urelas | 8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038

Analysis

max time kernel
149s
max time network
79s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe
Size

331KB
MD5

9f78b4660bf589e6368eca545febc800
SHA1

edb884285f8a54ac6ba85d3e7204b3425e1eadfb
SHA256

8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038
SHA512

aad9405ef2f393d6ab62e0e09c97d1cd2a27fb1ed028a4dc154c2403529d6fce8a5f1a8acad7acb3aaff9ceb5dfe021bea27d4042269fb7c0b6604fbe99222e2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVJG:vHW138/iXWlK885rKlGSekcj66ciEQ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2776	cyejw.exe
2924	rioli.exe

Loads dropped DLL 2 IoCs

pid	Process
2332	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe
2776	cyejw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyejw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rioli.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe
2924	rioli.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2776	2332	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	30
PID 2332 wrote to memory of 2776	2332	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	30
PID 2332 wrote to memory of 2776	2332	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	30
PID 2332 wrote to memory of 2776	2332	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	30
PID 2332 wrote to memory of 2968	2332	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	31
PID 2332 wrote to memory of 2968	2332	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	31
PID 2332 wrote to memory of 2968	2332	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	31
PID 2332 wrote to memory of 2968	2332	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	31
PID 2776 wrote to memory of 2924	2776	cyejw.exe	33
PID 2776 wrote to memory of 2924	2776	cyejw.exe	33
PID 2776 wrote to memory of 2924	2776	cyejw.exe	33
PID 2776 wrote to memory of 2924	2776	cyejw.exe	33

C:\Users\Admin\AppData\Local\Temp\8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe
"C:\Users\Admin\AppData\Local\Temp\8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\cyejw.exe
  "C:\Users\Admin\AppData\Local\Temp\cyejw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\rioli.exe
    "C:\Users\Admin\AppData\Local\Temp\rioli.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
cce5db9a9c3927a00964efd0d09ee9fb

SHA1
2ecbcdb5b55724f97823b0585acb44c5d45afd24

SHA256
5a7d5053843c15912e8092a229ab9243d7859c365454769b3a7203fc1c45ce29

SHA512
17c1da65199112e71fea987b160560836348d55e401706195ac958d5a2994b19900aaa8d13895f2601bc76c05dd610fd7659be5a8eadbb760f3c9f42b7a52f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e38b162ef6d2cd1b3aa64ec7a2445586

SHA1
2618865bf7fe595469c5d9fc200e2443d682bcca

SHA256
e16ca4a9c5b923269f485c0cbaa32ff31975927c09485a2ac4f071592ce890ca

SHA512
ca4d86fcb079996dcf3202d71ed15de4b9d682ab442eb18a43558b9c93519affa7d08a5b3ac98825c54b9733002dbac47d9b7cd8a85f7254f941571c1689ad69

Download Submit
\Users\Admin\AppData\Local\Temp\cyejw.exe

Filesize
331KB

MD5
10862489c14e0490b52c8f7c6652d772

SHA1
83eec3d7c8e525d4db685a0f0b2791453a2057cb

SHA256
1f60e80526b9d853c3874369d5e5c82f040fdfad97183deabb2acbaa8402570b

SHA512
0a93294dcd965a1a37a278d5b29d06eb595f25024f7f2a09ba9862c9df6177feb18a70d0ebf405ee385bb754cdbd041a01781ab3eaa2fe0960794c96f0ee25ed

Download Submit
\Users\Admin\AppData\Local\Temp\rioli.exe

Filesize
172KB

MD5
e43afd2da25b2eabc751051b37b72dae

SHA1
316e2997a2b5f534ea0df2a9882e0c5227c27803

SHA256
d1344e3fdecb33932ebcf12f809cc75383324e8519a08b07f1fd5fe3e82f1ee2

SHA512
6b04d24faf432e7fffe4d7591ad381ccd1e662d964be5b78633776ae52832811ef9b92ca000b4905604d23514bda9a7e8219958a1bbe816a9e986e6cb27dae55

Download Submit
memory/2332-9-0x00000000010A0000-0x0000000001121000-memory.dmp

Filesize
516KB

Download
memory/2332-19-0x00000000011A0000-0x0000000001221000-memory.dmp

Filesize
516KB

Download
memory/2332-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2332-0-0x00000000011A0000-0x0000000001221000-memory.dmp

Filesize
516KB

Download
memory/2776-40-0x0000000000A50000-0x0000000000AD1000-memory.dmp

Filesize
516KB

Download
memory/2776-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2776-23-0x0000000000A50000-0x0000000000AD1000-memory.dmp

Filesize
516KB

Download
memory/2776-35-0x00000000036D0000-0x0000000003769000-memory.dmp

Filesize
612KB

Download
memory/2776-17-0x0000000000A50000-0x0000000000AD1000-memory.dmp

Filesize
516KB

Download
memory/2924-42-0x00000000000D0000-0x0000000000169000-memory.dmp

Filesize
612KB

Download
memory/2924-41-0x00000000000D0000-0x0000000000169000-memory.dmp

Filesize
612KB

Download
memory/2924-46-0x00000000000D0000-0x0000000000169000-memory.dmp

Filesize
612KB

Download
memory/2924-47-0x00000000000D0000-0x0000000000169000-memory.dmp

Filesize
612KB

Download
memory/2924-48-0x00000000000D0000-0x0000000000169000-memory.dmp

Filesize
612KB

Download
memory/2924-49-0x00000000000D0000-0x0000000000169000-memory.dmp

Filesize
612KB

Download
memory/2924-50-0x00000000000D0000-0x0000000000169000-memory.dmp

Filesize
612KB

Download