urelas | 5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893

Analysis

max time kernel
149s
max time network
83s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
Size

331KB
MD5

2f0ef1635939f533b6748635655ec64a
SHA1

d11dea3716c70cc1d3958280a4b5093670fe4a87
SHA256

5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893
SHA512

cb3d74d99dd0c5a2599ee836a1155ae7485483e6a4f5ebdab90e1f2dad917da66187ce2a9190659e7e9f18f4b6063d1d09f0e1f49aacbd5fa1329b081e05e0e6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVn:vHW138/iXWlK885rKlGSekcj66ciEn

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2992	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

huict.exenerie.exe

pid	Process
2216	huict.exe
2132	nerie.exe

Loads dropped DLL 2 IoCs

Processes:

5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exehuict.exe

pid	Process
2328	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
2216	huict.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exenerie.exe5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exehuict.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nerie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huict.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

nerie.exe

pid	Process
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe
2132	nerie.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exehuict.exe

description	pid	Process	procid_target
PID 2328 wrote to memory of 2216	2328	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	29
PID 2328 wrote to memory of 2216	2328	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	29
PID 2328 wrote to memory of 2216	2328	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	29
PID 2328 wrote to memory of 2216	2328	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	29
PID 2328 wrote to memory of 2992	2328	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	30
PID 2328 wrote to memory of 2992	2328	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	30
PID 2328 wrote to memory of 2992	2328	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	30
PID 2328 wrote to memory of 2992	2328	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	30
PID 2216 wrote to memory of 2132	2216	huict.exe	32
PID 2216 wrote to memory of 2132	2216	huict.exe	32
PID 2216 wrote to memory of 2132	2216	huict.exe	32
PID 2216 wrote to memory of 2132	2216	huict.exe	32

C:\Users\Admin\AppData\Local\Temp\5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
"C:\Users\Admin\AppData\Local\Temp\5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\huict.exe
  "C:\Users\Admin\AppData\Local\Temp\huict.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\nerie.exe
    "C:\Users\Admin\AppData\Local\Temp\nerie.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c22be246c83b4a82251d635b9db17513

SHA1
777b281a4961eadfb262683d1bc1831f6dba5e6a

SHA256
c82836682e0e4cddb5d93844038ef76e48d0568a0aa64591e274ab76d8cf23d4

SHA512
2c2748c0d4bd8ab8cb0049fc18acdc8fa21e9576e88bf54e106ced12417f799d1d475d0762c6084009a0275cadbd05ba40b55d5cdb08122642d67475aeb9de32

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
52513a472e9c1f97a4add2fb40fe8a26

SHA1
c928ab1751721b9fcf6836acbe06fb22696e2c39

SHA256
f40915d784f6f2c4d85ee18e16d65f0c7b896b705d5025f4eef130898b57c10b

SHA512
afc60e42632934bbbd81dbf953a4149f61edfd12f80d8bcb6e4b4fcec6ecc97ebaae30a691cef3fb11699d912792ae03d71f22bc833374a9b5af7f3be2852a50

Download Submit
\Users\Admin\AppData\Local\Temp\huict.exe

Filesize
331KB

MD5
c26b9fd402873060cb72cea782a43ded

SHA1
7b3c190a2989e1014232d6bf8dedf12c8e5314bd

SHA256
692787ea04723f236bff6e27b9a40c5fdb1ede832ece5ec497aab8c5bc8dc30f

SHA512
523c83a0a11fe02636a2ac56cbc11b3605f559de6aa98e9f173d7285364812cf13166d0cb9f65b3da5d0fc103f1128be998e44510fdc70f5d002581b325eb808

Download Submit
\Users\Admin\AppData\Local\Temp\nerie.exe

Filesize
172KB

MD5
6ea2be723299ba3bf250a0f386b0e75e

SHA1
39069e735f4d5655c6ab83b577b4f05b4b96dfff

SHA256
50c0d6189b6198c4464295f2e4707018384b49887bf1010818718947eec993d9

SHA512
1ad2ce9c07e486c5b17675c3393735951f1fefa5953e09ff67e19de8d43dc1f84a61646479d7e6b01d6622f279ab5a3d93a2bcef6d65302f9afed67bf300f00a

Download Submit
memory/2132-42-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2132-41-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2132-50-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2132-49-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2132-48-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2132-47-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2132-46-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2216-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2216-40-0x0000000000B70000-0x0000000000BF1000-memory.dmp

Filesize
516KB

Download
memory/2216-24-0x0000000000B70000-0x0000000000BF1000-memory.dmp

Filesize
516KB

Download
memory/2216-17-0x0000000000B70000-0x0000000000BF1000-memory.dmp

Filesize
516KB

Download
memory/2328-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2328-0-0x00000000002F0000-0x0000000000371000-memory.dmp

Filesize
516KB

Download
memory/2328-21-0x00000000002F0000-0x0000000000371000-memory.dmp

Filesize
516KB

Download
memory/2328-8-0x0000000002660000-0x00000000026E1000-memory.dmp

Filesize
516KB

Download