urelas | 4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06.exe
Size

332KB
MD5

0245c187c3e8aadc222e614423e615d0
SHA1

3a50a9991861ef8dc121fbec4f0bb8667144dd2c
SHA256

4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06
SHA512

60d37fa1e4cf1e6c63e854d328f0d4cf30a01edb9a622c1944320d17080fc05e4ad5c176589038fd8e02ad44fb8df3a060dc4e750c6ab9c9fe87fa5e5ddd110b
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVJ:vHW138/iXWlK885rKlGSekcj66ciEJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2072	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1440	qefaa.exe
1488	dailm.exe

Loads dropped DLL 2 IoCs

pid	Process
2000	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06.exe
1440	qefaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dailm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qefaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe
1488	dailm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1440	2000	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06.exe	31
PID 2000 wrote to memory of 1440	2000	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06.exe	31
PID 2000 wrote to memory of 1440	2000	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06.exe	31
PID 2000 wrote to memory of 1440	2000	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06.exe	31
PID 2000 wrote to memory of 2072	2000	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06.exe	32
PID 2000 wrote to memory of 2072	2000	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06.exe	32
PID 2000 wrote to memory of 2072	2000	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06.exe	32
PID 2000 wrote to memory of 2072	2000	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06.exe	32
PID 1440 wrote to memory of 1488	1440	qefaa.exe	35
PID 1440 wrote to memory of 1488	1440	qefaa.exe	35
PID 1440 wrote to memory of 1488	1440	qefaa.exe	35
PID 1440 wrote to memory of 1488	1440	qefaa.exe	35

C:\Users\Admin\AppData\Local\Temp\4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06.exe
"C:\Users\Admin\AppData\Local\Temp\4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\qefaa.exe
  "C:\Users\Admin\AppData\Local\Temp\qefaa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\dailm.exe
    "C:\Users\Admin\AppData\Local\Temp\dailm.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
4b7618bc23ad50f0aefa9b9f4c4aff77

SHA1
4106549d43132e06e875f769d66491b8395bf695

SHA256
aa2d33ce67900c3ab79d37f2851a8b8b7c74e7a3e2d7b373ec1e904608b851b0

SHA512
edec2603df9dcf8d176d2bf252cde5425e4ed0febf3025b7e7d515452aa1616425a50ef046db785c4a36cc7894a9859e9027a79b8b5f601d9833097bff5cd8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3d5ec76fe2afd9afca4b0bf624488504

SHA1
d211ce8591b8488b92b0c9e963495f12f9d0c1d7

SHA256
695bccf1e2c1702c61190090ba1d6f5da2a1840bd77346f71cb9d9aa1eed9c6e

SHA512
461ecd543dd2695d4e870fe69f3680932ad4727468b47a7045190d0a0d2f4d666668f94808c7107efbaf58d5ae6cd74f745951ef6c7bb6f3b46749b470561de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qefaa.exe

Filesize
332KB

MD5
77f171ece486c071ef77390da49664ce

SHA1
bc148a9e7bfcf41c3e32af5a83d6648f2ef34334

SHA256
4f327cbc44e56bb63bdd0636e280ea852ff9fa6792010122b9e79df3b6ec0c1f

SHA512
ac38160f79ca40e2a80a70889513121e05738661843d4a147be2b4723dfadf64c38d619e9a64701396e6f32efa8e3a2835a298a9b4b660130c4c8dc075f199f9

Download Submit
\Users\Admin\AppData\Local\Temp\dailm.exe

Filesize
172KB

MD5
f73ec598325175aa976b41476500bed0

SHA1
1058096b59444a8fd5a32c3654a4ff3440cd6fc9

SHA256
c6ddd250d6801391e23abac7619638ab098e87cb130343762d8c4fe1d46d8ada

SHA512
6d868a6d7308239be961d2517ac232e5e665e6d102d429724339709b7360cc0d7119e47a6af489d988fdda53029756d2b6125a2c1f3d9741dc5d039b0220e434

Download Submit
\Users\Admin\AppData\Local\Temp\qefaa.exe

Filesize
332KB

MD5
58db4ba27f6b05f3d04b6ed96a9cbe90

SHA1
a2d99bec19e6886ca036ab5f89746ddd9dd32826

SHA256
c7607668820ebdca5f328fef70d853016950af5a9922fd576a20359ea9e1ba8b

SHA512
00004946deb33528881067579d04ac276ae73897d0c84478a84719c8a6ecd63999c8ef07a525942be3c99b71722525cba8c3702edad4e8aa1684236b031acc4b

Download Submit
memory/1440-41-0x0000000001320000-0x00000000013A1000-memory.dmp

Filesize
516KB

Download
memory/1440-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1440-23-0x0000000001320000-0x00000000013A1000-memory.dmp

Filesize
516KB

Download
memory/1440-17-0x0000000001320000-0x00000000013A1000-memory.dmp

Filesize
516KB

Download
memory/1440-37-0x0000000004040000-0x00000000040D9000-memory.dmp

Filesize
612KB

Download
memory/1488-51-0x0000000000020000-0x00000000000B9000-memory.dmp

Filesize
612KB

Download
memory/1488-50-0x0000000000020000-0x00000000000B9000-memory.dmp

Filesize
612KB

Download
memory/1488-39-0x0000000000020000-0x00000000000B9000-memory.dmp

Filesize
612KB

Download
memory/1488-48-0x0000000000020000-0x00000000000B9000-memory.dmp

Filesize
612KB

Download
memory/1488-42-0x0000000000020000-0x00000000000B9000-memory.dmp

Filesize
612KB

Download
memory/1488-49-0x0000000000020000-0x00000000000B9000-memory.dmp

Filesize
612KB

Download
memory/1488-47-0x0000000000020000-0x00000000000B9000-memory.dmp

Filesize
612KB

Download
memory/2000-20-0x00000000002A0000-0x0000000000321000-memory.dmp

Filesize
516KB

Download
memory/2000-0-0x00000000002A0000-0x0000000000321000-memory.dmp

Filesize
516KB

Download
memory/2000-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2000-9-0x0000000002650000-0x00000000026D1000-memory.dmp

Filesize
516KB

Download