urelas | f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe
Size

331KB
MD5

d0f5aa37150fd76ed30c94e2ea861360
SHA1

0694a6dfaee9a3d72fb83cff3d059346335cceef
SHA256

f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8
SHA512

de106aae556355bd8447b84b996d949c7e1495a14fa89be322eac0a1797b6be2beba68ae232dfd53260723f917a3bdb7a66cfb648f39e59937a09d91070b34bd
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYu:vHW138/iXWlK885rKlGSekcj66cib

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2240	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

lyukx.exepejyu.exe

pid	Process
1468	lyukx.exe
1512	pejyu.exe

Loads dropped DLL 2 IoCs

Processes:

f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exelyukx.exe

pid	Process
1984	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe
1468	lyukx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pejyu.exef649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exelyukx.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pejyu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lyukx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

pejyu.exe

pid	Process
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe
1512	pejyu.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exelyukx.exe

description	pid	Process	procid_target
PID 1984 wrote to memory of 1468	1984	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	30
PID 1984 wrote to memory of 1468	1984	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	30
PID 1984 wrote to memory of 1468	1984	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	30
PID 1984 wrote to memory of 1468	1984	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	30
PID 1984 wrote to memory of 2240	1984	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	31
PID 1984 wrote to memory of 2240	1984	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	31
PID 1984 wrote to memory of 2240	1984	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	31
PID 1984 wrote to memory of 2240	1984	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	31
PID 1468 wrote to memory of 1512	1468	lyukx.exe	34
PID 1468 wrote to memory of 1512	1468	lyukx.exe	34
PID 1468 wrote to memory of 1512	1468	lyukx.exe	34
PID 1468 wrote to memory of 1512	1468	lyukx.exe	34

C:\Users\Admin\AppData\Local\Temp\f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe
"C:\Users\Admin\AppData\Local\Temp\f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\lyukx.exe
  "C:\Users\Admin\AppData\Local\Temp\lyukx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\pejyu.exe
    "C:\Users\Admin\AppData\Local\Temp\pejyu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
9d9e06420c3ba86f8414fd83ba47a417

SHA1
cd23edf05181d27f24cb92fbf2d887f2ca2a6f38

SHA256
fd1458e291ed86807ab2ad499830b4d1187514c91e0ec70ef1c340e3baea5855

SHA512
0f2d51a0bd665054cec94b1fb0c8573fb3c681ea0f0b6dc474e9b1d792f81c6ac6461ddd50ed12642c3b447d73155deb0cf90def636dfa5b951ae485d9eef18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
73732dcea26266fec34167ad68812a94

SHA1
00767509bc09c393825b74a260dfd76ce7d965bd

SHA256
464979c6f724db145926f9645c10729bfd9e8db5e2861371c469a40134216dda

SHA512
13aace6f60ee889037f9fbe00895ace73b2c4f0435042da804eaac57659f5b88c9ab5dfcfb425eaa3d917928f3de9e4fd4cfc837044ade765c87626e42b5e115

Download Submit
\Users\Admin\AppData\Local\Temp\lyukx.exe

Filesize
331KB

MD5
67376a33899881bff797905d64cfbba3

SHA1
b12f2b8bda741446d105efb4e465f5217ada8b0e

SHA256
409032b1d8817af9bc91fd900adee37560e362a05d2eb49738cd820316babf86

SHA512
8adfc63b8794e16fb57c0faca71d8e8a70f1b6b1f958f59901796b8cda96a9b03bbc66cddc21d90f49788ac4382b483267fda0fd15fdbd6bf11fe8fa3f059bad

Download Submit
\Users\Admin\AppData\Local\Temp\pejyu.exe

Filesize
172KB

MD5
e660acbc3c96fc79bcc3870e1dfec3c6

SHA1
e8c799f206e2dc0231950353e765c6010931d8d7

SHA256
871aac5246b5e10a0cfd593dde4397505e5d748793747051d0c006ac9a41031b

SHA512
0271c48844ae845f6edbe91b55861e449b06ac0a0416dcbe76d8f0e4013d09952337bd6a136ca24a92204f9f4efcc8a7739d09951418bc969244356fee6f3711

Download Submit
memory/1468-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1468-23-0x00000000012F0000-0x0000000001371000-memory.dmp

Filesize
516KB

Download
memory/1468-18-0x00000000012F0000-0x0000000001371000-memory.dmp

Filesize
516KB

Download
memory/1468-37-0x0000000003E00000-0x0000000003E99000-memory.dmp

Filesize
612KB

Download
memory/1468-40-0x00000000012F0000-0x0000000001371000-memory.dmp

Filesize
516KB

Download
memory/1512-41-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/1512-44-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/1512-46-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/1512-47-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/1512-48-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/1512-49-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/1512-50-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/1984-0-0x0000000000C20000-0x0000000000CA1000-memory.dmp

Filesize
516KB

Download
memory/1984-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1984-19-0x0000000000C20000-0x0000000000CA1000-memory.dmp

Filesize
516KB

Download
memory/1984-9-0x0000000002950000-0x00000000029D1000-memory.dmp

Filesize
516KB

Download