urelas | cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe
Size

332KB
MD5

a483e212eee2562eaef4759e146545dd
SHA1

58bf3dc2c9c6bf219429752eecc5b79ffe64599e
SHA256

cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502
SHA512

2c38a5960a8f02785d4a016eb841f8ae3206416bcd1402e043075cd4151260a95363fc19cd63aa8eaa075ffa949ee471d895159119cc6836d2c7dbc233af34b7
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY0:vHW138/iXWlK885rKlGSekcj66ciJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2696	tuhaa.exe
2340	peyvo.exe

Loads dropped DLL 2 IoCs

pid	Process
3052	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe
2696	tuhaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tuhaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peyvo.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe
2340	peyvo.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2696	3052	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe	31
PID 3052 wrote to memory of 2696	3052	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe	31
PID 3052 wrote to memory of 2696	3052	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe	31
PID 3052 wrote to memory of 2696	3052	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe	31
PID 3052 wrote to memory of 2704	3052	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe	32
PID 3052 wrote to memory of 2704	3052	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe	32
PID 3052 wrote to memory of 2704	3052	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe	32
PID 3052 wrote to memory of 2704	3052	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe	32
PID 2696 wrote to memory of 2340	2696	tuhaa.exe	35
PID 2696 wrote to memory of 2340	2696	tuhaa.exe	35
PID 2696 wrote to memory of 2340	2696	tuhaa.exe	35
PID 2696 wrote to memory of 2340	2696	tuhaa.exe	35

C:\Users\Admin\AppData\Local\Temp\cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe
"C:\Users\Admin\AppData\Local\Temp\cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\tuhaa.exe
  "C:\Users\Admin\AppData\Local\Temp\tuhaa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\peyvo.exe
    "C:\Users\Admin\AppData\Local\Temp\peyvo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
05fad4023643934edb845cd4f0e35074

SHA1
af4bb724c2697da130488152475135de2aa24c4d

SHA256
17c5f570e988f0efa42e0be213fc971821ed9a18bbaab104ff8e885a189daab7

SHA512
28d0ded44e49d3dd1f81d30be3307259c9e3d9af44631ee0723dd73c323d1077b1da64e8f36768ee534c515aed51b47a1a5e1fd47af50878578faf4c53bee816

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8b8338d3c4ec500bc6c5c5f19fe6dae2

SHA1
a3ec6e2313bd89949fa6f3f15331002826c66d08

SHA256
f2a39d4a8dab191860b1561f127a0c8663ca76c20d0304e349d17ba761b8ca21

SHA512
72db3baee93750c8059a2d1f59b695e6664bad68846dfb99740acd6f399b19e8cc6aa46096659e37a038eeada20f342f83bc77c74475220369407aa3f906c9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\peyvo.exe

Filesize
172KB

MD5
b305864a487b03ca234e4ae4778dbe36

SHA1
0941cb67faafbdef2e34a4121812db5aa84c1e93

SHA256
d363cd8d25c0f2a7acbf72e05c5ac823e40973e4303f9f906ba9e2b4629ee35f

SHA512
18ed81b09d3ccb02a078a39c1c06f63456084788f9d5d68d753a806338d596e125e52f3ec57a68d45c0d803662fb68a73374f68c161474dc9b878be177d8835c

Download Submit
\Users\Admin\AppData\Local\Temp\tuhaa.exe

Filesize
332KB

MD5
92beb275e2cba9c2800a666b59be796a

SHA1
82331b40ce4bb22689896a7a71eded5c3a3c0aa2

SHA256
22b003c3b0e1c0d2e5835515a2e2795982fc8af33d3e3cd6bd5d4056615ba4db

SHA512
bb6c9bd802e2367fbd831040614f90a244cb04a3daef4ab4115a76f130d9839b521bd46df60cea38783a835de76af3b0bc2d5a44dbd6f4fd9ae6ff35f07cad90

Download Submit
memory/2340-40-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/2340-49-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/2340-48-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/2340-47-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/2340-46-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/2340-45-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/2340-41-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/2696-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2696-23-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2696-39-0x0000000001340000-0x00000000013C1000-memory.dmp

Filesize
516KB

Download
memory/2696-22-0x0000000001340000-0x00000000013C1000-memory.dmp

Filesize
516KB

Download
memory/3052-19-0x00000000013E0000-0x0000000001461000-memory.dmp

Filesize
516KB

Download
memory/3052-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3052-7-0x0000000002C40000-0x0000000002CC1000-memory.dmp

Filesize
516KB

Download
memory/3052-0-0x00000000013E0000-0x0000000001461000-memory.dmp

Filesize
516KB

Download