urelas | 41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72

Analysis

max time kernel
150s
max time network
81s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe
Size

326KB
MD5

50a3d5650fd5b53e793e526147985840
SHA1

8e7bc7907a5f24c7bd3331ee3d7ac8b32617b042
SHA256

41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72
SHA512

79b3208a137098624c847a42cf8fc3370428cafb350b91532ac592b239ebaac55811ff60a2fba5e022097510429b6b2505b7b063786e4dff8650841123636548
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY5:vHW138/iXWlK885rKlGSekcj66ci0

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2884	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

rycew.exepunuf.exe

pid	Process
2840	rycew.exe
1248	punuf.exe

Loads dropped DLL 2 IoCs

Processes:

41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exerycew.exe

pid	Process
2620	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe
2840	rycew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exerycew.execmd.exepunuf.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rycew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	punuf.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

punuf.exe

pid	Process
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe
1248	punuf.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exerycew.exe

description	pid	Process	procid_target
PID 2620 wrote to memory of 2840	2620	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	30
PID 2620 wrote to memory of 2840	2620	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	30
PID 2620 wrote to memory of 2840	2620	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	30
PID 2620 wrote to memory of 2840	2620	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	30
PID 2620 wrote to memory of 2884	2620	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	31
PID 2620 wrote to memory of 2884	2620	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	31
PID 2620 wrote to memory of 2884	2620	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	31
PID 2620 wrote to memory of 2884	2620	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	31
PID 2840 wrote to memory of 1248	2840	rycew.exe	33
PID 2840 wrote to memory of 1248	2840	rycew.exe	33
PID 2840 wrote to memory of 1248	2840	rycew.exe	33
PID 2840 wrote to memory of 1248	2840	rycew.exe	33

C:\Users\Admin\AppData\Local\Temp\41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe
"C:\Users\Admin\AppData\Local\Temp\41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\rycew.exe
  "C:\Users\Admin\AppData\Local\Temp\rycew.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\punuf.exe
    "C:\Users\Admin\AppData\Local\Temp\punuf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b65c0e5c9635e3d150f505115b7a84c1

SHA1
348b499ff301db54c4b54cf32ba8af5a8274532b

SHA256
139f15f77361de23c657a4d6be0499b23fdafb0277b255f357080f2c891e0f05

SHA512
3fbed4aa47e2ba8102e0bfa172cfe306997d1f6f443e73292725c68677546f05fd8d6efeba0409606a00eea4c2c70cd5ad112530f657288c208fd5ae038bfd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
145576c1a5e2d8a98c1b8f5ac14b86d2

SHA1
85d7fc70840ddd744dc37200c792dcae99cbb01b

SHA256
ddbeadbd711d2b51c654369d1ad310d411c64029177f721afc139d7aba557697

SHA512
61ff79eecf099df1422caa70593c506b5605ab2863ea414d5e5623c43881ef73b3f8863f9ab27d07aa21406501bd42109dd87d8c023cf1154e577126e1c7c429

Download Submit
\Users\Admin\AppData\Local\Temp\punuf.exe

Filesize
172KB

MD5
214cd8ea2e71d749337074ff4e578df7

SHA1
69a60ef8b0b7db1c4f9e87170b62df34524973b7

SHA256
1c28fd46b06e7b704e5ad6de785751e87029f91be75fa840685bf11665e4f1f0

SHA512
54140a9fa0c5fbeb1feac960792eac22d11ee665fa265d6cf70c8965294aba03b2de692835bb3ed01967a4149494c78961a1f58749497f27deb7fad86f8388b4

Download Submit
\Users\Admin\AppData\Local\Temp\rycew.exe

Filesize
326KB

MD5
97466380e31302f7de68897963124356

SHA1
eb6e3fc3f3b042318f8f201fec55ab17ff710d09

SHA256
14293c546f75bbf29fc7eda52a1d99fda9f9cdd1f1e95aced514add9b4f900fb

SHA512
00fddbf185a0194c2d4e214d11930b0b02aa1b5326044e56f0bd089f2d8f818504c48569cc769482dd836af3af086a144d2bd2bf1cbc4cfa0303948c341f5923

Download Submit
memory/1248-47-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/1248-51-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/1248-50-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/1248-43-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/1248-42-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/1248-49-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/1248-48-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/2620-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2620-20-0x0000000000A20000-0x0000000000AA1000-memory.dmp

Filesize
516KB

Download
memory/2620-10-0x0000000002850000-0x00000000028D1000-memory.dmp

Filesize
516KB

Download
memory/2620-0-0x0000000000A20000-0x0000000000AA1000-memory.dmp

Filesize
516KB

Download
memory/2840-23-0x0000000000BF0000-0x0000000000C71000-memory.dmp

Filesize
516KB

Download
memory/2840-40-0x0000000000BF0000-0x0000000000C71000-memory.dmp

Filesize
516KB

Download
memory/2840-41-0x0000000002390000-0x0000000002429000-memory.dmp

Filesize
612KB

Download
memory/2840-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2840-17-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download