urelas | f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe
Size

332KB
MD5

83374076dc6ef5d043bea1f7c10d9cf4
SHA1

b62c29e9220f2ab6332ba3f284241b040d5f11bb
SHA256

f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f
SHA512

20581f3f8a28f35259b1b2b486668cc2a4b3ac7a9c2ebe8d676dbecbf9f75cee13500fb114cdfb4d53f901b0642e3de021412ec01d22bc6e1d1798fc3d8cef7d
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVU:vHW138/iXWlK885rKlGSekcj66ciEU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2848	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

ympuw.exemafow.exe

pid	Process
2784	ympuw.exe
2264	mafow.exe

Loads dropped DLL 2 IoCs

Processes:

f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exeympuw.exe

pid	Process
2664	f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe
2784	ympuw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mafow.exef3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exeympuw.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mafow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ympuw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

mafow.exe

pid	Process
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe
2264	mafow.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exeympuw.exe

description	pid	Process	procid_target
PID 2664 wrote to memory of 2784	2664	f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe	30
PID 2664 wrote to memory of 2784	2664	f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe	30
PID 2664 wrote to memory of 2784	2664	f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe	30
PID 2664 wrote to memory of 2784	2664	f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe	30
PID 2664 wrote to memory of 2848	2664	f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe	31
PID 2664 wrote to memory of 2848	2664	f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe	31
PID 2664 wrote to memory of 2848	2664	f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe	31
PID 2664 wrote to memory of 2848	2664	f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe	31
PID 2784 wrote to memory of 2264	2784	ympuw.exe	34
PID 2784 wrote to memory of 2264	2784	ympuw.exe	34
PID 2784 wrote to memory of 2264	2784	ympuw.exe	34
PID 2784 wrote to memory of 2264	2784	ympuw.exe	34

C:\Users\Admin\AppData\Local\Temp\f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe
"C:\Users\Admin\AppData\Local\Temp\f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\ympuw.exe
  "C:\Users\Admin\AppData\Local\Temp\ympuw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\mafow.exe
    "C:\Users\Admin\AppData\Local\Temp\mafow.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
56c8c7ce1a30447dd8273707cccc2238

SHA1
c6303e6f618cb8e809e0535627555b493e92c04f

SHA256
c2f4d3aef0a6152f7c2b5a335e53056a45800c6ea1dc5d33c8059d98ebfaf28c

SHA512
7065b88d808f760c521f5db7eb237bebe05a85c1e69f4000de3e89381021e8bcb8f9c8b540f8477d20e4addc5d2ec48d6ff170a597f8fc6b6994e27500cbf93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0d571b735357ae51fc96ebc275ca7afa

SHA1
bec0892ce49c1f66a54a8ef2190005428cbaf9a1

SHA256
b26a4b08bead3d6fa36c1cd41674d0fe2510b2d8ec608e1876aae4949e274a57

SHA512
3a37cce02479779ddfdadb2798625cbac89da911ec91c8d56eb90cfc0598493cf2411c163142ff3494a850b9c3dfbe3b4a60645e44e9716f8ae1aa295da9cb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\ympuw.exe

Filesize
332KB

MD5
78cf86891937dc5790cededd086d6140

SHA1
e41d1ab47f22e3046b7f7035cf14e0ddee1dcf84

SHA256
b630ad9870c175c91b4d1047291a56978a896ed99a1e46bc29e5181b6c1850f5

SHA512
fea24c1952dfee9026dc889dddcda9c271c4ac3c982dd5122aeb970c167930201644ea95ba9820e49818cd5b1124e77eea45901ab5d483f346c67bd7d9238f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ympuw.exe

Filesize
332KB

MD5
4429c411830e13c741c427b197d17b17

SHA1
6fc39fd3d942658f5940b657379c9352a90c0526

SHA256
18ad7b1356e592ea16fa93183e6b05f91a4d39e35adcca17ef686650974fbb9e

SHA512
f282c1664a4ebce8b150f6e8c7e8bb8e35076a4917be77517e4cdd3f04fe7dabd56757ffe824b44513c8ccb9486daf9f12d00470323bc5af635b9eabc49ca4cd

Download Submit
\Users\Admin\AppData\Local\Temp\mafow.exe

Filesize
172KB

MD5
00de4a72ef549e99dff2e5d96ef496c6

SHA1
daf686e1931438021728a74806dff4d67c62edcb

SHA256
0eb09de00475679a6d190477c631754ec4a2ff4cf26c9814c1391e8ad6ee3714

SHA512
295ec4592ba4baa17a5761e2d49ca68631df1c1273df8d078e3e1d4941476b25b5afdb2d2fa63d071e50e2ddea27ec1714821489db3a84cfca64a020aa707d1c

Download Submit
memory/2264-46-0x00000000001B0000-0x0000000000249000-memory.dmp

Filesize
612KB

Download
memory/2264-50-0x00000000001B0000-0x0000000000249000-memory.dmp

Filesize
612KB

Download
memory/2264-53-0x00000000001B0000-0x0000000000249000-memory.dmp

Filesize
612KB

Download
memory/2264-52-0x00000000001B0000-0x0000000000249000-memory.dmp

Filesize
612KB

Download
memory/2264-51-0x00000000001B0000-0x0000000000249000-memory.dmp

Filesize
612KB

Download
memory/2264-49-0x00000000001B0000-0x0000000000249000-memory.dmp

Filesize
612KB

Download
memory/2264-43-0x00000000001B0000-0x0000000000249000-memory.dmp

Filesize
612KB

Download
memory/2664-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2664-0-0x0000000000870000-0x00000000008F1000-memory.dmp

Filesize
516KB

Download
memory/2664-21-0x0000000000870000-0x00000000008F1000-memory.dmp

Filesize
516KB

Download
memory/2664-17-0x0000000002480000-0x0000000002501000-memory.dmp

Filesize
516KB

Download
memory/2784-38-0x0000000000CC0000-0x0000000000D59000-memory.dmp

Filesize
612KB

Download
memory/2784-42-0x00000000012A0000-0x0000000001321000-memory.dmp

Filesize
516KB

Download
memory/2784-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2784-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2784-19-0x00000000012A0000-0x0000000001321000-memory.dmp

Filesize
516KB

Download
memory/2784-24-0x00000000012A0000-0x0000000001321000-memory.dmp

Filesize
516KB

Download