urelas | 4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703f

Analysis

max time kernel
150s
max time network
94s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe
Size

333KB
MD5

af649e88296ceb9e1d695358491cc750
SHA1

830da14bc248fa18205b5a0cbdb812734ca69b58
SHA256

4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703f
SHA512

95bf144918ca6ccbfb7d9598f8f35e466cc92231c2cdf83675fc95ef5c75a56024f3148801850e4acf64ba7e00d361db3edf0aece87dcb27c3e57e623e57190a
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYPy:vHW138/iXWlK885rKlGSekcj66ciz

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2260	locyo.exe
2968	eveqt.exe

Loads dropped DLL 2 IoCs

pid	Process
1048	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe
2260	locyo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eveqt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locyo.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe
2968	eveqt.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2260	1048	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	29
PID 1048 wrote to memory of 2260	1048	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	29
PID 1048 wrote to memory of 2260	1048	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	29
PID 1048 wrote to memory of 2260	1048	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	29
PID 1048 wrote to memory of 2816	1048	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	30
PID 1048 wrote to memory of 2816	1048	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	30
PID 1048 wrote to memory of 2816	1048	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	30
PID 1048 wrote to memory of 2816	1048	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	30
PID 2260 wrote to memory of 2968	2260	locyo.exe	32
PID 2260 wrote to memory of 2968	2260	locyo.exe	32
PID 2260 wrote to memory of 2968	2260	locyo.exe	32
PID 2260 wrote to memory of 2968	2260	locyo.exe	32

C:\Users\Admin\AppData\Local\Temp\4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe
"C:\Users\Admin\AppData\Local\Temp\4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\locyo.exe
  "C:\Users\Admin\AppData\Local\Temp\locyo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\eveqt.exe
    "C:\Users\Admin\AppData\Local\Temp\eveqt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
51eb60591001633f51a3690f0d69b21c

SHA1
2c5ab7a2e840ff3b4a81c85dd668ff6908dd31b3

SHA256
00b3935a5e5c00cc5640df9e92aa90903353835e2e1371adcd507be48aa3bdf7

SHA512
de8273739713c511957d81e151d4109d17a9d7d6f5322bf166869ad8a8f90d38b96586523009d6bcf425c257709131de69a0fbbb99209b533eb330c73836a217

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3411521507d9eeb8bfac6ea1921a502c

SHA1
533f592251a725c69d806c859474f2f734edd82f

SHA256
0a31708200b8055b3ec04b285223704e4861ce8b04cc1bd0cbbc7df065b0154b

SHA512
afca2e7e7f7f907b4416d4f75db9d749580e0cfdbcbc501e050675220dbc102529b1a60c1d3de8f95d4c0db8eaf69f956fcac2dcf9303268b5dda4fd629140b5

Download Submit
\Users\Admin\AppData\Local\Temp\eveqt.exe

Filesize
172KB

MD5
9d9e2f818a38a9a48d4539409e91ff20

SHA1
4e0ac68e52549a48a8bb7ae0e466c283da7e6880

SHA256
932e73df5526f2af0bc9a1b56c1bed04b430250953d6801e2ca3ba91c13424fd

SHA512
938551be150713a72d43a2522f9b320690890fa7ddb687460de049ce65a501dd7c51a2c37832a6458c4774c2c2d87b5b2c113f51bd8f8297ce9504f1f60ad3e1

Download Submit
\Users\Admin\AppData\Local\Temp\locyo.exe

Filesize
333KB

MD5
276947ce129e032700ee8a1f168d8caf

SHA1
fb05547dfaeee2eda897dd7ed7f50042d6191faa

SHA256
4d26a73887dfad908d6add906ffc64262e1dc768f30335037cadd56dcb6773a9

SHA512
17890fb9a1256e2858ac674353be4639b4afb9a56b6c130f10732e7ea44bc6ff4c796154e9f83350449a8a16d184714eb602f0916978ba2ecbc21699c846afba

Download Submit
memory/1048-0-0x00000000001C0000-0x0000000000241000-memory.dmp

Filesize
516KB

Download
memory/1048-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1048-10-0x0000000002170000-0x00000000021F1000-memory.dmp

Filesize
516KB

Download
memory/1048-19-0x00000000001C0000-0x0000000000241000-memory.dmp

Filesize
516KB

Download
memory/2260-36-0x0000000003760000-0x00000000037F9000-memory.dmp

Filesize
612KB

Download
memory/2260-22-0x0000000001320000-0x00000000013A1000-memory.dmp

Filesize
516KB

Download
memory/2260-23-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2260-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2260-40-0x0000000001320000-0x00000000013A1000-memory.dmp

Filesize
516KB

Download
memory/2968-42-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2968-41-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2968-46-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2968-47-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2968-48-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2968-49-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2968-50-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download