urelas | 4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe
Size

356KB
MD5

89280f71892759a8b5d330cbed1a6b9c
SHA1

94fc6560599b5020fb558500a094394a5c85af8c
SHA256

4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75
SHA512

fed9aaf4e187023a341fbb4e785105b436d6f5d6501fa31b2841c87f65b06c37260dff6608671316783ad8dad84e620e190b87e0bfa686a821ad178d0ec03118
SSDEEP

6144:c1bYec5C8AAYLxhEmPG7qwmioqVsCqbN0h:MUyI6QmPPPqVsps

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1900	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1176	xeniq.exe
2844	anipvo.exe
2808	jubuh.exe

Loads dropped DLL 5 IoCs

pid	Process
2560	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe
2560	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe
1176	xeniq.exe
1176	xeniq.exe
2844	anipvo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jubuh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeniq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anipvo.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe
2808	jubuh.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 1176	2560	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	31
PID 2560 wrote to memory of 1176	2560	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	31
PID 2560 wrote to memory of 1176	2560	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	31
PID 2560 wrote to memory of 1176	2560	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	31
PID 2560 wrote to memory of 1900	2560	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	32
PID 2560 wrote to memory of 1900	2560	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	32
PID 2560 wrote to memory of 1900	2560	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	32
PID 2560 wrote to memory of 1900	2560	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	32
PID 1176 wrote to memory of 2844	1176	xeniq.exe	34
PID 1176 wrote to memory of 2844	1176	xeniq.exe	34
PID 1176 wrote to memory of 2844	1176	xeniq.exe	34
PID 1176 wrote to memory of 2844	1176	xeniq.exe	34
PID 2844 wrote to memory of 2808	2844	anipvo.exe	36
PID 2844 wrote to memory of 2808	2844	anipvo.exe	36
PID 2844 wrote to memory of 2808	2844	anipvo.exe	36
PID 2844 wrote to memory of 2808	2844	anipvo.exe	36
PID 2844 wrote to memory of 2504	2844	anipvo.exe	37
PID 2844 wrote to memory of 2504	2844	anipvo.exe	37
PID 2844 wrote to memory of 2504	2844	anipvo.exe	37
PID 2844 wrote to memory of 2504	2844	anipvo.exe	37

C:\Users\Admin\AppData\Local\Temp\4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe
"C:\Users\Admin\AppData\Local\Temp\4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\xeniq.exe
  "C:\Users\Admin\AppData\Local\Temp\xeniq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Users\Admin\AppData\Local\Temp\anipvo.exe
    "C:\Users\Admin\AppData\Local\Temp\anipvo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\jubuh.exe
      "C:\Users\Admin\AppData\Local\Temp\jubuh.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
43b5e1b182ac03467b86aded3bc35ae7

SHA1
beab788562f4689e9f1d08089073326853990bfb

SHA256
d6f55602d33a59eff0bc28cad81fa87407e9e5c51c6fd707c9fb83e3df16f8fe

SHA512
25cc7e7c37877a841109d0b000808846696791d5af30e4909ab918f145b2b719b6de7388a7d893e211ffa635c62935311f3cea6628391abf3c71dbdfac428976

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
590ea9512fc3295735349237ce437b5b

SHA1
aaebb7caca93108e1cc58ad65361f44ae607d05d

SHA256
185a1f7cc2a82582b03a01e90c1dff1fd5090a8c3cf1a8b26ef99d1984c29425

SHA512
80790b88cf899445facca0205df161749019296e103eef368accb1ef34893979420d6b818fa3aa342e28f23a53866c28c5a990541f3bc81392f812bb3ff81431

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
73be872079aeae15943d3b8a7bf8b80c

SHA1
305129c86947a7ff5c1fcced7650b8a1f317da80

SHA256
85979505c2309432012f0f2970ae816205242cf6e238209cf3cfce3261042c9c

SHA512
cadd870e5d3fd115aa128a5ff2cc5327c15346a9779398c42e57085e003f38cdf079b7c5e667e1e8df9c797d00d0747c0783133c9c039d8e7d157ddc28e268c8

Download Submit
\Users\Admin\AppData\Local\Temp\jubuh.exe

Filesize
107KB

MD5
d6ce2ecd5aa2f2d7b9f09a12c3065114

SHA1
77986e30084c4e27bee7773d73fb05340ed6736b

SHA256
dff80f3f293fb779f91da141dd717220c9ff4d047345d4a7cf7dfcbc1d5ccc69

SHA512
84cc3a65d9727cba9498211a36131883fcb7b119f31bf746c58c0cc4bbb78a1774db1aea1e2bc59262e914a19fb97a1baaafe38592012716a036a0285c5fe56e

Download Submit
\Users\Admin\AppData\Local\Temp\xeniq.exe

Filesize
356KB

MD5
f57522aa7f669ca0f4e0b1965da8e907

SHA1
fe729cc379caa34ecca6d04b7feeac71f6015f17

SHA256
58f7f6df78b4ba2d374b687748b2216ad9117f1e1354263f6dfa1894d0dd64cc

SHA512
ff7f1f59b0296071a20c773d686fff2cf5987d8e883092c152158e7895c9ac783310770601f6ba1dd7908e163ddcc0727f13df516696b450167639623d9b3dec

Download Submit
memory/1176-33-0x0000000001EE0000-0x0000000001F39000-memory.dmp

Filesize
356KB

Download
memory/1176-34-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1176-32-0x0000000001EE0000-0x0000000001F39000-memory.dmp

Filesize
356KB

Download
memory/2560-12-0x00000000029F0000-0x0000000002A49000-memory.dmp

Filesize
356KB

Download
memory/2560-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2560-10-0x00000000029F0000-0x0000000002A49000-memory.dmp

Filesize
356KB

Download
memory/2560-21-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2808-63-0x0000000001090000-0x0000000001115000-memory.dmp

Filesize
532KB

Download
memory/2808-47-0x0000000001090000-0x0000000001115000-memory.dmp

Filesize
532KB

Download
memory/2808-58-0x0000000001090000-0x0000000001115000-memory.dmp

Filesize
532KB

Download
memory/2808-59-0x0000000001090000-0x0000000001115000-memory.dmp

Filesize
532KB

Download
memory/2808-60-0x0000000001090000-0x0000000001115000-memory.dmp

Filesize
532KB

Download
memory/2808-61-0x0000000001090000-0x0000000001115000-memory.dmp

Filesize
532KB

Download
memory/2808-62-0x0000000001090000-0x0000000001115000-memory.dmp

Filesize
532KB

Download
memory/2844-55-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2844-37-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2844-43-0x0000000003B50000-0x0000000003BD5000-memory.dmp

Filesize
532KB

Download