urelas | fd92d9fd78bf724c048480a7578e8d4bb6ff73465865b4336d6f75d2f7da38da

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd92d9fd78bf724c048480a7578e8d4bb6ff73465865b4336d6f75d2f7da38da.exe
Size

326KB
MD5

db3ef99e9fb2072690240efd726fafd5
SHA1

6995f9f7d27d7485c13a781e12466b4dd258d58c
SHA256

fd92d9fd78bf724c048480a7578e8d4bb6ff73465865b4336d6f75d2f7da38da
SHA512

1af6e04d2128b3b5d4ac089e4519de22a9e3da3f08c05376678c16bf960a7c8d1aa866bf0ea81e6d5a00e1c806363b0392d3f74173865b4c67cfa84255d64477
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYO:vHW138/iXWlK885rKlGSekcj66ciP

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3028	ceqie.exe
2328	bucat.exe

Loads dropped DLL 2 IoCs

pid	Process
2104	fd92d9fd78bf724c048480a7578e8d4bb6ff73465865b4336d6f75d2f7da38da.exe
3028	ceqie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bucat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd92d9fd78bf724c048480a7578e8d4bb6ff73465865b4336d6f75d2f7da38da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ceqie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe
2328	bucat.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 3028	2104	fd92d9fd78bf724c048480a7578e8d4bb6ff73465865b4336d6f75d2f7da38da.exe	31
PID 2104 wrote to memory of 3028	2104	fd92d9fd78bf724c048480a7578e8d4bb6ff73465865b4336d6f75d2f7da38da.exe	31
PID 2104 wrote to memory of 3028	2104	fd92d9fd78bf724c048480a7578e8d4bb6ff73465865b4336d6f75d2f7da38da.exe	31
PID 2104 wrote to memory of 3028	2104	fd92d9fd78bf724c048480a7578e8d4bb6ff73465865b4336d6f75d2f7da38da.exe	31
PID 2104 wrote to memory of 2780	2104	fd92d9fd78bf724c048480a7578e8d4bb6ff73465865b4336d6f75d2f7da38da.exe	32
PID 2104 wrote to memory of 2780	2104	fd92d9fd78bf724c048480a7578e8d4bb6ff73465865b4336d6f75d2f7da38da.exe	32
PID 2104 wrote to memory of 2780	2104	fd92d9fd78bf724c048480a7578e8d4bb6ff73465865b4336d6f75d2f7da38da.exe	32
PID 2104 wrote to memory of 2780	2104	fd92d9fd78bf724c048480a7578e8d4bb6ff73465865b4336d6f75d2f7da38da.exe	32
PID 3028 wrote to memory of 2328	3028	ceqie.exe	34
PID 3028 wrote to memory of 2328	3028	ceqie.exe	34
PID 3028 wrote to memory of 2328	3028	ceqie.exe	34
PID 3028 wrote to memory of 2328	3028	ceqie.exe	34

C:\Users\Admin\AppData\Local\Temp\fd92d9fd78bf724c048480a7578e8d4bb6ff73465865b4336d6f75d2f7da38da.exe
"C:\Users\Admin\AppData\Local\Temp\fd92d9fd78bf724c048480a7578e8d4bb6ff73465865b4336d6f75d2f7da38da.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\ceqie.exe
  "C:\Users\Admin\AppData\Local\Temp\ceqie.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\bucat.exe
    "C:\Users\Admin\AppData\Local\Temp\bucat.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
589afcdf046a6c05693d6221cb1d8e92

SHA1
efe4c3b97e770255ccf600881bdc1a2dac5a1b1d

SHA256
1f4e709fb783dfb83f58fb98bd7db82f27513a4e0d3c5088d051cc28ab0676cb

SHA512
b19c9878ed0ae19f9d351946c7ff48fbf429bb0f869a4a1f35918ad61b3509b398b1c74d203f42f2b990768e4bec1746430ec8514d990d7f6393b011f694c49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0f19531d6c980b4ca6121ec9146cd7bf

SHA1
40fef1595bf849ed7036490391830ea27686d5eb

SHA256
be24849b6385541f7f29cc7e70f860f68a9f5ba98ac515a70e1fed914b21d74a

SHA512
4c06e75ac1d3f0cdcf926d2a936817ea35ec3eda88e29330ac1f7a37e2e96e72ac06aff1f7df9a6cc4e04d431127ab2804ccbf902e041fa7b117f0bb87a9f72b

Download Submit
\Users\Admin\AppData\Local\Temp\bucat.exe

Filesize
172KB

MD5
049ae741a11d1fa271193484dbec8fb9

SHA1
c4de01b85245f54448805e934d79b1d25c695352

SHA256
1a7442e52f3efc2e5f08e8d7bdfc6e0509d6879e29e68a5b052eedbc410a91d6

SHA512
79067817f8d94f7d1fbb415d2b1759be33f1ce5569609c8244ef97da0c2411b348f5bbef6bbf4fee7ecec1f27b488eb5ccbcfb1c208a5c1fde52c6e31b8ced39

Download Submit
\Users\Admin\AppData\Local\Temp\ceqie.exe

Filesize
326KB

MD5
da5838428b2a5d82a0f25d93219a5d7a

SHA1
cac7d31ae600d88bcae70fdb9ebd27a9e20e435c

SHA256
18bf9823cc9a6672110a0e33a537a069b37c6376dff571b943361f3369d9fb52

SHA512
290d02e449cc52e24fc02d4e62f403a0e7680408a6d20fb4622e6a02d490d145eb3050c31d64512c137066a225d4752bf6c6f4df66895738f0a64a2f313757f7

Download Submit
memory/2104-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2104-21-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/2104-10-0x00000000026E0000-0x0000000002761000-memory.dmp

Filesize
516KB

Download
memory/2104-0-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/2328-51-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/2328-47-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/2328-50-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/2328-49-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/2328-42-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/2328-48-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/2328-43-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/3028-11-0x0000000000B10000-0x0000000000B91000-memory.dmp

Filesize
516KB

Download
memory/3028-40-0x0000000000B10000-0x0000000000B91000-memory.dmp

Filesize
516KB

Download
memory/3028-24-0x0000000000B10000-0x0000000000B91000-memory.dmp

Filesize
516KB

Download
memory/3028-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3028-13-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download