urelas | a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366N.exe
Size

401KB
MD5

4de6e6304b3fbb9ca92fbad39596dee0
SHA1

95aa573024715a3baf312933dfe256cf67f1da6d
SHA256

a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366
SHA512

d279c2d097bd41f7d9c91bb13be4d78cb14ee1812e4ce87692be6d5a68e36aabb8c35a1a8402f91c2bbda33e1f3661230cf832e8760a5c0c4a0c0e2f05cf497a
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohB:8IfBoDWoyFblU6hAJQnO3

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2892	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2528	hijif.exe
2984	foanno.exe
1932	bufuw.exe

Loads dropped DLL 5 IoCs

pid	Process
2932	a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366N.exe
2932	a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366N.exe
2528	hijif.exe
2528	hijif.exe
2984	foanno.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hijif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	foanno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bufuw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe
1932	bufuw.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2528	2932	a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366N.exe	30
PID 2932 wrote to memory of 2528	2932	a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366N.exe	30
PID 2932 wrote to memory of 2528	2932	a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366N.exe	30
PID 2932 wrote to memory of 2528	2932	a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366N.exe	30
PID 2932 wrote to memory of 2892	2932	a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366N.exe	31
PID 2932 wrote to memory of 2892	2932	a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366N.exe	31
PID 2932 wrote to memory of 2892	2932	a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366N.exe	31
PID 2932 wrote to memory of 2892	2932	a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366N.exe	31
PID 2528 wrote to memory of 2984	2528	hijif.exe	33
PID 2528 wrote to memory of 2984	2528	hijif.exe	33
PID 2528 wrote to memory of 2984	2528	hijif.exe	33
PID 2528 wrote to memory of 2984	2528	hijif.exe	33
PID 2984 wrote to memory of 1932	2984	foanno.exe	35
PID 2984 wrote to memory of 1932	2984	foanno.exe	35
PID 2984 wrote to memory of 1932	2984	foanno.exe	35
PID 2984 wrote to memory of 1932	2984	foanno.exe	35
PID 2984 wrote to memory of 1928	2984	foanno.exe	36
PID 2984 wrote to memory of 1928	2984	foanno.exe	36
PID 2984 wrote to memory of 1928	2984	foanno.exe	36
PID 2984 wrote to memory of 1928	2984	foanno.exe	36

C:\Users\Admin\AppData\Local\Temp\a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366N.exe
"C:\Users\Admin\AppData\Local\Temp\a6fda62fa8bd6ce667ef4cf48a42af1050cf772c590e5f4560a9201f2329a366N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\hijif.exe
  "C:\Users\Admin\AppData\Local\Temp\hijif.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\foanno.exe
    "C:\Users\Admin\AppData\Local\Temp\foanno.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\bufuw.exe
      "C:\Users\Admin\AppData\Local\Temp\bufuw.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
e4401fc0d89d8698df670a03c4239d8c

SHA1
9481c30f6597f884a7af3777ab5ccc92679d6074

SHA256
28fb0395f61d7f90efb450361789e1f8c8e230f5247eff0611033599b6367641

SHA512
48210e3deaa832db1ec7463791403365278690f0b47b8402cf0c02d4f0ad4cc7a8d32a31818cd4291154d059777baa1ae6a1b3658a340cc52ec92ce9a302429b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
024ff95be562b3f23cb923c7cf13a402

SHA1
f0dcd95c56d86df746b1035b1c5b60c6072964c2

SHA256
6713faefbb6ad43ec10d479f3de7cce81d30ea056195b6eeb824a1591fc17ef1

SHA512
f2925999116ab7aa8a3d3ea39b5011a5a89e893f28d81c9509a96ce5b12c3e1e9679e848fad565070683fdc506bbf024ae4f12b4bc054c956267956333237ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
777b9578057337869d45cf335163122a

SHA1
f9f519cb02433e48a14311e011f939be8b5faca7

SHA256
496015b63d6f6417b8810daba7efba3c32f3459554f479fdd636e96d5c306849

SHA512
e11655e1583000e7964733498222c8dcc93f46877786f3f4c1e27ac7a875df8deccaa4ded0524ca64fae7bdcdfc306be7409b8edce689be776eeb71b41fcaa20

Download Submit
C:\Users\Admin\AppData\Local\Temp\hijif.exe

Filesize
401KB

MD5
7f814bf480431e5ccb4210ef3c788523

SHA1
10ccb45c98dcb10edb45cf0862960938ebf5e4fd

SHA256
fe3b1ffd09400afb2a378904df70f7827993a300ab71a2cd8297000c0ffee5cc

SHA512
27ef1c39de2deb29604a2345ab3400f86600cc604cfccfdb49a0e9ba559fbe79ce057346298bc12d4363bd384cd22ba0620e0719f8301d62b23342600056ed66

Download Submit
\Users\Admin\AppData\Local\Temp\bufuw.exe

Filesize
223KB

MD5
4d25a3ad74df430bd439b3d92dc565a2

SHA1
cca0a62c82e9cec3b64ff81b5f0f003086fa086e

SHA256
48d22e63f2258bd4a88eb349878fecef1af01b84bf910452f9d8a42cad60bd58

SHA512
163267b0e53af32afaa5ddb4fcdf370dd805662be75492bb34edff4ea8f4a1d8e0ba2086a9b3b98720033f061a2423d0babc9142f4fb38b896499e4053828970

Download Submit
\Users\Admin\AppData\Local\Temp\foanno.exe

Filesize
401KB

MD5
436cec459354e4f8ffd473a580bf991a

SHA1
230a6481e73506caea953bb21598ff9c23807d49

SHA256
d6af1d6f9d6f936ee9be8bc37d407bdc94c6f7281d10664e6066846e49ed5e9a

SHA512
7b4813f193fcfb39e670549068528a2f2d2b67ed50864b8fb19525f669b270bc03f8166170add68608858ec1c6006577154de80c41a6cec4410b4010e487cb83

Download Submit
memory/1932-63-0x0000000000060000-0x0000000000100000-memory.dmp

Filesize
640KB

Download
memory/1932-62-0x0000000000060000-0x0000000000100000-memory.dmp

Filesize
640KB

Download
memory/1932-61-0x0000000000060000-0x0000000000100000-memory.dmp

Filesize
640KB

Download
memory/1932-60-0x0000000000060000-0x0000000000100000-memory.dmp

Filesize
640KB

Download
memory/1932-59-0x0000000000060000-0x0000000000100000-memory.dmp

Filesize
640KB

Download
memory/1932-47-0x0000000000060000-0x0000000000100000-memory.dmp

Filesize
640KB

Download
memory/2528-37-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2528-29-0x0000000003780000-0x00000000037E8000-memory.dmp

Filesize
416KB

Download
memory/2528-22-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2932-2-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2932-20-0x00000000026D0000-0x0000000002738000-memory.dmp

Filesize
416KB

Download
memory/2932-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2932-21-0x00000000026D0000-0x0000000002738000-memory.dmp

Filesize
416KB

Download
memory/2984-38-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2984-45-0x0000000001FE0000-0x0000000002080000-memory.dmp

Filesize
640KB

Download
memory/2984-36-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2984-56-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download