urelas | c64a982e271d889db4868885ba61582e3f1e49c68580f00716e4db6075883e33

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c64a982e271d889db4868885ba61582e3f1e49c68580f00716e4db6075883e33N.exe
Size

508KB
MD5

8c988034c138f1a4ab47d329561858b0
SHA1

89606697c62c89531e16f2944446ba8e7454d0f6
SHA256

c64a982e271d889db4868885ba61582e3f1e49c68580f00716e4db6075883e33
SHA512

786582f45080c482cc105a7a9e70473b58d9a1e28c8712c94175fbdfe7a9114c873a6ab51ea9738b282e6b516980b83ec2e7d328c1f72f6adfec45cdfc9a89a4
SSDEEP

12288:Po7CGWcQSyYI2VrFKH5RBv9AQ1pEDdK5Wl:PMUv2LAv9AQ1p4dKAl

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2656	waxyc.exe
1212	ivovb.exe

Loads dropped DLL 2 IoCs

pid	Process
2432	c64a982e271d889db4868885ba61582e3f1e49c68580f00716e4db6075883e33N.exe
2656	waxyc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c64a982e271d889db4868885ba61582e3f1e49c68580f00716e4db6075883e33N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waxyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ivovb.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe
1212	ivovb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2656	2432	c64a982e271d889db4868885ba61582e3f1e49c68580f00716e4db6075883e33N.exe	30
PID 2432 wrote to memory of 2656	2432	c64a982e271d889db4868885ba61582e3f1e49c68580f00716e4db6075883e33N.exe	30
PID 2432 wrote to memory of 2656	2432	c64a982e271d889db4868885ba61582e3f1e49c68580f00716e4db6075883e33N.exe	30
PID 2432 wrote to memory of 2656	2432	c64a982e271d889db4868885ba61582e3f1e49c68580f00716e4db6075883e33N.exe	30
PID 2432 wrote to memory of 2676	2432	c64a982e271d889db4868885ba61582e3f1e49c68580f00716e4db6075883e33N.exe	31
PID 2432 wrote to memory of 2676	2432	c64a982e271d889db4868885ba61582e3f1e49c68580f00716e4db6075883e33N.exe	31
PID 2432 wrote to memory of 2676	2432	c64a982e271d889db4868885ba61582e3f1e49c68580f00716e4db6075883e33N.exe	31
PID 2432 wrote to memory of 2676	2432	c64a982e271d889db4868885ba61582e3f1e49c68580f00716e4db6075883e33N.exe	31
PID 2656 wrote to memory of 1212	2656	waxyc.exe	34
PID 2656 wrote to memory of 1212	2656	waxyc.exe	34
PID 2656 wrote to memory of 1212	2656	waxyc.exe	34
PID 2656 wrote to memory of 1212	2656	waxyc.exe	34

C:\Users\Admin\AppData\Local\Temp\c64a982e271d889db4868885ba61582e3f1e49c68580f00716e4db6075883e33N.exe
"C:\Users\Admin\AppData\Local\Temp\c64a982e271d889db4868885ba61582e3f1e49c68580f00716e4db6075883e33N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\waxyc.exe
  "C:\Users\Admin\AppData\Local\Temp\waxyc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\ivovb.exe
    "C:\Users\Admin\AppData\Local\Temp\ivovb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
419e7323ba1c338cc5416e27b85e1a54

SHA1
2cb39a428a267be036b146f62d4b5aec385ae634

SHA256
766d964b3ce9485d62bd702736257adf56beef1e4844e7f530df107d584bf0e0

SHA512
41faa18086e7c068849bd0f94d8308fd14e9201d687c3833223b1e55062e72e16acff1300a68e66ffef173d13e4921a99e58311087e824fa028915679fe129fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5d3cfa90927d5f7b5cf58fef66ab47d5

SHA1
4f92ae7dc8b5fe2cec6a2ce79bb593a8a20aadf5

SHA256
3015d2583e9563223f0bdf3da8d7a24de79d08a2ffc8cd81f6e12f99c8e0711a

SHA512
6baeba755a68e1c1ce4eaf27d8f99737652defa5dde05086594a9b1bb806276bd0b0f78e35f0cb1c8129d5d00988d021a80ac77df64af8a46ada712014cd5256

Download Submit
\Users\Admin\AppData\Local\Temp\ivovb.exe

Filesize
172KB

MD5
cdfdb9d9e5d6b528c88789ad86a56b8f

SHA1
54e47206b36dfc3fae7888c59c0f9e5685fe2a8b

SHA256
ef000aa743a80f45689bf32f2003e291db66070885d87cdf573faddaa433fedb

SHA512
b67a54ef317ce9b04429ddffe878cef81186d9f2a47318ed6c89a7d42eb0afc7c84077cb43e3b57f882a4347e42d334070dc6ff4f8b7f7395a07c0ae762097e3

Download Submit
\Users\Admin\AppData\Local\Temp\waxyc.exe

Filesize
508KB

MD5
7b37f27d01539f2bc612ad703fe40bc7

SHA1
0bea66b9185d1789c92534a15225470db174035e

SHA256
268be38b551e2f7f0dba2b910f344752774404e7ec51142a4d243f5e4b62e95e

SHA512
a12f527429b966b2b158057c9224e0280aaf4780575642b15daa617464cac6d3b04a1609ff6c6ad5ad429cef661d5514f87b2ad01758f1302aa783ad6e62e84c

Download Submit
memory/1212-37-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/1212-36-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/1212-40-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/1212-39-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/1212-38-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/1212-33-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/1212-34-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1212-30-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/2432-18-0x0000000000070000-0x00000000000F1000-memory.dmp

Filesize
516KB

Download
memory/2432-0-0x0000000000070000-0x00000000000F1000-memory.dmp

Filesize
516KB

Download
memory/2432-8-0x0000000002400000-0x0000000002481000-memory.dmp

Filesize
516KB

Download
memory/2656-10-0x0000000001200000-0x0000000001281000-memory.dmp

Filesize
516KB

Download
memory/2656-28-0x00000000041D0000-0x0000000004269000-memory.dmp

Filesize
612KB

Download
memory/2656-27-0x0000000001200000-0x0000000001281000-memory.dmp

Filesize
516KB

Download
memory/2656-21-0x0000000001200000-0x0000000001281000-memory.dmp

Filesize
516KB

Download