urelas | fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52b

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28/10/2024, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe
Size

333KB
MD5

80c2e464d0e65c20fa068a3bfa7470b0
SHA1

51cdb889c9708a161fdb3c5fda6a4e38bebfbf23
SHA256

fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52b
SHA512

abccd3d3d12848d114b0b7aa060b3c94b07175ccf965413944a884b933afbb71eb15dca3f06269d2fc421bbec59b831132d6fa759127065c495298bbadb3a6dd
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9+3:vHW138/iXWlK885rKlGSekcj66ciWQ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2808	ruvus.exe
1744	ywquq.exe

Loads dropped DLL 2 IoCs

pid	Process
1508	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe
2808	ruvus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywquq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruvus.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe
1744	ywquq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2808	1508	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	30
PID 1508 wrote to memory of 2808	1508	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	30
PID 1508 wrote to memory of 2808	1508	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	30
PID 1508 wrote to memory of 2808	1508	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	30
PID 1508 wrote to memory of 2692	1508	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	31
PID 1508 wrote to memory of 2692	1508	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	31
PID 1508 wrote to memory of 2692	1508	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	31
PID 1508 wrote to memory of 2692	1508	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	31
PID 2808 wrote to memory of 1744	2808	ruvus.exe	34
PID 2808 wrote to memory of 1744	2808	ruvus.exe	34
PID 2808 wrote to memory of 1744	2808	ruvus.exe	34
PID 2808 wrote to memory of 1744	2808	ruvus.exe	34

C:\Users\Admin\AppData\Local\Temp\fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe
"C:\Users\Admin\AppData\Local\Temp\fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\ruvus.exe
  "C:\Users\Admin\AppData\Local\Temp\ruvus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\ywquq.exe
    "C:\Users\Admin\AppData\Local\Temp\ywquq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
0eefb7b287f60aef1a98238ca7d04fe8

SHA1
1bee211430b5cad19b65e0f028476fbdd6f9b12e

SHA256
248ce742a9ebd40c52e9ad1450f917bb187aae04534cb4bb9159897b660a262f

SHA512
6c3e358a6b5264c9c62312c6d47452f46fafaa31c8beb07d96f314a65505dd361345c627e8d5fba4f2bf0a9f951b6574807e97c03195c8ece8e067a5a875b621

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7cec30d4df57a0d3facfa838a3a644e8

SHA1
39e18aa40255f3af9d17276e25e93002b00180a1

SHA256
73aa7b72bc24d8da47d2cb208546e34894351b58aee161a1ecb4dd3fad79bf53

SHA512
d10586f77d5b44872d51a856ad270f10e42d7dded7184332a4d4459d66264473775a36f0b0ec296e7d193780a675896cb1deb8f82492ce3d49dc635bbc91a09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruvus.exe

Filesize
333KB

MD5
7fd28fdc08dc7c3e06eac49f2c0b857f

SHA1
0e0df0503127be1d1873e64b5876b8395d99b27c

SHA256
3c17bbf578b0b57d27f077a7eebb81a391991a2d734d5cda4bdaed5dc4252207

SHA512
359b43a98c598c83c2a3b78d8381575c7bc50c32ae453db14fc9a79e283e71923d1eaa183ccdf641cf7518529afcf4c4ebecb6501c6c89f6cb2fda386de6083a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywquq.exe

Filesize
172KB

MD5
1db3e9aad44104366ceba57ea91b1c14

SHA1
a095a9357c24bd2d5d33e3b242d9dd326964a7ef

SHA256
04bce93b76b2ba1c635ddb1fdcf905d4bcab31840b93846747963497fcdfc717

SHA512
c6945fc0b0b2040471972f04fa7a837eeb385fe50257919738870c80305a53ff660cdb3b91765985454d49c84dd92a30f271da8b8c2ffa5c7bf5122262ce3c29

Download Submit
memory/1508-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1508-0-0x0000000000E80000-0x0000000000F01000-memory.dmp

Filesize
516KB

Download
memory/1508-10-0x0000000000BF0000-0x0000000000C71000-memory.dmp

Filesize
516KB

Download
memory/1508-21-0x0000000000E80000-0x0000000000F01000-memory.dmp

Filesize
516KB

Download
memory/1744-51-0x0000000001130000-0x00000000011C9000-memory.dmp

Filesize
612KB

Download
memory/1744-50-0x0000000001130000-0x00000000011C9000-memory.dmp

Filesize
612KB

Download
memory/1744-49-0x0000000001130000-0x00000000011C9000-memory.dmp

Filesize
612KB

Download
memory/1744-48-0x0000000001130000-0x00000000011C9000-memory.dmp

Filesize
612KB

Download
memory/1744-47-0x0000000001130000-0x00000000011C9000-memory.dmp

Filesize
612KB

Download
memory/1744-42-0x0000000001130000-0x00000000011C9000-memory.dmp

Filesize
612KB

Download
memory/1744-45-0x0000000001130000-0x00000000011C9000-memory.dmp

Filesize
612KB

Download
memory/2808-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2808-40-0x0000000003520000-0x00000000035B9000-memory.dmp

Filesize
612KB

Download
memory/2808-39-0x0000000000A70000-0x0000000000AF1000-memory.dmp

Filesize
516KB

Download
memory/2808-24-0x0000000000A70000-0x0000000000AF1000-memory.dmp

Filesize
516KB

Download
memory/2808-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2808-11-0x0000000000A70000-0x0000000000AF1000-memory.dmp

Filesize
516KB

Download