urelas | 0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe
Size

403KB
MD5

d1c773e84eeb50f6b2964cc7d94b6fdf
SHA1

e78828b1a72b9025538dd7ee15efdff12939576e
SHA256

0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3
SHA512

c3c9c4aa3a7a3bb896f4939531a9f810fea888db2534ec8fb99ba4522ac283806494f92c2b2feacaa711b8e1dd1b0c5e8da2f59dfdd4d7e6cc92cbf38712e4a4
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohq:8IfBoDWoyFblU6hAJQnOA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
3036	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2792	ejpow.exe
2864	kuegru.exe
2496	buxok.exe

Loads dropped DLL 5 IoCs

pid	Process
2888	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe
2888	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe
2792	ejpow.exe
2792	ejpow.exe
2864	kuegru.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buxok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejpow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kuegru.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe
2496	buxok.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2792	2888	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	30
PID 2888 wrote to memory of 2792	2888	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	30
PID 2888 wrote to memory of 2792	2888	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	30
PID 2888 wrote to memory of 2792	2888	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	30
PID 2888 wrote to memory of 3036	2888	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	31
PID 2888 wrote to memory of 3036	2888	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	31
PID 2888 wrote to memory of 3036	2888	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	31
PID 2888 wrote to memory of 3036	2888	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	31
PID 2792 wrote to memory of 2864	2792	ejpow.exe	33
PID 2792 wrote to memory of 2864	2792	ejpow.exe	33
PID 2792 wrote to memory of 2864	2792	ejpow.exe	33
PID 2792 wrote to memory of 2864	2792	ejpow.exe	33
PID 2864 wrote to memory of 2496	2864	kuegru.exe	35
PID 2864 wrote to memory of 2496	2864	kuegru.exe	35
PID 2864 wrote to memory of 2496	2864	kuegru.exe	35
PID 2864 wrote to memory of 2496	2864	kuegru.exe	35
PID 2864 wrote to memory of 716	2864	kuegru.exe	36
PID 2864 wrote to memory of 716	2864	kuegru.exe	36
PID 2864 wrote to memory of 716	2864	kuegru.exe	36
PID 2864 wrote to memory of 716	2864	kuegru.exe	36

C:\Users\Admin\AppData\Local\Temp\0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe
"C:\Users\Admin\AppData\Local\Temp\0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\ejpow.exe
  "C:\Users\Admin\AppData\Local\Temp\ejpow.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\kuegru.exe
    "C:\Users\Admin\AppData\Local\Temp\kuegru.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\buxok.exe
      "C:\Users\Admin\AppData\Local\Temp\buxok.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2496
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
5e07627bd48d6e730d4dbda681df74bb

SHA1
4d1a4b684280a71623adc893bd02ed41e9f9d445

SHA256
f0e523e29b75bc91b757caefbb3d38deea6856e9f6633d43d8bd98ade1ac2607

SHA512
9fe75795bd34d09828d5c7ba54c980a7d21b815c4a286aff2979726ff4c46c5a5edde24d305a2876cab833c4b20e1a6d23ceaa9544473395f50e86e463684e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
eaa6422bdaf051c401b1395cc8c27142

SHA1
015910ba6a08e5a7c4e80219e31a72ab16c7b7e8

SHA256
fb118ba03582faac2c7de072bbec530a50933223b54954afd7f11bb98990162a

SHA512
44797ddb7b568859ac9036fa86df86f9e5eb49d5edc9d62a9401609795f8bef5af744555d75803d68bb1f2d220b034ff58f02c11a457f6cc134436d01a0840fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
76d55dc7723502bebaea0ead2c4e74f2

SHA1
798d41ddcb92d1cc779b8f40debb14d4de6bf161

SHA256
96a8933e24706bb2c319a9d6e4f306ed588f47cd3c0a151b99a8ebb1b6a2d8f7

SHA512
3616b2b74f95406d3f2809710399ca2d1ac17a41061428aa6f198cb8783d5a16cc91d5d65cdd1052d33f00a81271af168d0b24621f8d763b31e0094a541fd91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuegru.exe

Filesize
403KB

MD5
5ede7ecf000e7a3c10f5c992c860b3ba

SHA1
57cb77692fb36ce73de73331692d472378cee40c

SHA256
47212f6ea393cde69669a98366e69df356802f3a45b03dba47a223432a75f337

SHA512
0bdb8ebfe0efda0e35c205677e279af5b22ac682649739c812564c87982cf056bda5ad04a15683425747094a977d645bb2b3601b408e521d8d21dd1f8388aa6e

Download Submit
\Users\Admin\AppData\Local\Temp\buxok.exe

Filesize
223KB

MD5
1d4b9616223275a55ce7cdfdbeeb3369

SHA1
adc8400dfa77966c7500eb6ff344b9cd9d33a365

SHA256
3f20f056fcdcd6a91d84e86faf54d88ccfc5c5cd8c52da4e1425c11235afb823

SHA512
82bd51af13c9145132dff50778f373d387696a519e732852a8e510da9ba254d139018ab30e3e7ae889f64253c9e743d3a94bf9142ac7b785d22dfa803884d49d

Download Submit
\Users\Admin\AppData\Local\Temp\ejpow.exe

Filesize
403KB

MD5
f03eff9e8467c7c530cd582bd78c48fb

SHA1
c3aa29655c6d90e470ec01a82f0d79b25e7cc44c

SHA256
eb9940eb017c6ed605d08478d0cd398095c74c5cbcffb1afa8574d7faeacaec4

SHA512
1934dfa59fe6ba4ce5034b1717109a18d0717bfb032417cefc8a2ac8a1b6e97fa19e8b557682d045ddd8a630e18a13b50105dbc78d6f34b2310d56b7e4f7e25f

Download Submit
memory/2496-61-0x0000000000E30000-0x0000000000ED0000-memory.dmp

Filesize
640KB

Download
memory/2496-62-0x0000000000E30000-0x0000000000ED0000-memory.dmp

Filesize
640KB

Download
memory/2496-63-0x0000000000E30000-0x0000000000ED0000-memory.dmp

Filesize
640KB

Download
memory/2496-60-0x0000000000E30000-0x0000000000ED0000-memory.dmp

Filesize
640KB

Download
memory/2496-64-0x0000000000E30000-0x0000000000ED0000-memory.dmp

Filesize
640KB

Download
memory/2496-48-0x0000000000E30000-0x0000000000ED0000-memory.dmp

Filesize
640KB

Download
memory/2792-15-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2792-34-0x0000000001EE0000-0x0000000001F48000-memory.dmp

Filesize
416KB

Download
memory/2792-33-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2792-38-0x0000000001EE0000-0x0000000001F48000-memory.dmp

Filesize
416KB

Download
memory/2864-46-0x0000000003730000-0x00000000037D0000-memory.dmp

Filesize
640KB

Download
memory/2864-56-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2864-39-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2864-36-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2888-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2888-23-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2888-12-0x0000000002840000-0x00000000028A8000-memory.dmp

Filesize
416KB

Download
memory/2888-6-0x0000000002840000-0x00000000028A8000-memory.dmp

Filesize
416KB

Download