urelas | 36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe
Size

448KB
MD5

e6cdc9ca05f7d0d63b9a2e4547905566
SHA1

65ae2b56ed18ebb0d9454b768a49829d8298d72c
SHA256

36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c
SHA512

e2a1d3d93c5ba639b3e56d2094f1b3eb84f5506a4ced2383735b28a658b75cf542bae675d21b2ba40bf2e66aa4a96c08fff2f698647998c77cdb7c8d436780a3
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFTF:CMpASIcWYx2U6hAJQnw

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1028	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
624	sucux.exe
2436	zizaqu.exe
2604	bogud.exe

Loads dropped DLL 3 IoCs

pid	Process
1728	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe
624	sucux.exe
2436	zizaqu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bogud.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sucux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zizaqu.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe
2604	bogud.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 624	1728	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe	31
PID 1728 wrote to memory of 624	1728	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe	31
PID 1728 wrote to memory of 624	1728	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe	31
PID 1728 wrote to memory of 624	1728	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe	31
PID 1728 wrote to memory of 1028	1728	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe	32
PID 1728 wrote to memory of 1028	1728	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe	32
PID 1728 wrote to memory of 1028	1728	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe	32
PID 1728 wrote to memory of 1028	1728	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe	32
PID 624 wrote to memory of 2436	624	sucux.exe	34
PID 624 wrote to memory of 2436	624	sucux.exe	34
PID 624 wrote to memory of 2436	624	sucux.exe	34
PID 624 wrote to memory of 2436	624	sucux.exe	34
PID 2436 wrote to memory of 2604	2436	zizaqu.exe	36
PID 2436 wrote to memory of 2604	2436	zizaqu.exe	36
PID 2436 wrote to memory of 2604	2436	zizaqu.exe	36
PID 2436 wrote to memory of 2604	2436	zizaqu.exe	36
PID 2436 wrote to memory of 1692	2436	zizaqu.exe	37
PID 2436 wrote to memory of 1692	2436	zizaqu.exe	37
PID 2436 wrote to memory of 1692	2436	zizaqu.exe	37
PID 2436 wrote to memory of 1692	2436	zizaqu.exe	37

C:\Users\Admin\AppData\Local\Temp\36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe
"C:\Users\Admin\AppData\Local\Temp\36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\sucux.exe
  "C:\Users\Admin\AppData\Local\Temp\sucux.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\zizaqu.exe
    "C:\Users\Admin\AppData\Local\Temp\zizaqu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\bogud.exe
      "C:\Users\Admin\AppData\Local\Temp\bogud.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
5560d0df9d27572bb943cbc5841221f8

SHA1
14e8272fa2246456d0809f04b0aadfb1ac0562cb

SHA256
f67c5e3f45e2f3957c44d029307e0f2be00997f4183682d8df7d85433b5c4180

SHA512
26dc90180dea24edb0369496ebb2b878714ed5d42a244d3cd8a0b55178e592c3357dd10c9d10359cfd492a1151b3ea45a8e9c926daea8be4f25551f75dfc31bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
4beca41eb2655dfff536fb13a801f882

SHA1
e22195a9b9fc0bbd5cb7c7686421113cddd2a9ee

SHA256
f71263249e41d5eaf29648040c302ec5e5306a0837f031af0f6db6691a22e060

SHA512
4c877257d8fb922a1cafde80f701e5e296aa6f9e2ce45e162fb97f49c43d6a57cb85224dcea01b90cde66897ab5c8571e06f78c29b9a08ad6ffff34057e69214

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1cbb4a0baf6cf7a4f49f8963525b435b

SHA1
0ad208ec8b7447d6cdc8219e3a2a262e64f0b30b

SHA256
7de3ee31de0ae3049ca93518632efb8e85ab7fa9d0a96735bfdfc31e602d841d

SHA512
2476dc3fbe0c002f04a188acbda1d7f7052d508ee58bcac79ef903a3c76e6365ab45531e2e7986f86e01a08e537d9ca3f89e0f8eb8948d421f75e82fc6d46276

Download Submit
C:\Users\Admin\AppData\Local\Temp\zizaqu.exe

Filesize
449KB

MD5
923b7ac23def2526b41993e7c185ac19

SHA1
1908298f4a36cc92b455d9e6a363fdde712dc0a6

SHA256
faa9f4d735c918de4f2c84b628fb9ff7410cd80febad82186ed10cca4c7aff02

SHA512
7cacedcbb46eb46fdf77b941196d85376aa762f7a466bf60120051bcf8efeb561fcf33c2cac07bf0c8b4e92f3df09dea9180861914ff6c421f78abb0143ef632

Download Submit
\Users\Admin\AppData\Local\Temp\bogud.exe

Filesize
223KB

MD5
1e331457bf0f45665215b89944bc9ef7

SHA1
87c2ddabed78fa639d640a10c2e782ade7deaaca

SHA256
801ca2982c022762f7561b173edd82e518b5ed590037150bbbd276b91acaf394

SHA512
9b8a44b86d2639e49921c6542290f8469fd2c5a1a845c98a2b4727628bb23082a6001a9c124670698f4b77372261b401501dfa90ebc929ef787a7523947bbf1f

Download Submit
\Users\Admin\AppData\Local\Temp\sucux.exe

Filesize
448KB

MD5
2ce363534f4f2b85c680189525bc6780

SHA1
b0cad2432f62b6b1ce6b1d87ab0e85fe67278054

SHA256
6d568f29d1d4960687471645b90b77aa6598d0f93af02e4016ca7f00e41a4c2c

SHA512
51265174b73e4fcd546d4ab16d5649e42ae8cccd29e3ecf6940ece791bb77636743f55d3f3295aa417ea08ca761e1675ec0bcd4b099568b75b0a0181e48708d7

Download Submit
memory/624-12-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/624-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/624-26-0x0000000003670000-0x00000000036DE000-memory.dmp

Filesize
440KB

Download
memory/1728-8-0x00000000006D0000-0x000000000073E000-memory.dmp

Filesize
440KB

Download
memory/1728-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1728-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2436-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2436-47-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2436-37-0x0000000003EB0000-0x0000000003F50000-memory.dmp

Filesize
640KB

Download
memory/2604-39-0x00000000002C0000-0x0000000000360000-memory.dmp

Filesize
640KB

Download
memory/2604-51-0x00000000002C0000-0x0000000000360000-memory.dmp

Filesize
640KB

Download
memory/2604-52-0x00000000002C0000-0x0000000000360000-memory.dmp

Filesize
640KB

Download
memory/2604-53-0x00000000002C0000-0x0000000000360000-memory.dmp

Filesize
640KB

Download
memory/2604-54-0x00000000002C0000-0x0000000000360000-memory.dmp

Filesize
640KB

Download
memory/2604-55-0x00000000002C0000-0x0000000000360000-memory.dmp

Filesize
640KB

Download