urelas | bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
Size

332KB
MD5

a802406b8f20f3c1120794c61e6ea080
SHA1

1a6bebbfbe96c6a8dfb577f89032caa18413e6ed
SHA256

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342
SHA512

ff3617fa3ac161512fc3e13d75cc77542a5f0976a0d2583b336578e309c7c6fdb07f3c6f711410ad38e1fa8182dde94ca4490de70ec66937f114146c46631004
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVC:vHW138/iXWlK885rKlGSekcj66ciEC

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2060	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

zinae.execukah.exe

pid	Process
532	zinae.exe
1884	cukah.exe

Loads dropped DLL 2 IoCs

Processes:

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exezinae.exe

pid	Process
1920	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
532	zinae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exezinae.execmd.execukah.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zinae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cukah.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

cukah.exe

pid	Process
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe
1884	cukah.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exezinae.exe

description	pid	Process	procid_target
PID 1920 wrote to memory of 532	1920	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	31
PID 1920 wrote to memory of 532	1920	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	31
PID 1920 wrote to memory of 532	1920	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	31
PID 1920 wrote to memory of 532	1920	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	31
PID 1920 wrote to memory of 2060	1920	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	32
PID 1920 wrote to memory of 2060	1920	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	32
PID 1920 wrote to memory of 2060	1920	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	32
PID 1920 wrote to memory of 2060	1920	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	32
PID 532 wrote to memory of 1884	532	zinae.exe	35
PID 532 wrote to memory of 1884	532	zinae.exe	35
PID 532 wrote to memory of 1884	532	zinae.exe	35
PID 532 wrote to memory of 1884	532	zinae.exe	35

C:\Users\Admin\AppData\Local\Temp\bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
"C:\Users\Admin\AppData\Local\Temp\bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\zinae.exe
  "C:\Users\Admin\AppData\Local\Temp\zinae.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\cukah.exe
    "C:\Users\Admin\AppData\Local\Temp\cukah.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f97f8213a4f0d7fa17839b84e35f1359

SHA1
158608023d066718130cba51f540f9719d6e0d1c

SHA256
cb262acda89e1b82055d31a120fb3b36e8908cd6db0d135b1ca6193b0a0a68ed

SHA512
40d61ddd719878c163d3d19e3002dffa454401082bc502971e5c02c92d335a330d6c1f44f58907f4f0367b35cd20f4840c924497962c74e4df39544ac0fe578f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0e3c74d7905371d6b92ff9407433acb1

SHA1
d9579291de0d62396327564e75c17882a63f6c6e

SHA256
fe0a5a89ebcef6552a332bf19c2cd20bfa26aac58c422e759d9a0127fc7c7ae0

SHA512
a841508be405738d1c3bde15b20e4e649257abc49a331ad760daec56a766a1fcd369608cf4d279b84e5c2379543a52ad7a0d86c4c4f554f310c2950e39e24df6

Download Submit
\Users\Admin\AppData\Local\Temp\cukah.exe

Filesize
172KB

MD5
a00786c199b89b9abecff0c5d37a4ffc

SHA1
c571e524992c8a2adbf6b9c281b470056e276450

SHA256
5d5b30abbdd1f91a6967b00ce37dfd9e53d8d6f17ef6145594f479f9a76535ee

SHA512
1d20ba0090729fba1636bd131d994fc702b26168a764a1292c7fe8a1f014ef799fe5976210420c684f09278fb367ef106e411aae36bc17db07005c578744400f

Download Submit
\Users\Admin\AppData\Local\Temp\zinae.exe

Filesize
332KB

MD5
e8628d5c1e3686593934a80e40db9126

SHA1
497a0700bdb1568cf45650196245780277f79054

SHA256
ac7fac24b6435dbe237b698270a9cee254d832a7c73f8deada6814d60b93e91c

SHA512
90f611cf48fea2642a7fcedb395e80e844b2a87336608a36b409e5fbc68d6e33fccd854b0e7b32333e891d9f30b2519ce1b47b664f9a0c5aa99f16c7a218d389

Download Submit
memory/532-24-0x0000000000870000-0x00000000008F1000-memory.dmp

Filesize
516KB

Download
memory/532-40-0x0000000003560000-0x00000000035F9000-memory.dmp

Filesize
612KB

Download
memory/532-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/532-11-0x0000000000870000-0x00000000008F1000-memory.dmp

Filesize
516KB

Download
memory/532-43-0x0000000000870000-0x00000000008F1000-memory.dmp

Filesize
516KB

Download
memory/1884-47-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/1884-41-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/1884-42-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/1884-48-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/1884-49-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/1884-50-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/1884-51-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/1920-21-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/1920-9-0x0000000002270000-0x00000000022F1000-memory.dmp

Filesize
516KB

Download
memory/1920-0-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/1920-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download