urelas | 228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799

Analysis

max time kernel
150s
max time network
82s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe
Size

331KB
MD5

b2b46805c6d9040e35b03cbcc2291570
SHA1

1f8c09742e89bc1920b0996382875069a2699ed7
SHA256

228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799
SHA512

05b4587e1e080bafc8d6b1c5f373273e0601d9e73fcf20ad33c19721e1cee1b89b3ea57081e301adac512b9140a2ea3b088b4ccfa176ae627d0823e4b9413580
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVH:vHW138/iXWlK885rKlGSekcj66ciEH

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2920	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2804	afutj.exe
2960	neyvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2792	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe
2804	afutj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afutj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neyvc.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe
2960	neyvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2804	2792	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	29
PID 2792 wrote to memory of 2804	2792	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	29
PID 2792 wrote to memory of 2804	2792	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	29
PID 2792 wrote to memory of 2804	2792	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	29
PID 2792 wrote to memory of 2920	2792	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	30
PID 2792 wrote to memory of 2920	2792	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	30
PID 2792 wrote to memory of 2920	2792	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	30
PID 2792 wrote to memory of 2920	2792	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	30
PID 2804 wrote to memory of 2960	2804	afutj.exe	32
PID 2804 wrote to memory of 2960	2804	afutj.exe	32
PID 2804 wrote to memory of 2960	2804	afutj.exe	32
PID 2804 wrote to memory of 2960	2804	afutj.exe	32

C:\Users\Admin\AppData\Local\Temp\228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe
"C:\Users\Admin\AppData\Local\Temp\228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\afutj.exe
  "C:\Users\Admin\AppData\Local\Temp\afutj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\neyvc.exe
    "C:\Users\Admin\AppData\Local\Temp\neyvc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
321fde60b66c64c4701cb5b752f9d577

SHA1
217bdea5ccb5a394cf3da4f6147192343f9e6dbd

SHA256
4ebdee2fa534f770db37aca411d0ef97cd23540daf2f6fd39b4b73839571156a

SHA512
75036d7a7aac9e4a51335c3901ba5157701ba8f0b81264c050cecabb73185643cf6f71545d4683413b88fcd794d666805655251584c5aa89eac76cf6294c833e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f25c13b1486ddcf8951d05f0e7145fbd

SHA1
a6e52b97cfd813136daa5879ca98d45b9fb9cf45

SHA256
7cadd247591e5980c9c8cbfe115d1f09c607a3b527edf5460cf95821d8ad3031

SHA512
7fd38e36fafff2b95b69d36299dd8381131316d75bd2fef115469bb9991383f9464fe8f32fe1b6851636100fabfd9d318a908fa7a0c993db2b488719b2c06366

Download Submit
\Users\Admin\AppData\Local\Temp\afutj.exe

Filesize
331KB

MD5
7d2a935d30e773b04e6377d52cff8c54

SHA1
b363da09746fa15a2b45b9d8c615b59c852384b3

SHA256
ec4f748713ca1fcb217ec556bd7fbddb288b944f1f2c05ccb969b7d2677c16f1

SHA512
c50077e63531628f792d4a274f1b290743dc1783b050403c9e36e9bc8a01ea44f9990fd6fbbe498ff323981342ee93a5223662d181432d5ca08c40e08867b834

Download Submit
\Users\Admin\AppData\Local\Temp\neyvc.exe

Filesize
172KB

MD5
ca0db21eb6d0e09069db8ffd4cd51ca3

SHA1
c9fe4efa06257be2b868773b9076dff370089b47

SHA256
d7067354901de737c17ab2bb1f4b2ee923192a18476add8bf84da3cc4d7d132f

SHA512
558291e4c082aef212eccbf7ba6d1fbdc0ed15305d2102601e0c49987a589500ce4ac4d3d335fa97a4a44c767757a6ac8b0ac7af56cd1b1effafe8e3497f0b9f

Download Submit
memory/2792-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2792-0-0x0000000000FC0000-0x0000000001041000-memory.dmp

Filesize
516KB

Download
memory/2792-8-0x00000000024A0000-0x0000000002521000-memory.dmp

Filesize
516KB

Download
memory/2792-20-0x0000000000FC0000-0x0000000001041000-memory.dmp

Filesize
516KB

Download
memory/2804-23-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/2804-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2804-40-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/2804-38-0x0000000003B60000-0x0000000003BF9000-memory.dmp

Filesize
612KB

Download
memory/2960-42-0x0000000000110000-0x00000000001A9000-memory.dmp

Filesize
612KB

Download
memory/2960-41-0x0000000000110000-0x00000000001A9000-memory.dmp

Filesize
612KB

Download
memory/2960-46-0x0000000000110000-0x00000000001A9000-memory.dmp

Filesize
612KB

Download
memory/2960-47-0x0000000000110000-0x00000000001A9000-memory.dmp

Filesize
612KB

Download
memory/2960-48-0x0000000000110000-0x00000000001A9000-memory.dmp

Filesize
612KB

Download
memory/2960-49-0x0000000000110000-0x00000000001A9000-memory.dmp

Filesize
612KB

Download
memory/2960-50-0x0000000000110000-0x00000000001A9000-memory.dmp

Filesize
612KB

Download