urelas | b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28/10/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe
Size

332KB
MD5

2e4cd5974566618cb6ad13032dbf99e6
SHA1

80f1d438c9ea383103d0e0061c6977e5d2344213
SHA256

b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35
SHA512

0e2e0f1dd374a57ee1392a65ead2eeea0044715731f2565ce130496733815b8540d57805e57544430394e067bca0b7ed23eb83f549adff9848750613023180a8
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYrh:vHW138/iXWlK885rKlGSekcj66ciY

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2692	qatyl.exe
1792	wikug.exe

Loads dropped DLL 2 IoCs

pid	Process
1920	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe
2692	qatyl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qatyl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wikug.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe
1792	wikug.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2692	1920	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe	30
PID 1920 wrote to memory of 2692	1920	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe	30
PID 1920 wrote to memory of 2692	1920	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe	30
PID 1920 wrote to memory of 2692	1920	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe	30
PID 1920 wrote to memory of 2720	1920	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe	31
PID 1920 wrote to memory of 2720	1920	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe	31
PID 1920 wrote to memory of 2720	1920	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe	31
PID 1920 wrote to memory of 2720	1920	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe	31
PID 2692 wrote to memory of 1792	2692	qatyl.exe	34
PID 2692 wrote to memory of 1792	2692	qatyl.exe	34
PID 2692 wrote to memory of 1792	2692	qatyl.exe	34
PID 2692 wrote to memory of 1792	2692	qatyl.exe	34

C:\Users\Admin\AppData\Local\Temp\b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe
"C:\Users\Admin\AppData\Local\Temp\b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\qatyl.exe
  "C:\Users\Admin\AppData\Local\Temp\qatyl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\wikug.exe
    "C:\Users\Admin\AppData\Local\Temp\wikug.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
78bcd2b643f40ee235915aee268d49f2

SHA1
57f6fc17b8c5c3edd6e74bb9d9a9dd875b81b1a0

SHA256
5acabff516d1cfccb9595c5e62ae898d2dc58cb6ef17eb770f46b14c3be249f6

SHA512
a1a9490f78be4436a5e28b41ed00082eb07a0f2d100f8298b8e939c97f99b3e49714912fd4b9e027c3ba49c5c6820176814ecf191019d71a3ee66c8064671201

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
674a8506eb9c9effc4bc6d39eca69e1c

SHA1
dac9d515b0d5badc10a81e9303b94395a3f02791

SHA256
bbef5e8e28426b78057f463bf1dfb61c2ba88b43d6b968437f93abfc23cceb53

SHA512
83f9eaf5ab1b0de0adf02d1449722af9ac9a1f97d34134ab6373f99e5c4f452587d2e068f6abcfb9f7527cf20053518e319ba2795bffb358df93309f426a9c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wikug.exe

Filesize
172KB

MD5
165c28fae1380fbef65621a70d235d92

SHA1
65e9ad95b6fed032d906a73ef406b3331ec18a62

SHA256
ca0079a725dff8f80d0c18b51367716d7abd2ba4d452eda358ba24129fd0ed6f

SHA512
caccace88bf049822d463696344b84f32b7943afefaf8123a3660c606f38584ac302ab61630c5696634cf89898e98316f52ef730204252cbfeb5067393e5b0e3

Download Submit
\Users\Admin\AppData\Local\Temp\qatyl.exe

Filesize
332KB

MD5
46368baed1e8f3bbb34adfcc89d60514

SHA1
87cb1fbe1e66f0a3c9832b895c9f6abcb67bb18f

SHA256
7f006c3e7c2b6fa740a7bb9cc5dec24d439a7b687b6c1c0d17a43b3811dcd2f3

SHA512
bd06f848778eda70b7f22ff8aa930fede18d2e88c3811c5c53983c2bf7319097a0a96dc937babdc1e22128961b219f417caedc672400582697d0e53104c0f3f3

Download Submit
memory/1792-46-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/1792-43-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/1792-50-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/1792-49-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/1792-48-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/1792-47-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/1792-41-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/1920-19-0x0000000000D80000-0x0000000000E01000-memory.dmp

Filesize
516KB

Download
memory/1920-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1920-0-0x0000000000D80000-0x0000000000E01000-memory.dmp

Filesize
516KB

Download
memory/2692-22-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2692-40-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download
memory/2692-37-0x0000000002210000-0x00000000022A9000-memory.dmp

Filesize
612KB

Download
memory/2692-23-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download
memory/2692-17-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download
memory/2692-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download