urelas | 89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe
Size

592KB
MD5

16acf12d33e939e05ff7d58ea575ed07
SHA1

1b8eab1affb80af01998ee11509c55191f8ca12b
SHA256

89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6
SHA512

5b1f0f6a875e3a961e2ae3bf287acbda92259ff781feab39f0a3e8891f648a960f121a6499aa042396e9203cf9ecc2ebbfea384f368a583efa25dcf53018aad0
SSDEEP

6144:CZKHKSIl0SatLPTUrjBpAs/mpYIqaaUN44Iq766ztAkOHn0LHZRP:C4jm0Sat7Az/gZvTIq2WKkw0FN

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2896	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

raogt.exebelyu.exe

pid	Process
1956	raogt.exe
2640	belyu.exe

Loads dropped DLL 3 IoCs

Processes:

89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exeraogt.exe

pid	Process
1352	89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe
1956	raogt.exe
1956	raogt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

belyu.exe89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exeraogt.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	belyu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raogt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

belyu.exe

pid	Process
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe
2640	belyu.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exeraogt.exe

description	pid	Process	procid_target
PID 1352 wrote to memory of 1956	1352	89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe	30
PID 1352 wrote to memory of 1956	1352	89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe	30
PID 1352 wrote to memory of 1956	1352	89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe	30
PID 1352 wrote to memory of 1956	1352	89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe	30
PID 1352 wrote to memory of 2896	1352	89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe	31
PID 1352 wrote to memory of 2896	1352	89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe	31
PID 1352 wrote to memory of 2896	1352	89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe	31
PID 1352 wrote to memory of 2896	1352	89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe	31
PID 1956 wrote to memory of 2640	1956	raogt.exe	34
PID 1956 wrote to memory of 2640	1956	raogt.exe	34
PID 1956 wrote to memory of 2640	1956	raogt.exe	34
PID 1956 wrote to memory of 2640	1956	raogt.exe	34

C:\Users\Admin\AppData\Local\Temp\89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe
"C:\Users\Admin\AppData\Local\Temp\89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\raogt.exe
  "C:\Users\Admin\AppData\Local\Temp\raogt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\belyu.exe
    "C:\Users\Admin\AppData\Local\Temp\belyu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
14cb2d56339f549aec3e7a9fac4f0eaf

SHA1
24c7ec553e4aa243be3047329cd58cb19188b0da

SHA256
9de7171d88e19cb3214b389c926ced7fdea69b5056b80bbccb27f3835b7c70ed

SHA512
8c858747dcf7a173e7165578e25255f6633f9096f095ad34c13344d9b85d7586c2b40664d5a30979ca10876f9abe590559cc601a1d1e6c8044eeab390bbdb766

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bc019d19a9e8a94590d8c38091465ab7

SHA1
4813cc5654993c843a52c0dbfe834538bd52a028

SHA256
d59f0891c95042173f52aa49fb1732c3b1d9493c1626797a277b264132f8a8e2

SHA512
c668a8430fb7c1faaf978683838d4f4138d3ed6b9d6cac54debc9d6dab172913ffda9c1d002da72f6c3a3a3903d2f3dc31a62e10e492d4f8299f3af08737347f

Download Submit
C:\Users\Admin\AppData\Local\Temp\raogt.exe

Filesize
592KB

MD5
21b805e0f122433a31b5842ef9e3a407

SHA1
237b213c32dfc599f1483e3c85e755d5e6f953db

SHA256
d107fd4da73f9c539d2ceaaf11d015a882f07e72fcb1ac5875c18840252418fd

SHA512
f4eddcd4b6f3709f733fa7f13e59cdb55d038f4690127dcdaff887013643d755b48f728beca93f4e97f919036a6ecd07029b099b4a4a3b962af99349a3d33cfb

Download Submit
\Users\Admin\AppData\Local\Temp\belyu.exe

Filesize
323KB

MD5
4754e61de6897925b2515f787dea9ef1

SHA1
08afe86266e0da24b7722bc8c5b118973e982527

SHA256
4244de655a630170c279dbc7d783649ba1a7df1ab8611cd48fbc4dc86cce5cbf

SHA512
c720078afe700c235c3eb448d76bf891d881a32bf93a369550fe90df73913e8e4ffbdb658688566f261424b3647771c23bfa425b7b948388f5471c422515ebd5

Download Submit
\Users\Admin\AppData\Local\Temp\raogt.exe

Filesize
592KB

MD5
16c2bbdf6493dac39610f07c60d32e99

SHA1
82c0c552beed7ed539e97461dcdc3e0568926c9e

SHA256
51ca4faf9e9f0d14d1d25c54648d195603abf14a8f665d3e13690b6ce6a4a53c

SHA512
f07098b304dca0bd3a54675a07e71adbcc36b1787776f8905f661553f343e2573b3392a1136a32008066b0c357506946ec5fbb6621a3494c62e5341f6b07a099

Download Submit
memory/1352-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1956-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1956-24-0x0000000003D50000-0x0000000003DE7000-memory.dmp

Filesize
604KB

Download
memory/2640-30-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2640-31-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2640-34-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2640-33-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2640-35-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2640-36-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2640-37-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2640-38-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download