urelas | 67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe
Size

507KB
MD5

a9eaeb04e896a02140c7bbdbf5845a0e
SHA1

cbf857f9a0bf3a2db43d0320d3ea29f1914ac8c7
SHA256

67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd
SHA512

70dedcea8fcdbf85dc2eb9c40ec271ba207516b8074a4f8ba21d78dc1acb0c994e3d42d6d19af7e73d54e4dc6e2ce227d0f08cca1f6a439ffac43c322d642efc
SSDEEP

12288:Po7CGWcQSyYI2VrFKH5RBv9AQ1pEDdK5s:PMUv2LAv9AQ1p4dKC

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
796	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

piojs.exeweihi.exe

pid	Process
2312	piojs.exe
2020	weihi.exe

Loads dropped DLL 2 IoCs

Processes:

67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exepiojs.exe

pid	Process
1716	67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe
2312	piojs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

piojs.exeweihi.exe67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	piojs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	weihi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

weihi.exe

pid	Process
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe
2020	weihi.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exepiojs.exe

description	pid	Process	procid_target
PID 1716 wrote to memory of 2312	1716	67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe	31
PID 1716 wrote to memory of 2312	1716	67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe	31
PID 1716 wrote to memory of 2312	1716	67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe	31
PID 1716 wrote to memory of 2312	1716	67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe	31
PID 1716 wrote to memory of 796	1716	67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe	32
PID 1716 wrote to memory of 796	1716	67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe	32
PID 1716 wrote to memory of 796	1716	67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe	32
PID 1716 wrote to memory of 796	1716	67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe	32
PID 2312 wrote to memory of 2020	2312	piojs.exe	34
PID 2312 wrote to memory of 2020	2312	piojs.exe	34
PID 2312 wrote to memory of 2020	2312	piojs.exe	34
PID 2312 wrote to memory of 2020	2312	piojs.exe	34

C:\Users\Admin\AppData\Local\Temp\67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe
"C:\Users\Admin\AppData\Local\Temp\67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\piojs.exe
  "C:\Users\Admin\AppData\Local\Temp\piojs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Users\Admin\AppData\Local\Temp\weihi.exe
    "C:\Users\Admin\AppData\Local\Temp\weihi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
4f2811e676564ddbb1418c0c13b93823

SHA1
5461d02935c32866233c49abf1ccf2d870fb2567

SHA256
3fff7780a5f6d2b359102a3f8228706fd19310c0b23eba211c14e303b7f8cc49

SHA512
15bf5d91b68501e828066694747c78ca217df7d430416156565f47308899d969413e3e887d0cf717bc508f16d9230d9fc246342ce71c27e04bba289cef5b68fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
faefc5fd078862484e11c77e5a1d97b8

SHA1
7555ace119b5f13da9b09ceb64b835b4d864867d

SHA256
724f393e29adbaf71d398ed6cab85333f49e0b47a94ac81e0d39d1afc66fd74d

SHA512
f61897b954c79d0ff3cc75e725952bae30d44b37df6356f6fbefafd81ad585d1416b9ef55dff57b27469d2747afac690116d5812cf5a052023680f7864f402bc

Download Submit
\Users\Admin\AppData\Local\Temp\piojs.exe

Filesize
507KB

MD5
c65efb59b6eeaf36a2b38a71595159a8

SHA1
5a8b6c0de031fc9ecf9741f26e08476904cd62a6

SHA256
19c12c950acaf5f2d85353823f0cf30d109270045cd609123b73c01e134a1af3

SHA512
6ee827b9e5a86780153d3371e273f9642ce4639219b6da02950a5c61bdf327f36a2329faabd2e7e0e7cb5cf5f801193d0891509d2c79e96fdf71fc9afb86360e

Download Submit
\Users\Admin\AppData\Local\Temp\weihi.exe

Filesize
172KB

MD5
f69a83fcdfc50e951be9db0b387b5997

SHA1
c532ecd30b81a7dc10435ef3ba7fe6a22e15e82f

SHA256
07661ef30439043b2062f84fda9d70090152867ca323cf3e9929528e83b2a129

SHA512
fc96e173ce3e1eaacd3dc9834cb43459c0910cdb28a5949b123c9b3486f2612b964b548412599cb494459ec14fcfb9269a551c777dce0a1a9c52211f1015ce53

Download Submit
memory/1716-0-0x0000000000D70000-0x0000000000DF1000-memory.dmp

Filesize
516KB

Download
memory/1716-9-0x00000000024D0000-0x0000000002551000-memory.dmp

Filesize
516KB

Download
memory/1716-18-0x0000000000D70000-0x0000000000DF1000-memory.dmp

Filesize
516KB

Download
memory/2020-31-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/2020-30-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2020-32-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/2020-36-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2020-37-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/2020-38-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/2020-39-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/2020-40-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/2020-41-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/2312-21-0x0000000000030000-0x00000000000B1000-memory.dmp

Filesize
516KB

Download
memory/2312-10-0x0000000000030000-0x00000000000B1000-memory.dmp

Filesize
516KB

Download
memory/2312-29-0x0000000000030000-0x00000000000B1000-memory.dmp

Filesize
516KB

Download
memory/2312-27-0x0000000003310000-0x00000000033A9000-memory.dmp

Filesize
612KB

Download