urelas | b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe
Size

332KB
MD5

1024d773fc47520c1454b600cdfee860
SHA1

7cb1ce05b8c60995daa64416b925426f139ea134
SHA256

b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1
SHA512

60a3f88d1c6403e58d391bbb9534b06aa5c928b1fea3d62b39927dda85f4186b59b6b3ee709bcc8339ba2309a969fe3ecd281e43877068069c5f5391704e6a7c
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYi:vHW138/iXWlK885rKlGSekcj66cij

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1316	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2332	dofij.exe
2680	nozuh.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe
2332	dofij.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dofij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nozuh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe
2680	nozuh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2332	2036	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	31
PID 2036 wrote to memory of 2332	2036	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	31
PID 2036 wrote to memory of 2332	2036	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	31
PID 2036 wrote to memory of 2332	2036	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	31
PID 2036 wrote to memory of 1316	2036	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	32
PID 2036 wrote to memory of 1316	2036	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	32
PID 2036 wrote to memory of 1316	2036	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	32
PID 2036 wrote to memory of 1316	2036	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	32
PID 2332 wrote to memory of 2680	2332	dofij.exe	34
PID 2332 wrote to memory of 2680	2332	dofij.exe	34
PID 2332 wrote to memory of 2680	2332	dofij.exe	34
PID 2332 wrote to memory of 2680	2332	dofij.exe	34

C:\Users\Admin\AppData\Local\Temp\b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe
"C:\Users\Admin\AppData\Local\Temp\b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\dofij.exe
  "C:\Users\Admin\AppData\Local\Temp\dofij.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\nozuh.exe
    "C:\Users\Admin\AppData\Local\Temp\nozuh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
04a7bfa8eb94ca946e1a890cc85ebfa6

SHA1
f9cd3e2f86e97ac420219e2fba3787684910607f

SHA256
a25689378fb74347ddc425110ed6f13f5a10787ba1913001946839a8953a972d

SHA512
b7fda068921b8ceebc1a74afd9a5e1ca9e3fbc60b9054c92afe9fa88293561894ef67f8e7cbe8abbe86bcef98350a803b9450eb6cf051b57433a4d4b6b67bc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f3b9f646776b9e716dce384ec23ad694

SHA1
1434d99e3ee3dc3d773836d2736e35728c3c1791

SHA256
e48ae4c57048eea62de2e4c041fc67fd28c0042e36a6c8c0c8cb8575dd9c5e53

SHA512
1566211d5910967599b5272b9f39651298d11798223d32b5fd76b4fc6124219faeafa5c34eaef73784e6124ea9bce4001c77a6a23bc8b459e0bfb66689e0af74

Download Submit
\Users\Admin\AppData\Local\Temp\dofij.exe

Filesize
332KB

MD5
2a88523114b54028ea9a8c0c795b617c

SHA1
57d36ce18294a22b8c601b61ff402768b71abba5

SHA256
d1f530610db7e90675ad45fbb333fbc33621dd9dbb20171b4f6a95871b12385e

SHA512
d8754ec6d1f5fe1adf8afbf74ae3b10c2e1d27d61ff3f7f6a5ac7415fabde7f8cb642d54789d40a45e7037e9a7de1dd77a7018e564f0bf291c5514a3b7ca021a

Download Submit
\Users\Admin\AppData\Local\Temp\nozuh.exe

Filesize
172KB

MD5
c072b362f273091bbc58d5e900472477

SHA1
0aefb73700846c82cbc3e90091e8cd49e06af506

SHA256
c92fbd7a97e4d457ef5f4f803371b98f076f68153651c77063d5f97692af3ea1

SHA512
263bb4a5f47b6376445c78c60d9f56791e85a54fc711bd54aa451efa38678208a3516a1731f67824ad822a4dec447b8aef690d28698ea637b756a5bea34e317a

Download Submit
memory/2036-0-0x0000000000C60000-0x0000000000CE1000-memory.dmp

Filesize
516KB

Download
memory/2036-9-0x00000000021A0000-0x0000000002221000-memory.dmp

Filesize
516KB

Download
memory/2036-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2036-20-0x0000000000C60000-0x0000000000CE1000-memory.dmp

Filesize
516KB

Download
memory/2332-23-0x00000000002D0000-0x0000000000351000-memory.dmp

Filesize
516KB

Download
memory/2332-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2332-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2332-11-0x00000000002D0000-0x0000000000351000-memory.dmp

Filesize
516KB

Download
memory/2332-36-0x0000000003220000-0x00000000032B9000-memory.dmp

Filesize
612KB

Download
memory/2332-41-0x00000000002D0000-0x0000000000351000-memory.dmp

Filesize
516KB

Download
memory/2680-42-0x00000000013B0000-0x0000000001449000-memory.dmp

Filesize
612KB

Download
memory/2680-43-0x00000000013B0000-0x0000000001449000-memory.dmp

Filesize
612KB

Download
memory/2680-47-0x00000000013B0000-0x0000000001449000-memory.dmp

Filesize
612KB

Download
memory/2680-48-0x00000000013B0000-0x0000000001449000-memory.dmp

Filesize
612KB

Download
memory/2680-49-0x00000000013B0000-0x0000000001449000-memory.dmp

Filesize
612KB

Download
memory/2680-50-0x00000000013B0000-0x0000000001449000-memory.dmp

Filesize
612KB

Download
memory/2680-51-0x00000000013B0000-0x0000000001449000-memory.dmp

Filesize
612KB

Download