urelas | 56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe
Size

326KB
MD5

7369bddc9ef2ce044b115923f47ca6e0
SHA1

6d5f2d34b544e6a95d3fd0198706f3e4bc13665b
SHA256

56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718
SHA512

8c2b11e4de1a1b24638eb6b95c38a8e41654015c76208b2eb912b4eab020135806b5d6a1cdcda1169fd713a5371cb3b192be5b1f71caa32afe7cfc0ae429bed6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYk:vHW138/iXWlK885rKlGSekcj66ciJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2528	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1796	rorea.exe
932	secyd.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe
1796	rorea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rorea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	secyd.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe
932	secyd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1796	2064	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe	30
PID 2064 wrote to memory of 1796	2064	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe	30
PID 2064 wrote to memory of 1796	2064	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe	30
PID 2064 wrote to memory of 1796	2064	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe	30
PID 2064 wrote to memory of 2528	2064	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe	31
PID 2064 wrote to memory of 2528	2064	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe	31
PID 2064 wrote to memory of 2528	2064	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe	31
PID 2064 wrote to memory of 2528	2064	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe	31
PID 1796 wrote to memory of 932	1796	rorea.exe	34
PID 1796 wrote to memory of 932	1796	rorea.exe	34
PID 1796 wrote to memory of 932	1796	rorea.exe	34
PID 1796 wrote to memory of 932	1796	rorea.exe	34

C:\Users\Admin\AppData\Local\Temp\56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe
"C:\Users\Admin\AppData\Local\Temp\56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\rorea.exe
  "C:\Users\Admin\AppData\Local\Temp\rorea.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Users\Admin\AppData\Local\Temp\secyd.exe
    "C:\Users\Admin\AppData\Local\Temp\secyd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
075fd977af72e2c7e8027ca5a6c2a76d

SHA1
57e248e4348bfa5a2b6494ebfce31d4073c82a0b

SHA256
bb1b69cc6c30de91cbc31ddeec5efc71f172e4013933e98e92d0e2c9137f5fcf

SHA512
b661a441e0fa3638040ca79f0f1d42b03de2a601b030769ffbd9bf34373700f5123e19c8f16df424d8d9bdc440722783d0ee097e56d48d215732bb7106891633

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e56a75927aa4fd27807f9a72605cd9ef

SHA1
84243d79f484f8d6318e7ab8a2949b72ee2e8782

SHA256
6ddc9244c8566cb9153b73a12a30d7e7963b0eada3c8a20926b6d7ec5302231d

SHA512
99190cfe9e4cb888b5bfdb42dd8a2ad53ed22d1d4baba2e01a14ee76393e5c3cccd7bceac51954294611597a56a2926e1ab208ff996e1a76024c5d8ba50d1bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rorea.exe

Filesize
326KB

MD5
3490979860f2848265fcff258f05d6f8

SHA1
aafa28ddd9c0472f48fdd02fa66d338ba52a1ffb

SHA256
f27e1138a13e8f721cf4b7e4a73fcfedd71ff49a1d09c25b60d7af30501ef4ce

SHA512
6a2b4da8ef15f2f3f52c41f52775ed437a8f604054ba6e9a39f9276b388b19eec556891f806a7d3aa2c43c01aa9cb854289dccb0d8fa2fd26ba9104a6d4e5a74

Download Submit
\Users\Admin\AppData\Local\Temp\secyd.exe

Filesize
172KB

MD5
386b51a4164a2515b8f4dd690dba5159

SHA1
6145e792af7d62afd9c5eefabce6c3d1c006737b

SHA256
bb457262c74ff4ceed690176cef42bc2267f35d99948cf44c454d640e4636699

SHA512
8bc67f675046bd4a111f33d4c0f72819cb1eeba73931b802763877ff837fbcb8d5616176080a8f74d525b3599d0e32b726e9e2995a6f667376e9982b3282abd6

Download Submit
memory/932-52-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/932-51-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/932-50-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/932-49-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/932-48-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/932-44-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/932-43-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/1796-24-0x0000000000980000-0x0000000000A01000-memory.dmp

Filesize
516KB

Download
memory/1796-38-0x0000000003350000-0x00000000033E9000-memory.dmp

Filesize
612KB

Download
memory/1796-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1796-41-0x0000000000980000-0x0000000000A01000-memory.dmp

Filesize
516KB

Download
memory/1796-11-0x0000000000980000-0x0000000000A01000-memory.dmp

Filesize
516KB

Download
memory/1796-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2064-0-0x0000000001020000-0x00000000010A1000-memory.dmp

Filesize
516KB

Download
memory/2064-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2064-9-0x00000000025B0000-0x0000000002631000-memory.dmp

Filesize
516KB

Download
memory/2064-21-0x0000000001020000-0x00000000010A1000-memory.dmp

Filesize
516KB

Download