urelas | 764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe
Size

331KB
MD5

4b7a708dc78ddafa0a62a30396061370
SHA1

6b7d06d60e77a498ce19ce17e0a3db71ad94f403
SHA256

764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38
SHA512

df62eb35d1555407f2c556dc66b8393e2d2061f4580c81eed9ccba0399bab171b306c8a66fc49d4481f23205de55e250fd4014724deb4437693a1206d9b2bdcb
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYC:vHW138/iXWlK885rKlGSekcj66civ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2880	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2892	tegup.exe
864	amece.exe

Loads dropped DLL 2 IoCs

pid	Process
2472	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe
2892	tegup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tegup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amece.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe
864	amece.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2892	2472	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe	30
PID 2472 wrote to memory of 2892	2472	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe	30
PID 2472 wrote to memory of 2892	2472	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe	30
PID 2472 wrote to memory of 2892	2472	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe	30
PID 2472 wrote to memory of 2880	2472	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe	31
PID 2472 wrote to memory of 2880	2472	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe	31
PID 2472 wrote to memory of 2880	2472	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe	31
PID 2472 wrote to memory of 2880	2472	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe	31
PID 2892 wrote to memory of 864	2892	tegup.exe	34
PID 2892 wrote to memory of 864	2892	tegup.exe	34
PID 2892 wrote to memory of 864	2892	tegup.exe	34
PID 2892 wrote to memory of 864	2892	tegup.exe	34

C:\Users\Admin\AppData\Local\Temp\764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe
"C:\Users\Admin\AppData\Local\Temp\764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\tegup.exe
  "C:\Users\Admin\AppData\Local\Temp\tegup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\amece.exe
    "C:\Users\Admin\AppData\Local\Temp\amece.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
bcbda404940990d88452be524489fd3b

SHA1
9277bd3a72d610f579c9a613e6da7ab20b69c332

SHA256
6c7041a9420f4be939bcfba6eeb86d61f13dc4d69312a561356d63deb502a9cc

SHA512
52d246aacf8987dbf27d612f39648353eaaf5fc001f07363ba312e2747b053ac5424baf74855e58965856053251758f513ec5cf08087a2c4103abc03679077ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
371886c659f10924d2b490f40a5a613b

SHA1
1c598a88ad42652362f0d570feefd2cd34b07c54

SHA256
4f50937244c886571922cfe9257a05c09a8b718051146f4040014e1dcb4ebf95

SHA512
044cc907c1b60b4f3ef02b651dba954cc844446f5e263e434bfc076d0f7344a6972d29d3837ddb49ecf116898968c9803fa8ea296d9d8fdd9becf0560c1a9b8e

Download Submit
\Users\Admin\AppData\Local\Temp\amece.exe

Filesize
172KB

MD5
2dcdb2363f3683b553b21e75896d499b

SHA1
bf32169c1d22d7fe5a49618cb92eec61f81cc690

SHA256
49f1ca8987758e3c87d8756163aefac3eb26fb33bf68f59b3a22758d2b403d57

SHA512
f358364f8bcc0819a013c404166dc13a304e2470643246b161a01bfbdeeaa95198ce9fca87ff69d2284c53ef6f754725e71e47b54dc0088a92701758eb433165

Download Submit
\Users\Admin\AppData\Local\Temp\tegup.exe

Filesize
331KB

MD5
853b595e08cb6b8d5c52720d48e82008

SHA1
b009d3e5a0a7bf2524565c59ee2dc0a63b61beaf

SHA256
d7c09d098640a5abf35aebd54dc9f728c638f8e26851a1a1c40a73859f2b753b

SHA512
56cdfa3d7d8eff2cb2f928e39910e9ffeb33fb42ff1635496cba150f5db5b5805adbb41490e238618f1c78e182d5ceafc86013f88673c91404bf4520f40076f3

Download Submit
memory/864-51-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/864-50-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/864-47-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/864-49-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/864-44-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/864-42-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/864-48-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/2472-21-0x0000000000160000-0x00000000001E1000-memory.dmp

Filesize
516KB

Download
memory/2472-8-0x00000000027D0000-0x0000000002851000-memory.dmp

Filesize
516KB

Download
memory/2472-0-0x0000000000160000-0x00000000001E1000-memory.dmp

Filesize
516KB

Download
memory/2472-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2892-25-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/2892-39-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/2892-41-0x0000000003BC0000-0x0000000003C59000-memory.dmp

Filesize
612KB

Download
memory/2892-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2892-11-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/2892-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download