urelas | 111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe
Size

333KB
MD5

3e1dbcc7e3805d50b0a4c74f3e0adf00
SHA1

83830eb0f615665b0eade43144fbbfc8bc92178b
SHA256

111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7
SHA512

0d737ad20eb071e8c4da7a8a6915500bc8e1fd441274f8a27d4193beea033c1e859406442972ef8680444eeb143111ff7a53c56ec9ebb9f82b53e2e7721899ca
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYe:vHW138/iXWlK885rKlGSekcj66ci7

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1900	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2536	gegiy.exe
1948	nyyfc.exe

Loads dropped DLL 2 IoCs

pid	Process
2344	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe
2536	gegiy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gegiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nyyfc.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe
1948	nyyfc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2536	2344	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe	30
PID 2344 wrote to memory of 2536	2344	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe	30
PID 2344 wrote to memory of 2536	2344	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe	30
PID 2344 wrote to memory of 2536	2344	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe	30
PID 2344 wrote to memory of 1900	2344	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe	31
PID 2344 wrote to memory of 1900	2344	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe	31
PID 2344 wrote to memory of 1900	2344	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe	31
PID 2344 wrote to memory of 1900	2344	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe	31
PID 2536 wrote to memory of 1948	2536	gegiy.exe	34
PID 2536 wrote to memory of 1948	2536	gegiy.exe	34
PID 2536 wrote to memory of 1948	2536	gegiy.exe	34
PID 2536 wrote to memory of 1948	2536	gegiy.exe	34

C:\Users\Admin\AppData\Local\Temp\111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe
"C:\Users\Admin\AppData\Local\Temp\111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\gegiy.exe
  "C:\Users\Admin\AppData\Local\Temp\gegiy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\nyyfc.exe
    "C:\Users\Admin\AppData\Local\Temp\nyyfc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
e0ad251730094b81ce3f28e9c15484d1

SHA1
d22bea5a5f72b202e9f4d7f0accce4de1ffeb74a

SHA256
ea754f1ac13ad6ad9e1f65fdbfaa3cc549ef395a6e2bf273d75d1043491121cc

SHA512
c550231c0d52218ad5013c1b016906c50c1444bc6cc44ef6e6ae8baa502c4880c0304bc6f87ce83b61112a242ac73aebe109af6d21b5db3e170e6824cf40967f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4dfac009a084d362505a4aca8e0cd397

SHA1
b1d10591bb6f07b61ba8d5664ad775ca76dbb602

SHA256
215aa74e992ac1f73a82b87992ea808ea9379806a2bd3bb7b39c280f5f79664c

SHA512
f0e2d38357f88676f0510630224098af46c15e23acdc47c256b3e69ff8bf9dc4255e357f7e4877e9add13624669e484f5ac671aacadab2a486894055dc727f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyyfc.exe

Filesize
172KB

MD5
d4a9720226362942325baaa5e2379e41

SHA1
11badc44104c350862f140da623ad462216f8544

SHA256
871cc55e7adc4c5e4a034588d08e22d5c5b1a730441a77c2ba2520b66004a101

SHA512
d8299d772aabe08391ac63cd21429084dc976e26e118f28cb8dc40a6ef2cb46c6a566eaa502a4e28f51bb77b92a6443507f8103806532394f7a318bbcb2591d6

Download Submit
\Users\Admin\AppData\Local\Temp\gegiy.exe

Filesize
333KB

MD5
0d65f97108089ebf31b556411be5fdcb

SHA1
850b4e77ba5ba9fc931e11819aa382c3aa7264cd

SHA256
87e5ad83b773db7bbd660fb0267f8ae716cf18e76046653b8bc724a6968e2bbf

SHA512
829a1b217761727a23c88f439bd35fd874acdcd7acdbe54ae478ae12a158d06505cb344e5a7d3440df9945defe3ceb9dba9242571df51259785137876f66c498

Download Submit
memory/1948-42-0x0000000001150000-0x00000000011E9000-memory.dmp

Filesize
612KB

Download
memory/1948-46-0x0000000001150000-0x00000000011E9000-memory.dmp

Filesize
612KB

Download
memory/1948-50-0x0000000001150000-0x00000000011E9000-memory.dmp

Filesize
612KB

Download
memory/1948-49-0x0000000001150000-0x00000000011E9000-memory.dmp

Filesize
612KB

Download
memory/1948-48-0x0000000001150000-0x00000000011E9000-memory.dmp

Filesize
612KB

Download
memory/1948-47-0x0000000001150000-0x00000000011E9000-memory.dmp

Filesize
612KB

Download
memory/2344-9-0x0000000002690000-0x0000000002711000-memory.dmp

Filesize
516KB

Download
memory/2344-21-0x0000000001200000-0x0000000001281000-memory.dmp

Filesize
516KB

Download
memory/2344-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2344-0-0x0000000001200000-0x0000000001281000-memory.dmp

Filesize
516KB

Download
memory/2536-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2536-41-0x0000000000060000-0x00000000000E1000-memory.dmp

Filesize
516KB

Download
memory/2536-39-0x0000000003330000-0x00000000033C9000-memory.dmp

Filesize
612KB

Download
memory/2536-24-0x0000000000060000-0x00000000000E1000-memory.dmp

Filesize
516KB

Download
memory/2536-15-0x0000000000060000-0x00000000000E1000-memory.dmp

Filesize
516KB

Download