urelas | 4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30b

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe
Size

333KB
MD5

069769a12fb926841c133bd19fa34b30
SHA1

9904e2fc59e715aecc1540f459b248a74969334f
SHA256

4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30b
SHA512

ffabbb37b6a2d2264fa81ba5da6f489372db858cbeadc6185a1644a854ee6d0d9c37b5f93aa15b5f8480d632c04f36ed3ac7deb95854479985d2fe1d48476920
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV7:vHW138/iXWlK885rKlGSekcj66ciE7

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2664	fuufz.exe
2896	votow.exe

Loads dropped DLL 2 IoCs

pid	Process
2736	4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe
2664	fuufz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	votow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuufz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe
2896	votow.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2664	2736	4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe	30
PID 2736 wrote to memory of 2664	2736	4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe	30
PID 2736 wrote to memory of 2664	2736	4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe	30
PID 2736 wrote to memory of 2664	2736	4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe	30
PID 2736 wrote to memory of 2804	2736	4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe	31
PID 2736 wrote to memory of 2804	2736	4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe	31
PID 2736 wrote to memory of 2804	2736	4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe	31
PID 2736 wrote to memory of 2804	2736	4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe	31
PID 2664 wrote to memory of 2896	2664	fuufz.exe	34
PID 2664 wrote to memory of 2896	2664	fuufz.exe	34
PID 2664 wrote to memory of 2896	2664	fuufz.exe	34
PID 2664 wrote to memory of 2896	2664	fuufz.exe	34

C:\Users\Admin\AppData\Local\Temp\4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe
"C:\Users\Admin\AppData\Local\Temp\4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\fuufz.exe
  "C:\Users\Admin\AppData\Local\Temp\fuufz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\votow.exe
    "C:\Users\Admin\AppData\Local\Temp\votow.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
8f3321bf544322e77845fbb684c302ad

SHA1
280ad5cd953f1350d05b38de6ad8b8231cf461b8

SHA256
b9baeafa70d1f4e93eba4817536b9acbf60d8023638d9e94cb39a64baf6d4329

SHA512
36be1640cba4892da8b4c5bfe85a24a27e8f68c239db80b645cfd8206ec36792fb1eeed8c8d20f68a15e8eb6ec91c459ba3d20ab31969b076dc5eda9d2fbb3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3692b366263efebd2d3f11f5fd1a3b40

SHA1
398e33b43f71e2333e8a2f49abd093401ee939b5

SHA256
c443f72489c7014a974534c47b4951ce2bd7bc891efb935049434d4b40b2da04

SHA512
4b776b8798f37906025755da7970225fd3ad29281846aa78606aabaac9b59373ff6f92ef2f88ed023f2b8fd40a3c18b228b1fd0ea89ee4e2bbc7dc6614f2963e

Download Submit
C:\Users\Admin\AppData\Local\Temp\votow.exe

Filesize
172KB

MD5
5656a17c5588c4149931909246c627d1

SHA1
b8588aa7d247c8e52c346f89acf01fca35e468fb

SHA256
bcaf82b90fd507a55e72257a77266686c1961e505bc33c05531f57757b816f4e

SHA512
7eabeb1e18b1cd7d2989cc9426c506be3e9752db969fbfd31dc2f808b2f37a8cdb84e542cf24d7aed82fc30e5f67e8153e63e2a07b65824456636c12d2e7faf5

Download Submit
\Users\Admin\AppData\Local\Temp\fuufz.exe

Filesize
333KB

MD5
b6b6ea22e15960a918a78408af365f12

SHA1
6db73026e76218b599131c135e0438c8a52721bc

SHA256
2dec17c7dca62daa27915fb6ba31d2a5a7957dbf272bf5cc3fa52cc6c533bd20

SHA512
7b9e1d8ee5cba8c353217ff17222a68c5f9778120b609b678f9fa4666c7b02bc8e80408ae743565a729d6594f3a65312bde06a4f3181a17bd982901477378358

Download Submit
memory/2664-38-0x0000000003C30000-0x0000000003CC9000-memory.dmp

Filesize
612KB

Download
memory/2664-24-0x00000000011E0000-0x0000000001261000-memory.dmp

Filesize
516KB

Download
memory/2664-11-0x00000000011E0000-0x0000000001261000-memory.dmp

Filesize
516KB

Download
memory/2664-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2664-41-0x00000000011E0000-0x0000000001261000-memory.dmp

Filesize
516KB

Download
memory/2736-0-0x0000000000970000-0x00000000009F1000-memory.dmp

Filesize
516KB

Download
memory/2736-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2736-21-0x0000000000970000-0x00000000009F1000-memory.dmp

Filesize
516KB

Download
memory/2736-9-0x00000000024D0000-0x0000000002551000-memory.dmp

Filesize
516KB

Download
memory/2896-42-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/2896-45-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/2896-47-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/2896-48-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/2896-49-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/2896-50-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/2896-51-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download