urelas | b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe
Size

505KB
MD5

053f3c2896703544b2afc8a7d257d336
SHA1

52ef9b00ea8ea3ea12c3a1cc5f36a025b17a9eb4
SHA256

b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9
SHA512

e8599bd638cc3dc7ed44280af06ac16184cfac461758cc139fadd9e0a134c77e5fb5e8407a5547ef62547d2342f39fa8acdd783ad30b8fac48c09ab626955c04
SSDEEP

12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKoEh:3MUv2LAv9AQ1p4dK3

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2728	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1156	qoxok.exe
1520	xuwef.exe

Loads dropped DLL 2 IoCs

pid	Process
1172	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe
1156	qoxok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoxok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xuwef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe
1520	xuwef.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 1156	1172	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe	31
PID 1172 wrote to memory of 1156	1172	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe	31
PID 1172 wrote to memory of 1156	1172	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe	31
PID 1172 wrote to memory of 1156	1172	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe	31
PID 1172 wrote to memory of 2728	1172	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe	32
PID 1172 wrote to memory of 2728	1172	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe	32
PID 1172 wrote to memory of 2728	1172	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe	32
PID 1172 wrote to memory of 2728	1172	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe	32
PID 1156 wrote to memory of 1520	1156	qoxok.exe	34
PID 1156 wrote to memory of 1520	1156	qoxok.exe	34
PID 1156 wrote to memory of 1520	1156	qoxok.exe	34
PID 1156 wrote to memory of 1520	1156	qoxok.exe	34

C:\Users\Admin\AppData\Local\Temp\b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe
"C:\Users\Admin\AppData\Local\Temp\b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\qoxok.exe
  "C:\Users\Admin\AppData\Local\Temp\qoxok.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Local\Temp\xuwef.exe
    "C:\Users\Admin\AppData\Local\Temp\xuwef.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3cf6ea4b98f2c1323929b293f1e5c1ba

SHA1
ff1892913533fd8bf64d617027a753a617e1ec61

SHA256
f736688d40528811ea4efe68a62686927662db7a2af29798638a3255f1c33da4

SHA512
5224dba1e08821ed00ae7562371edb5b6de648021a9c6d5a3a668d43107cbe3f87156a304e513ccbefe2e269dd873ac314ddbd2c3e3fb09dd276f43633857251

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
88a2025b497617581c9fb3ce0a59040b

SHA1
7af4f32b3941e46352c93edc7a2ec5b2a60a8e40

SHA256
726f3870600098ccfddd1358e534c41910e9c6bba607292548b3786f5e56ed1a

SHA512
f0a0e0fc89cd68dc495dc63ff9ce427519993403d9ac285e6ec278d9c8b5f89d78ac823d3ae2dff42ecbe982a2d2cdb332fe4173bf0ced76b037163e41242fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoxok.exe

Filesize
506KB

MD5
e0cb15a874e4c89f74fe063ad9422397

SHA1
40a6053939732c058500989214b150d626f016e1

SHA256
4cf2723814d7b5b852a654958ecd35a45457e61d5d0a9920c6e164136d1ae0f4

SHA512
33cfa7e420159e0172f5585dd2c164453dc5167cdef7ca916260b9c09d6e9ab4b0eae2bac4c50ce881a5d91b3f6b839175313c8466e3b3ae446db9b1e769d204

Download Submit
\Users\Admin\AppData\Local\Temp\qoxok.exe

Filesize
506KB

MD5
32b44e945f608b86bc3cdbe1941b0a94

SHA1
72e5d744951c22a28c54e3a2eac527820a4fbf92

SHA256
2fa7169b5c3ca654ba10a19019e5573480c3e784ac38a5c89539be2e99564f90

SHA512
c0bc7ad63fac915de2d8238c33a50a08ba5f96661497934521c6395ba447ad657f3fcb057e8d49da465e0c33785fb3274e41db90a6f625c28ab31355bbebe1a0

Download Submit
\Users\Admin\AppData\Local\Temp\xuwef.exe

Filesize
172KB

MD5
3020c09fc2f70f1dee8edb793fd52726

SHA1
8ce67b1199ae67c425eb767c9c0e840ba4197cf2

SHA256
c430315eeb4aeeeb8c5924a14caae74aaf13127ccb6eab388ae5bed193a8bc2b

SHA512
54a7c81ccf030ceaa8466a19b0a217fcd368c45760e252dd0db5a96098c5d4e21b7c299e90ac97074700e7f8a7d2e7c62d81fadddea7b8f7f8ce0fd0e60c40c9

Download Submit
memory/1156-17-0x0000000000A00000-0x0000000000A81000-memory.dmp

Filesize
516KB

Download
memory/1156-28-0x0000000000A00000-0x0000000000A81000-memory.dmp

Filesize
516KB

Download
memory/1156-21-0x0000000000A00000-0x0000000000A81000-memory.dmp

Filesize
516KB

Download
memory/1172-18-0x0000000000EF0000-0x0000000000F71000-memory.dmp

Filesize
516KB

Download
memory/1172-0-0x0000000000EF0000-0x0000000000F71000-memory.dmp

Filesize
516KB

Download
memory/1172-8-0x0000000000E60000-0x0000000000EE1000-memory.dmp

Filesize
516KB

Download
memory/1520-29-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/1520-30-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1520-31-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/1520-37-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1520-36-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/1520-38-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/1520-39-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/1520-40-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/1520-41-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download