urelas | 5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893

Analysis

max time kernel
149s
max time network
83s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/10/2024, 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
Size

331KB
MD5

2f0ef1635939f533b6748635655ec64a
SHA1

d11dea3716c70cc1d3958280a4b5093670fe4a87
SHA256

5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893
SHA512

cb3d74d99dd0c5a2599ee836a1155ae7485483e6a4f5ebdab90e1f2dad917da66187ce2a9190659e7e9f18f4b6063d1d09f0e1f49aacbd5fa1329b081e05e0e6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVn:vHW138/iXWlK885rKlGSekcj66ciEn

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2828	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2928	nibyz.exe
2860	adatt.exe

Loads dropped DLL 2 IoCs

pid	Process
2476	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
2928	nibyz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adatt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nibyz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe
2860	adatt.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2928	2476	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	30
PID 2476 wrote to memory of 2928	2476	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	30
PID 2476 wrote to memory of 2928	2476	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	30
PID 2476 wrote to memory of 2928	2476	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	30
PID 2476 wrote to memory of 2828	2476	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	31
PID 2476 wrote to memory of 2828	2476	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	31
PID 2476 wrote to memory of 2828	2476	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	31
PID 2476 wrote to memory of 2828	2476	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	31
PID 2928 wrote to memory of 2860	2928	nibyz.exe	34
PID 2928 wrote to memory of 2860	2928	nibyz.exe	34
PID 2928 wrote to memory of 2860	2928	nibyz.exe	34
PID 2928 wrote to memory of 2860	2928	nibyz.exe	34

C:\Users\Admin\AppData\Local\Temp\5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
"C:\Users\Admin\AppData\Local\Temp\5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\nibyz.exe
  "C:\Users\Admin\AppData\Local\Temp\nibyz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\adatt.exe
    "C:\Users\Admin\AppData\Local\Temp\adatt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c22be246c83b4a82251d635b9db17513

SHA1
777b281a4961eadfb262683d1bc1831f6dba5e6a

SHA256
c82836682e0e4cddb5d93844038ef76e48d0568a0aa64591e274ab76d8cf23d4

SHA512
2c2748c0d4bd8ab8cb0049fc18acdc8fa21e9576e88bf54e106ced12417f799d1d475d0762c6084009a0275cadbd05ba40b55d5cdb08122642d67475aeb9de32

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b3e0817119d7a68e887bb8a6aea55b32

SHA1
fe3938df13e32f759c1f5e6e6a0bcd9a3245a01b

SHA256
a8f833737ca2903a089046ff74b82f91c755a72ada7ad843c71ebbf8db297cd2

SHA512
70e3341e24fa9302d3dccc5f11964682c4af199df3fc081ee5515dbb663ea520a324ae558bda202cfe584b71eb1aa6a323c2751c367ca4c4d36cc4580ad4d676

Download Submit
\Users\Admin\AppData\Local\Temp\adatt.exe

Filesize
172KB

MD5
745e764babfb8f0c0a1c454b1d0aa4bb

SHA1
d3d924c543f088dc6aafbc395c7792d9093f0c13

SHA256
ec178caff14a67dc39bb411fd6924e56a2d907d04ceac4bae7734b60396bb181

SHA512
0b0e930efc552a8bc5d961ba264b91b8d44883c50bfe2b453f9745f4340db98a07f62ed4864973091de73bcf2c4737983030eded4472e7ccba020fefdc657f63

Download Submit
\Users\Admin\AppData\Local\Temp\nibyz.exe

Filesize
331KB

MD5
a64cce908f5d56f683dba9998e714018

SHA1
477ab7085662b0b88e7d0ad47aca70118f81b47f

SHA256
fc6ad0315d28e0cda4a8f59fac66073cb7689d4b2ec20dae9033340cb4f7e48a

SHA512
3d25183d2f0dc223943e90eb76e5caa8f1579e835bd97369e163ec7f60556837e7fa8db1cc8d5af98a5783ef4d59abdcae1f014e06249c95d742373927ea69f9

Download Submit
memory/2476-9-0x00000000024A0000-0x0000000002521000-memory.dmp

Filesize
516KB

Download
memory/2476-20-0x0000000000180000-0x0000000000201000-memory.dmp

Filesize
516KB

Download
memory/2476-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2476-0-0x0000000000180000-0x0000000000201000-memory.dmp

Filesize
516KB

Download
memory/2860-42-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/2860-41-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/2860-46-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/2860-47-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/2860-48-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/2860-49-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/2860-50-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/2928-23-0x00000000013A0000-0x0000000001421000-memory.dmp

Filesize
516KB

Download
memory/2928-18-0x00000000013A0000-0x0000000001421000-memory.dmp

Filesize
516KB

Download
memory/2928-36-0x0000000003420000-0x00000000034B9000-memory.dmp

Filesize
612KB

Download
memory/2928-40-0x00000000013A0000-0x0000000001421000-memory.dmp

Filesize
516KB

Download
memory/2928-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download