urelas | c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe
Size

328KB
MD5

7278c271c2eef03467db27313917b658
SHA1

9629d2d11c22a6da39b2640759db5466900fdece
SHA256

c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44
SHA512

0a71c83047f23e4e451e9df2ce188bd6ea9f41e446b1add9e48118584c76d54cde3ad6252d38fcc4071e15e2bc6f2e0f5f1165112febe15b7d6022c1d2babf39
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMO0B:vHW138/iXWlK885rKlGSekcj66ciRB

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2824	ricao.exe
2884	muawy.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe
2824	ricao.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ricao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muawy.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe
2884	muawy.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2824	2028	c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe	30
PID 2028 wrote to memory of 2824	2028	c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe	30
PID 2028 wrote to memory of 2824	2028	c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe	30
PID 2028 wrote to memory of 2824	2028	c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe	30
PID 2028 wrote to memory of 2720	2028	c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe	31
PID 2028 wrote to memory of 2720	2028	c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe	31
PID 2028 wrote to memory of 2720	2028	c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe	31
PID 2028 wrote to memory of 2720	2028	c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe	31
PID 2824 wrote to memory of 2884	2824	ricao.exe	33
PID 2824 wrote to memory of 2884	2824	ricao.exe	33
PID 2824 wrote to memory of 2884	2824	ricao.exe	33
PID 2824 wrote to memory of 2884	2824	ricao.exe	33

C:\Users\Admin\AppData\Local\Temp\c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe
"C:\Users\Admin\AppData\Local\Temp\c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\ricao.exe
  "C:\Users\Admin\AppData\Local\Temp\ricao.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\muawy.exe
    "C:\Users\Admin\AppData\Local\Temp\muawy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3cf7fca461b272356871b22b0d6e9eea

SHA1
4f689d27d037d48e82c7ba213695752badc827a5

SHA256
a27fea47043be1d32f2e20feb1e66819f89eec3ac0288ace69885f47143aa31c

SHA512
ed5e1bce5d3b888ed948b61f6946f6cadacf010a8b6c43c12873669d9fabeed006c9b0f13bc6640fdbef4db99de23f86a3e2a7fd6c6ca87f6801ee2accedbdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5be239b29d61c2307e53826d1f1a434d

SHA1
eb7a0b2e809bd3af1d623bc33920691a023de346

SHA256
377d62dc63200123eba8082c66ea3e17a4b3a5af76c51a467de33326dd8f824b

SHA512
9051ce0985567edb6ee154dbda10c8aa2c90997b673af135e858613ec7d59e4427fdc9030cf2dd0ee87bf86307d485ffe6e022f87d67cba42caf370d678d7825

Download Submit
\Users\Admin\AppData\Local\Temp\muawy.exe

Filesize
172KB

MD5
cdbb6aefea171fa3072093ed1d7c1301

SHA1
c90c8907a69154f2df0be0cd3d1660363cd4b365

SHA256
5f672cbd21410cb5bba8e9fbba807c6aba7c8f284539509a91cceaba5fedb20b

SHA512
6d21d866a4485c9b1e8fae5f75054e26f24e7b02586858c00761272e077009ea5bf59ff8c2aab8aacecde6b7f06fed6f92bf3b91e42261eaa80c63cbbdb09c7e

Download Submit
\Users\Admin\AppData\Local\Temp\ricao.exe

Filesize
328KB

MD5
a9f33d888399c20a2e0f70700c0c4d2a

SHA1
364a74b89e5f9a2c2d694e6830ab67d4d0d972f1

SHA256
4b4e4ecd0adf85cf3bf439556eb254c765f48945fd7361c3758ae25aa013674e

SHA512
24c938f11e1d7540216e2a61e1149cd88aec278294961b3b8ca30f24797d85dded1e366b146cd4f92f757d75ade5c31fb12ca9a96c2bebbecc58bd665ccb7827

Download Submit
memory/2028-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2028-0-0x0000000000F30000-0x0000000000FB1000-memory.dmp

Filesize
516KB

Download
memory/2028-33-0x0000000002B10000-0x0000000002B91000-memory.dmp

Filesize
516KB

Download
memory/2028-19-0x0000000000F30000-0x0000000000FB1000-memory.dmp

Filesize
516KB

Download
memory/2028-17-0x0000000002B10000-0x0000000002B91000-memory.dmp

Filesize
516KB

Download
memory/2824-24-0x00000000013B0000-0x0000000001431000-memory.dmp

Filesize
516KB

Download
memory/2824-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2824-20-0x00000000013B0000-0x0000000001431000-memory.dmp

Filesize
516KB

Download
memory/2824-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2824-43-0x00000000013B0000-0x0000000001431000-memory.dmp

Filesize
516KB

Download
memory/2824-40-0x00000000033C0000-0x0000000003459000-memory.dmp

Filesize
612KB

Download
memory/2884-47-0x0000000001060000-0x00000000010F9000-memory.dmp

Filesize
612KB

Download
memory/2884-44-0x0000000001060000-0x00000000010F9000-memory.dmp

Filesize
612KB

Download
memory/2884-49-0x0000000001060000-0x00000000010F9000-memory.dmp

Filesize
612KB

Download
memory/2884-50-0x0000000001060000-0x00000000010F9000-memory.dmp

Filesize
612KB

Download
memory/2884-51-0x0000000001060000-0x00000000010F9000-memory.dmp

Filesize
612KB

Download
memory/2884-52-0x0000000001060000-0x00000000010F9000-memory.dmp

Filesize
612KB

Download
memory/2884-53-0x0000000001060000-0x00000000010F9000-memory.dmp

Filesize
612KB

Download