urelas | 16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe
Size

332KB
MD5

c5105fd9f1ab2ad22f450fff55d33143
SHA1

e68a07e75bff28a4bf27567dfdef8bd519fb8a5a
SHA256

16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662
SHA512

de98bee6a670b9b7e787e50786c75feecd647b3cde1dea6d01105f32b3271c61c4fbc881e7609f4ba33d0e36156117e430ab6f532e030c4550eb2147095f1670
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY6:vHW138/iXWlK885rKlGSekcj66cib

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2536	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2040	kuigh.exe
2912	qoizs.exe

Loads dropped DLL 2 IoCs

pid	Process
1996	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe
2040	kuigh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kuigh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoizs.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe
2912	qoizs.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2040	1996	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	30
PID 1996 wrote to memory of 2040	1996	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	30
PID 1996 wrote to memory of 2040	1996	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	30
PID 1996 wrote to memory of 2040	1996	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	30
PID 1996 wrote to memory of 2536	1996	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	31
PID 1996 wrote to memory of 2536	1996	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	31
PID 1996 wrote to memory of 2536	1996	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	31
PID 1996 wrote to memory of 2536	1996	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	31
PID 2040 wrote to memory of 2912	2040	kuigh.exe	34
PID 2040 wrote to memory of 2912	2040	kuigh.exe	34
PID 2040 wrote to memory of 2912	2040	kuigh.exe	34
PID 2040 wrote to memory of 2912	2040	kuigh.exe	34

C:\Users\Admin\AppData\Local\Temp\16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe
"C:\Users\Admin\AppData\Local\Temp\16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\kuigh.exe
  "C:\Users\Admin\AppData\Local\Temp\kuigh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\qoizs.exe
    "C:\Users\Admin\AppData\Local\Temp\qoizs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
f82b5e46ecc7199a4d77265ab29e761f

SHA1
471dc7642de247841861ef0047e6e73fe6e0509c

SHA256
8a106558acbed72ae6114bc0d074af4570578010fffa14854c5f703466ebd300

SHA512
bec787feeb03ebb2cc4477ffa405f3f39cdb02a85c134462f4907128c7fa82532c5a83ddd39f7a26a9b9a8084fb65ed2d7ee7d63e42ec779c7c63a3a89fc13b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
79248adff997fa3b15f5028b9944b5f8

SHA1
837a0070b75b0fc21c55658874170fc3817346ea

SHA256
4d76d1b15d4caa985e9bb13ccdb79cec1660aaeee8d5640504dc2c83c91c668b

SHA512
a4a7487e146bd18b949042b5e7a38285d305659fc0f9d8f86acd2c01294e9825bf93da9449be1a1a68b060b06f18c64ff36bebb911b56dfb4b707f5ebe5c718a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuigh.exe

Filesize
332KB

MD5
6d5e317c19917a906e8bd61f6ded6092

SHA1
ede77ffe4f6a9143e4a51002c30d386886e0ca83

SHA256
d1990c36ed11d5f28dda0f690490df924f9dfc6eec84824bc8d8b7b7dcc3aeed

SHA512
71651d8eb0da30370dd104c67e408602acbdd382e2bbf548c9beacfc06057991eb3604e520d4257104fa56e083ad006d4c535e64e4e44ee1d35bb290ac7d9e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoizs.exe

Filesize
172KB

MD5
7038fc112b9d9186972d54f9799d9738

SHA1
45b95c7a773dea2da37df8eda6a6392c58a2e733

SHA256
483df75e9a3b979d3dc528d043fe6a9b7319d85e3474f853c511da16a22b8266

SHA512
66d5bc93349ada1d9eefe9a0c3f5611064996c205ffdfa37398e8a06a6f57ba2c1a5268532094efbc701258380ebc1929fbfd4f3fb197701b72b94fab9f4c67a

Download Submit
memory/1996-0-0x0000000000BC0000-0x0000000000C41000-memory.dmp

Filesize
516KB

Download
memory/1996-20-0x0000000000BC0000-0x0000000000C41000-memory.dmp

Filesize
516KB

Download
memory/1996-17-0x0000000000B20000-0x0000000000BA1000-memory.dmp

Filesize
516KB

Download
memory/1996-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2040-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2040-23-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/2040-18-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/2040-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2040-42-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/2040-39-0x0000000002110000-0x00000000021A9000-memory.dmp

Filesize
612KB

Download
memory/2912-40-0x0000000000CF0000-0x0000000000D89000-memory.dmp

Filesize
612KB

Download
memory/2912-43-0x0000000000CF0000-0x0000000000D89000-memory.dmp

Filesize
612KB

Download
memory/2912-47-0x0000000000CF0000-0x0000000000D89000-memory.dmp

Filesize
612KB

Download
memory/2912-48-0x0000000000CF0000-0x0000000000D89000-memory.dmp

Filesize
612KB

Download
memory/2912-49-0x0000000000CF0000-0x0000000000D89000-memory.dmp

Filesize
612KB

Download
memory/2912-50-0x0000000000CF0000-0x0000000000D89000-memory.dmp

Filesize
612KB

Download
memory/2912-51-0x0000000000CF0000-0x0000000000D89000-memory.dmp

Filesize
612KB

Download