urelas | 871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe
Size

403KB
MD5

5551ce6e7f9a167a8f778a1f82714473
SHA1

e8d1facc9f1e727241ebdf17fb1923062af51302
SHA256

871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc
SHA512

2af3f45139ddd63b73fc49e7c1e4366af5f409d699c44b65e1af00cb93173a87bec790ac2ff0d90b03fe6e3ec7a583a2dd675adb79bff8d1083ec325f386d05b
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohS:8IfBoDWoyFblU6hAJQnO0

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2960	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

cikas.exesinoso.exerifef.exe

pid	Process
2868	cikas.exe
2584	sinoso.exe
2384	rifef.exe

Loads dropped DLL 5 IoCs

Processes:

871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.execikas.exesinoso.exe

pid	Process
2708	871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe
2708	871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe
2868	cikas.exe
2868	cikas.exe
2584	sinoso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.execikas.exesinoso.execmd.exerifef.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cikas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sinoso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rifef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

rifef.exe

pid	Process
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe
2384	rifef.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.execikas.exesinoso.exe

description	pid	Process	procid_target
PID 2708 wrote to memory of 2868	2708	871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe	31
PID 2708 wrote to memory of 2868	2708	871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe	31
PID 2708 wrote to memory of 2868	2708	871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe	31
PID 2708 wrote to memory of 2868	2708	871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe	31
PID 2708 wrote to memory of 2960	2708	871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe	32
PID 2708 wrote to memory of 2960	2708	871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe	32
PID 2708 wrote to memory of 2960	2708	871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe	32
PID 2708 wrote to memory of 2960	2708	871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe	32
PID 2868 wrote to memory of 2584	2868	cikas.exe	34
PID 2868 wrote to memory of 2584	2868	cikas.exe	34
PID 2868 wrote to memory of 2584	2868	cikas.exe	34
PID 2868 wrote to memory of 2584	2868	cikas.exe	34
PID 2584 wrote to memory of 2384	2584	sinoso.exe	36
PID 2584 wrote to memory of 2384	2584	sinoso.exe	36
PID 2584 wrote to memory of 2384	2584	sinoso.exe	36
PID 2584 wrote to memory of 2384	2584	sinoso.exe	36
PID 2584 wrote to memory of 880	2584	sinoso.exe	37
PID 2584 wrote to memory of 880	2584	sinoso.exe	37
PID 2584 wrote to memory of 880	2584	sinoso.exe	37
PID 2584 wrote to memory of 880	2584	sinoso.exe	37

C:\Users\Admin\AppData\Local\Temp\871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe
"C:\Users\Admin\AppData\Local\Temp\871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\cikas.exe
  "C:\Users\Admin\AppData\Local\Temp\cikas.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\sinoso.exe
    "C:\Users\Admin\AppData\Local\Temp\sinoso.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\rifef.exe
      "C:\Users\Admin\AppData\Local\Temp\rifef.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
badd143fdd91d805450bb931ce52d26a

SHA1
9620416cf7b868d2138ca8847be34f715d4976bf

SHA256
83f091ce4dcea45716afef483e5cb26e86a86da7e81b1ecf15eaf10f3480b421

SHA512
fefee21534490f435a07c803e62a07407db2bb6fed90becdb4254a6c79bbf90b5a29b90bd475e4b7eb98b10961b3ced62002d2c852f69d023a51ee71ad7f8d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
6bc058cb1f8aa89f76f97108cb7e506b

SHA1
c9acc8df6d82bd33a6f1e8f35051db72ae2001c1

SHA256
4a0e6298ce9399a3abcfc6495686538c7900a4d38b9db93ee332777fd3ef8be4

SHA512
8fdeb4ac29ef849f00a40b8470db43f65ec6939f7e76e8ab82d59015ae39e94e210c67b6c289ee44a956147c015dd5c4ef333e97063b17533c3e6524800b1794

Download Submit
C:\Users\Admin\AppData\Local\Temp\cikas.exe

Filesize
403KB

MD5
6392096ed6c2d9e5bea46353cf5d26b3

SHA1
6246a0ca7c21546f2d1854fad493faf8db3a8d37

SHA256
33da6aed05864c48f1e63c8075e82f1822bb4872bed2dafa6b6028c9c221a179

SHA512
e744fc9cc0b751a3164de3eb41a35e456cf171aca5a37ef01894599835b72b85d8893e1a1d7a98ca4f95918a75fc8a6393ff1e039472774df374b48c00079fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8a253096aa347fd267fb72bc2a3bc189

SHA1
073940fc0ca31acd4b4c952ad5e0da1c286d49a2

SHA256
6055ad0c1f8448d85a41a0f5d781172bc746cbd837844a2dd794d8a3c9ffe281

SHA512
1112a8daba842cc77df971a67d8aa40875123f05e6f458f302151d2bb7e434c5f04f3e2773d10e528612c4a5d2d5a5dc96a2d7ec58fd7df1c504e6f534ded07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sinoso.exe

Filesize
403KB

MD5
f8a6a415f737bbf09e91ec8fa6ae663e

SHA1
9a54457811190db7cbe6ca156197368abe5ab831

SHA256
28cfe0d442109d48f0f19f4bf3d99d9f6df04cb7eff6d8e2386d09a5353d397b

SHA512
f2de7a8a291c8c07fb0aab8467ca2b468b3f27a2f9d0b4d4558ec61e05745e46539f2f2e80d65becd46b7ed8e1ba7da485313b7a55ac04c35037ea9b0f35ecdd

Download Submit
\Users\Admin\AppData\Local\Temp\rifef.exe

Filesize
223KB

MD5
1534b310452c227113bd11a777bd7253

SHA1
db69c48b536d45c18d1c715a73e3b1ae27368d5c

SHA256
50b60ae6eebe1aaa4208afc7617bd2df06509d7631f4a9cf2e252d7db414eb8e

SHA512
688adeae74d28aad8be53d0ee285ea183457e5f938e970ba8b62e91d4ac3665fd366b1e76c9118c866e33be25986b10c229ea222cae494718b3dc519747104c4

Download Submit
memory/2384-60-0x0000000000AF0000-0x0000000000B90000-memory.dmp

Filesize
640KB

Download
memory/2384-61-0x0000000000AF0000-0x0000000000B90000-memory.dmp

Filesize
640KB

Download
memory/2384-59-0x0000000000AF0000-0x0000000000B90000-memory.dmp

Filesize
640KB

Download
memory/2384-55-0x0000000000AF0000-0x0000000000B90000-memory.dmp

Filesize
640KB

Download
memory/2384-62-0x0000000000AF0000-0x0000000000B90000-memory.dmp

Filesize
640KB

Download
memory/2384-63-0x0000000000AF0000-0x0000000000B90000-memory.dmp

Filesize
640KB

Download
memory/2584-52-0x0000000003BD0000-0x0000000003C70000-memory.dmp

Filesize
640KB

Download
memory/2584-35-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2584-38-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2584-53-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2708-20-0x0000000002450000-0x00000000024B8000-memory.dmp

Filesize
416KB

Download
memory/2708-37-0x0000000002450000-0x00000000024B8000-memory.dmp

Filesize
416KB

Download
memory/2708-2-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2708-22-0x0000000002450000-0x00000000024B8000-memory.dmp

Filesize
416KB

Download
memory/2708-21-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2868-34-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2868-23-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download