urelas | 13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe
Size

332KB
MD5

d4dc0d308df5e95206a3996e1826e0f0
SHA1

11d31cdf3db5943ad568af9beb1ea22138a29ecf
SHA256

13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398
SHA512

3a12527907ea4a9a10bffb8401dc3218c58a29e7e0782bfde678b99f327dd5f99b506fef43e15d7927aea1e44515e14375f240226f22fff1e20ac5355234c092
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVj:vHW138/iXWlK885rKlGSekcj66ciEj

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2856	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

fidoi.exevazue.exe

pid	Process
2760	fidoi.exe
1288	vazue.exe

Loads dropped DLL 2 IoCs

Processes:

13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exefidoi.exe

pid	Process
2188	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe
2760	fidoi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exefidoi.execmd.exevazue.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fidoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vazue.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

vazue.exe

pid	Process
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe
1288	vazue.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exefidoi.exe

description	pid	Process	procid_target
PID 2188 wrote to memory of 2760	2188	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	30
PID 2188 wrote to memory of 2760	2188	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	30
PID 2188 wrote to memory of 2760	2188	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	30
PID 2188 wrote to memory of 2760	2188	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	30
PID 2188 wrote to memory of 2856	2188	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	31
PID 2188 wrote to memory of 2856	2188	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	31
PID 2188 wrote to memory of 2856	2188	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	31
PID 2188 wrote to memory of 2856	2188	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	31
PID 2760 wrote to memory of 1288	2760	fidoi.exe	34
PID 2760 wrote to memory of 1288	2760	fidoi.exe	34
PID 2760 wrote to memory of 1288	2760	fidoi.exe	34
PID 2760 wrote to memory of 1288	2760	fidoi.exe	34

C:\Users\Admin\AppData\Local\Temp\13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe
"C:\Users\Admin\AppData\Local\Temp\13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\fidoi.exe
  "C:\Users\Admin\AppData\Local\Temp\fidoi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\vazue.exe
    "C:\Users\Admin\AppData\Local\Temp\vazue.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b894925e57c9f98debe0a09b905518fe

SHA1
68c2149448f56c2057df9ef76fd227a18b9d39bc

SHA256
8ffdf586ab3ce73a65dd5548babe3b33cc4fbd3a941fb975cd821a9027f42783

SHA512
0b97ccd3521fc66080efaf5e8b7249f6dd8fbfb993c1ad50bca12240d40a11f5f15251b21dbe8f8563d701d9481576d4c0df121ae58017e1fe3f845c38d22b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
dee441702220c2364c49bea021f8284a

SHA1
0a302360c0e9c6778defba6a8a6f79525aeec140

SHA256
7373cdd006da4c116029b5bb2e0862faab0dcbc51478e3022c3fc583495308c2

SHA512
7567847af819a08cb857d3035f9647d3cb445c0238790c1f9e42213e21acafcf2ac893310a89d37f226b7cf1f98095510e6d7fc75c0d6067655a864a2c78ad1e

Download Submit
\Users\Admin\AppData\Local\Temp\fidoi.exe

Filesize
332KB

MD5
cf661720d4c25496332803437083d704

SHA1
479ebf7ee0dd27e145fd84c98fc2ed735a19c030

SHA256
df1ffc431b052514030ec549d93f660e0d7080ca5f2401081a57ceb671c2b8e4

SHA512
45841a517d38fec8d9a3d540e4fcbe4f85167484119ee94fbdd52a0801306014de3b42779945dfe3201a3f9f4c5b936f420bc838b8d1635a0259d9cb5b5844bd

Download Submit
\Users\Admin\AppData\Local\Temp\vazue.exe

Filesize
172KB

MD5
d47509a5cdd6c53c02e4360c7a288bbd

SHA1
e5592dd221e913804a3b52a1193004f0b9de2c46

SHA256
210c91b980c610807ecd5b8c1d6a77e2995011c4d3f8a3994a58d6a5739ae817

SHA512
aef79d051dbc2ab0f5506b092f442d0ad581f347ef853461492bba034c6776147d2c60031334af86c36cd789e2e79bdcd1175ed06bdfdfabd5fd4bb1ad404ed8

Download Submit
memory/1288-46-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/1288-50-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/1288-49-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/1288-48-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/1288-41-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/1288-47-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/1288-42-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/2188-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2188-19-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download
memory/2188-10-0x00000000020C0000-0x0000000002141000-memory.dmp

Filesize
516KB

Download
memory/2188-0-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download
memory/2760-11-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/2760-38-0x0000000003420000-0x00000000034B9000-memory.dmp

Filesize
612KB

Download
memory/2760-40-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/2760-23-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/2760-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download