urelas | 60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe
Size

327KB
MD5

211974cb67a1ada8a164b7bd3529b0fc
SHA1

c2ce238eb3905d86339cc05ba995c28ee027de87
SHA256

60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae
SHA512

ad75fb7d6d998dd0b535c02e3067e0e21289a7c8e328c27d8329e2c31e3fc8739a8a27ee0e9cc2139da9a1d1115c668de77fcfff5f6988084f503fb7187b0271
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYn:vHW138/iXWlK885rKlGSekcj66ciu

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2664	lafob.exe
2824	hyfie.exe

Loads dropped DLL 2 IoCs

pid	Process
2728	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe
2664	lafob.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lafob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hyfie.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe
2824	hyfie.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2664	2728	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe	30
PID 2728 wrote to memory of 2664	2728	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe	30
PID 2728 wrote to memory of 2664	2728	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe	30
PID 2728 wrote to memory of 2664	2728	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe	30
PID 2728 wrote to memory of 2804	2728	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe	31
PID 2728 wrote to memory of 2804	2728	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe	31
PID 2728 wrote to memory of 2804	2728	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe	31
PID 2728 wrote to memory of 2804	2728	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe	31
PID 2664 wrote to memory of 2824	2664	lafob.exe	34
PID 2664 wrote to memory of 2824	2664	lafob.exe	34
PID 2664 wrote to memory of 2824	2664	lafob.exe	34
PID 2664 wrote to memory of 2824	2664	lafob.exe	34

C:\Users\Admin\AppData\Local\Temp\60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe
"C:\Users\Admin\AppData\Local\Temp\60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\lafob.exe
  "C:\Users\Admin\AppData\Local\Temp\lafob.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\hyfie.exe
    "C:\Users\Admin\AppData\Local\Temp\hyfie.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
d25a635a53142e2971e71acce13bcaa9

SHA1
22728a460175607a8f611ba21e6fe7501177ef3e

SHA256
d528732a39e62f4d98641fea8b15ae32a49dfcee78fbcfeea6d872ca07d7cfc5

SHA512
7c26ad1f319559c1c261eb808aa1faf1a103b4a02b21595ba311380c5d2f3ce12e3c3a1499e7d6fe36bebd0573eec3897f8faa1d52191475ed6604fd30c1d5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
20d1384f7929edd13b02168d3f6fc06d

SHA1
73cd811fa87f41dc1edd9f57ffaed30a97c9779f

SHA256
ecce1f8b9135e9e618092bd094f4eab3b025d3da88f7f5e49747abcd2867d7f3

SHA512
d697109aa5bc7be587d0012021d0c41cead5d201716c763b1d8e748a100cf9395acf91329ee8dd13f750d46a43391c66d2f85664d5eca1c4f871a77bf0560e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\lafob.exe

Filesize
327KB

MD5
fe9a46d79a23a85ccaff77de2f117ed3

SHA1
066b08f696b2dd14c95b1cf94d91f7492883df90

SHA256
b69f36923bc7a3a748c746342972738ca0e5fc87be78126c321b18cfa30297fe

SHA512
72dd5d474133448e2605bc3dfe82ad4081af1ea7f2099b599089f8be6d46c3df59fd949fcc4992afb6dad7b5f4ca94f37dca8ba9a365b77b8d5b40b7d496518c

Download Submit
\Users\Admin\AppData\Local\Temp\hyfie.exe

Filesize
172KB

MD5
c91d32bccbdb5a0b278d8c676f45b25c

SHA1
90a66e10c157931f905c0d4906669179d8a43e55

SHA256
97f0d62a0f5ef0d339794ae03218af5bf5cd6b50cafaf91adcaf0f0f3f937c0b

SHA512
cbfb5d36588c2f1237807c3093b1207602dcc8b015e0f9bd2d26fbce8a7e1c24d926db8494c1b8ebaa1bcd3f3a419d1e8c88bab8d96e3e1a0f59d5b69574182c

Download Submit
\Users\Admin\AppData\Local\Temp\lafob.exe

Filesize
327KB

MD5
1614ec785e38ac08d0b0ac47f967533b

SHA1
ff8b61ccd8fe847091559cfb5c0a07c19d61be74

SHA256
16cc66f411b15e73cfe6c731b11f132f0236b4d171decf3a48deb41c41fac7f1

SHA512
377d58f99059637336d5ab670df226bff28b51ae20fd7b13e10aac3c531090c72c795ad0352eabea0778e61fb8d29c793a64312812c9b712e4f11fec79e95316

Download Submit
memory/2664-25-0x0000000000180000-0x0000000000201000-memory.dmp

Filesize
516KB

Download
memory/2664-41-0x0000000000180000-0x0000000000201000-memory.dmp

Filesize
516KB

Download
memory/2664-12-0x0000000000180000-0x0000000000201000-memory.dmp

Filesize
516KB

Download
memory/2664-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2664-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2728-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2728-21-0x0000000000FE0000-0x0000000001061000-memory.dmp

Filesize
516KB

Download
memory/2728-10-0x0000000002990000-0x0000000002A11000-memory.dmp

Filesize
516KB

Download
memory/2728-0-0x0000000000FE0000-0x0000000001061000-memory.dmp

Filesize
516KB

Download
memory/2824-43-0x0000000000CA0000-0x0000000000D39000-memory.dmp

Filesize
612KB

Download
memory/2824-42-0x0000000000CA0000-0x0000000000D39000-memory.dmp

Filesize
612KB

Download
memory/2824-48-0x0000000000CA0000-0x0000000000D39000-memory.dmp

Filesize
612KB

Download
memory/2824-49-0x0000000000CA0000-0x0000000000D39000-memory.dmp

Filesize
612KB

Download
memory/2824-50-0x0000000000CA0000-0x0000000000D39000-memory.dmp

Filesize
612KB

Download
memory/2824-51-0x0000000000CA0000-0x0000000000D39000-memory.dmp

Filesize
612KB

Download
memory/2824-52-0x0000000000CA0000-0x0000000000D39000-memory.dmp

Filesize
612KB

Download