urelas | a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
Size

335KB
MD5

32b6decf1f8f55af9dc2a48997ebf910
SHA1

b19a9b5476ec7afa01a63083dea8961119652928
SHA256

a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482
SHA512

d2a82fae0b0621190260475b39f2d040cee0c25f302f5a4f60c164accfdad26d07b8df1cf408588f93769a1b56d12aa167200ef9880795794dd6d669ba14dced
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66ciA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2204	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2344	jukuc.exe
1820	izfoh.exe

Loads dropped DLL 2 IoCs

pid	Process
3040	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
2344	jukuc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jukuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	izfoh.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe
1820	izfoh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2344	3040	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	30
PID 3040 wrote to memory of 2344	3040	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	30
PID 3040 wrote to memory of 2344	3040	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	30
PID 3040 wrote to memory of 2344	3040	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	30
PID 3040 wrote to memory of 2204	3040	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	31
PID 3040 wrote to memory of 2204	3040	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	31
PID 3040 wrote to memory of 2204	3040	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	31
PID 3040 wrote to memory of 2204	3040	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	31
PID 2344 wrote to memory of 1820	2344	jukuc.exe	34
PID 2344 wrote to memory of 1820	2344	jukuc.exe	34
PID 2344 wrote to memory of 1820	2344	jukuc.exe	34
PID 2344 wrote to memory of 1820	2344	jukuc.exe	34

C:\Users\Admin\AppData\Local\Temp\a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
"C:\Users\Admin\AppData\Local\Temp\a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\jukuc.exe
  "C:\Users\Admin\AppData\Local\Temp\jukuc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\izfoh.exe
    "C:\Users\Admin\AppData\Local\Temp\izfoh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
9a048aa325b4689fdcfd1e04de51f69b

SHA1
5072d2a39083b15bceb55a02483f35eda0ad9150

SHA256
e99675057f0b5161be35b2ee5baf34c89f00962c77ab2307860014e46e890727

SHA512
5e66b9da190a61c7814fc2961f6135a15a53a975fb2fef3cd1957cbd9541c4b8acaf37bd0ef479e7be898813460692a02c4618d8de699a166365e11b15d3ac8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a6f0d474f8af69abccabe1ddae8234df

SHA1
35d0be7646820aabf00cfc60c984813843b1bca1

SHA256
7e94767a8d35ad3cf7946bb406785378789d5644b75438bbe19e6a60b1f87791

SHA512
673a3925ee1e714d1b6eb3de3bdd6184ac01f9e57f00ccea8454abedb26f6f8e814c7af631bcee1026987559e2d1648b3444bd443b987bf6e56f5ad2db469431

Download Submit
C:\Users\Admin\AppData\Local\Temp\izfoh.exe

Filesize
172KB

MD5
049ae741a11d1fa271193484dbec8fb9

SHA1
c4de01b85245f54448805e934d79b1d25c695352

SHA256
1a7442e52f3efc2e5f08e8d7bdfc6e0509d6879e29e68a5b052eedbc410a91d6

SHA512
79067817f8d94f7d1fbb415d2b1759be33f1ce5569609c8244ef97da0c2411b348f5bbef6bbf4fee7ecec1f27b488eb5ccbcfb1c208a5c1fde52c6e31b8ced39

Download Submit
\Users\Admin\AppData\Local\Temp\jukuc.exe

Filesize
335KB

MD5
271fd9befd1bac5dc77ed26e4ac5db6c

SHA1
e903ed008d45d039c04513ca4e6279679d3c8d61

SHA256
750d6011fec904a8772a554cf56f41f90ab89c43a22bfc84c4cbd215a9e1beb1

SHA512
d5b0a392904930ed49998dcd9dc331cde415a016572da6debbaa96246755f7f89b2d29dc5553f0f6b2c1c25727e6cbd70c3e072421e820ffc3d4a96ac2594295

Download Submit
memory/1820-51-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/1820-50-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/1820-49-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/1820-48-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/1820-47-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/1820-42-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/1820-43-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/2344-11-0x0000000000170000-0x00000000001F1000-memory.dmp

Filesize
516KB

Download
memory/2344-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2344-24-0x0000000000170000-0x00000000001F1000-memory.dmp

Filesize
516KB

Download
memory/2344-41-0x0000000000170000-0x00000000001F1000-memory.dmp

Filesize
516KB

Download
memory/2344-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3040-20-0x0000000000A80000-0x0000000000B01000-memory.dmp

Filesize
516KB

Download
memory/3040-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3040-10-0x0000000002490000-0x0000000002511000-memory.dmp

Filesize
516KB

Download
memory/3040-0-0x0000000000A80000-0x0000000000B01000-memory.dmp

Filesize
516KB

Download