urelas | 2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe
Size

327KB
MD5

8683596a79ee62e258067bbadaa4e0b0
SHA1

2804b7a54623958f9feae3720d47cf43d190301c
SHA256

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7
SHA512

776cf6027bfa30d32fb61e54cbed0e9a34a9e20e6645f83cf2e434952a7b9c641410b81ddd816570c41449ce30e90b33b21041d34ba43419526b9ff664fbc97d
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYQ:vHW138/iXWlK885rKlGSekcj66ciR

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2880	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2236	tyoww.exe
596	rubeu.exe

Loads dropped DLL 2 IoCs

pid	Process
2160	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe
2236	tyoww.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tyoww.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rubeu.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe
596	rubeu.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2236	2160	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	30
PID 2160 wrote to memory of 2236	2160	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	30
PID 2160 wrote to memory of 2236	2160	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	30
PID 2160 wrote to memory of 2236	2160	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	30
PID 2160 wrote to memory of 2880	2160	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	31
PID 2160 wrote to memory of 2880	2160	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	31
PID 2160 wrote to memory of 2880	2160	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	31
PID 2160 wrote to memory of 2880	2160	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	31
PID 2236 wrote to memory of 596	2236	tyoww.exe	34
PID 2236 wrote to memory of 596	2236	tyoww.exe	34
PID 2236 wrote to memory of 596	2236	tyoww.exe	34
PID 2236 wrote to memory of 596	2236	tyoww.exe	34

C:\Users\Admin\AppData\Local\Temp\2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe
"C:\Users\Admin\AppData\Local\Temp\2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\tyoww.exe
  "C:\Users\Admin\AppData\Local\Temp\tyoww.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\rubeu.exe
    "C:\Users\Admin\AppData\Local\Temp\rubeu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8f89209875b68dc7aeabfe4e5d52c438

SHA1
2c9fc8e53f1dbda9a7d4a30f563eec47b2dba870

SHA256
1fbe0b77c72646d6661853e1ed49513eac6cd002259fbc2ccb8a3550f6e79725

SHA512
264828e36193cb454896c4243afd62f27fbd5838903f349ea31998c8de52ec6062f4ae7531d8385613dd01d1f6587d077ac36fa0a9b1a01eb8b7b531346af803

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
51c3e5acb77f7be8b80f08e43309919f

SHA1
ff3c195162cb0a3e51313c5d9a2f471515540db2

SHA256
25dcf2769a086f925dbb3d83145089016f594253d7768af8ec086c4948fba125

SHA512
8168885f6d3557388faaa9e16082011f803b4a4e2e6197eeae2e301928f355be386b4eb4bb5987ccd654da4f676e4e8defa9a65b0b803ea84084b50bb8201441

Download Submit
C:\Users\Admin\AppData\Local\Temp\rubeu.exe

Filesize
172KB

MD5
4741aa3ca128255054364aa1dcf0a719

SHA1
2fa880c95aec2e8310949db3e24b8e86db5382ca

SHA256
eaf54c817ea873d8fcbe453bd13ca2570cc362d65e7718940bcccef01ec786bd

SHA512
c3be4e2c2d84e070a282bb9a29e12f59a173e4cc2f72e23a76570c26cc9fd3b902a30c5013851a4bb5daa5389609b85ababd0c00a96f9c0670d5745a8e7c97cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyoww.exe

Filesize
327KB

MD5
3322d95ea415a179780a054c4cec7c60

SHA1
5c62c60df1c4559296d31d84e8a337825d8bb26f

SHA256
c50619cc166bedb0fd9aa6b66615da9717fde03b06f8d63382637d5470fae085

SHA512
67d9305befdcb7aefd7a9c89b957c91f5571fab59f4720e7b79718f3ce70bdc56e4dc50a856280a05581bdd872ea29edba57f26dd0e7fb7965c1281190bf779c

Download Submit
\Users\Admin\AppData\Local\Temp\tyoww.exe

Filesize
327KB

MD5
a056acc74231882ccd600610196a8027

SHA1
d01f40c01b4e068b50d88bb1cb8422a67be6e3be

SHA256
c9f97d9390c3b1cfff6be2353766a0289e1734940e54c43206ae9043d125fd55

SHA512
d864c493177d988900f1ca74d82fc0ce8b2e814ef04ec646d10de4beed6af14d8daf8cce3ff6903a0a2b8a4a68abd6e7362cd1813069b2bc3031a186431decb5

Download Submit
memory/596-42-0x0000000000310000-0x00000000003A9000-memory.dmp

Filesize
612KB

Download
memory/596-43-0x0000000000310000-0x00000000003A9000-memory.dmp

Filesize
612KB

Download
memory/596-52-0x0000000000310000-0x00000000003A9000-memory.dmp

Filesize
612KB

Download
memory/596-51-0x0000000000310000-0x00000000003A9000-memory.dmp

Filesize
612KB

Download
memory/596-50-0x0000000000310000-0x00000000003A9000-memory.dmp

Filesize
612KB

Download
memory/596-49-0x0000000000310000-0x00000000003A9000-memory.dmp

Filesize
612KB

Download
memory/596-48-0x0000000000310000-0x00000000003A9000-memory.dmp

Filesize
612KB

Download
memory/2160-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2160-7-0x0000000000C00000-0x0000000000C81000-memory.dmp

Filesize
516KB

Download
memory/2160-21-0x0000000001020000-0x00000000010A1000-memory.dmp

Filesize
516KB

Download
memory/2160-0-0x0000000001020000-0x00000000010A1000-memory.dmp

Filesize
516KB

Download
memory/2236-24-0x0000000000330000-0x00000000003B1000-memory.dmp

Filesize
516KB

Download
memory/2236-41-0x0000000000330000-0x00000000003B1000-memory.dmp

Filesize
516KB

Download
memory/2236-38-0x0000000003600000-0x0000000003699000-memory.dmp

Filesize
612KB

Download
memory/2236-11-0x0000000000330000-0x00000000003B1000-memory.dmp

Filesize
516KB

Download
memory/2236-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download