urelas | 28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-11-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe
Size

329KB
MD5

7e785f9f8b569204008edd4f0d9839c3
SHA1

daaef1ae66676b19ee118dca0e998d5557d3f30f
SHA256

28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62
SHA512

1f370081d8ddfbb44211087946c74a4d58a5814feb7bdedb3f31d39205106922c255b2150d00653c5116b04cbe25a8636ab04de9a9cccbf407ba8cffcc52a849
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOR:vHW138/iXWlK885rKlGSekcj66cii

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2260	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2088	qysyc.exe
2672	fyrir.exe

Loads dropped DLL 2 IoCs

pid	Process
2092	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe
2088	qysyc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qysyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fyrir.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe
2672	fyrir.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2088	2092	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe	30
PID 2092 wrote to memory of 2088	2092	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe	30
PID 2092 wrote to memory of 2088	2092	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe	30
PID 2092 wrote to memory of 2088	2092	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe	30
PID 2092 wrote to memory of 2260	2092	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe	31
PID 2092 wrote to memory of 2260	2092	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe	31
PID 2092 wrote to memory of 2260	2092	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe	31
PID 2092 wrote to memory of 2260	2092	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe	31
PID 2088 wrote to memory of 2672	2088	qysyc.exe	34
PID 2088 wrote to memory of 2672	2088	qysyc.exe	34
PID 2088 wrote to memory of 2672	2088	qysyc.exe	34
PID 2088 wrote to memory of 2672	2088	qysyc.exe	34

C:\Users\Admin\AppData\Local\Temp\28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe
"C:\Users\Admin\AppData\Local\Temp\28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\qysyc.exe
  "C:\Users\Admin\AppData\Local\Temp\qysyc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\fyrir.exe
    "C:\Users\Admin\AppData\Local\Temp\fyrir.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
559343e429ba4ff497d5d33e6114f5ea

SHA1
0417c432be9e15544b2ab06c65c34160bcf78e21

SHA256
6b8561a4d1330263ab8cd9254adf5fd88b211eb9f95dca7cd3a82cac45a65645

SHA512
c40cdcda24500fddd0515f7c50a0dab44da5ceb7ca4601dd4b8336ed79ffec3708583ee5dce5b3a5954e8e68de9ce032fdd23a8235dc6a4334d470f120102ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ac28d7d8dfdc4b837f35ba86f17b8d50

SHA1
dd90f6159d0af26265c97b6cfcbefde05f8d5e3a

SHA256
4c1e28727c70b3ab01ae2e2bab22538c8f7566a3933232a470af067248720dd1

SHA512
c0a072efb4e6bc15fb4e97ecd03a67d767721e650fbee48e1a44c8c248094c53b7d3305b8f078b37020e349bc8886049699b8ffa3cb271d663f940b2a68bb4f1

Download Submit
\Users\Admin\AppData\Local\Temp\fyrir.exe

Filesize
172KB

MD5
0b52355ad1dd9327cadeedf819a09bcd

SHA1
c9ee6c4c09883fbde20b680b7756062099498042

SHA256
405f2c7480d9e5bf56b9784d7ca3a8e8b8cad097a4a259fdc037fb23c13fd0cf

SHA512
f1c63ee5b9b653070e23ca839f9524b184ff7194a7717a9ca4f047e42cd71906ba30d7f2ce92185b1cb273fe02cc555a1272961a15379ec784ddac2182b9e8bf

Download Submit
\Users\Admin\AppData\Local\Temp\qysyc.exe

Filesize
329KB

MD5
5ea4eca0a8641c611045edd88a294e33

SHA1
141f4a5e20568581ae7d166ea8cdef9bf6405576

SHA256
815f782249f583e338d2eb15a3f5ca325fc7f7fc76bb02161de9b37b45599ea7

SHA512
f167f64eea1550667deaf250ca315a97d9b339cbcca7bebb9cefd437577ee3f5973f17b1fbb97bb4b5a8744b455ba0b059c927c8eb3796a11d6cddebe4f319b0

Download Submit
memory/2088-23-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download
memory/2088-41-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download
memory/2088-18-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download
memory/2088-37-0x0000000003400000-0x0000000003499000-memory.dmp

Filesize
612KB

Download
memory/2088-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2088-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2092-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2092-0-0x0000000001290000-0x0000000001311000-memory.dmp

Filesize
516KB

Download
memory/2092-20-0x0000000001290000-0x0000000001311000-memory.dmp

Filesize
516KB

Download
memory/2092-17-0x0000000001040000-0x00000000010C1000-memory.dmp

Filesize
516KB

Download
memory/2672-43-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/2672-42-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/2672-47-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/2672-48-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/2672-49-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/2672-50-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/2672-51-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download