urelas | 9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb

Analysis

max time kernel
149s
max time network
81s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe
Size

331KB
MD5

7eee5a9c09ab106a678b4e266607e694
SHA1

7a4f8588d6089f4b8e25582bc11dfa9e1302df84
SHA256

9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb
SHA512

4ecb3d5966d401af3b4969563e8ccf3157c63b56a48b829d70eded05e7f1aee8a13241393363f6f62a73daa868a2e864dce2ca95b85190ba19ca59de1c9e5f9f
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVRJ:vHW138/iXWlK885rKlGSekcj66ciERJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2148	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

visoi.exejutov.exe

pid	Process
2720	visoi.exe
2040	jutov.exe

Loads dropped DLL 2 IoCs

Processes:

9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exevisoi.exe

pid	Process
2256	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe
2720	visoi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

jutov.exe9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exevisoi.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jutov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	visoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

jutov.exe

pid	Process
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe
2040	jutov.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exevisoi.exe

description	pid	Process	procid_target
PID 2256 wrote to memory of 2720	2256	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	30
PID 2256 wrote to memory of 2720	2256	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	30
PID 2256 wrote to memory of 2720	2256	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	30
PID 2256 wrote to memory of 2720	2256	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	30
PID 2256 wrote to memory of 2148	2256	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	31
PID 2256 wrote to memory of 2148	2256	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	31
PID 2256 wrote to memory of 2148	2256	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	31
PID 2256 wrote to memory of 2148	2256	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	31
PID 2720 wrote to memory of 2040	2720	visoi.exe	33
PID 2720 wrote to memory of 2040	2720	visoi.exe	33
PID 2720 wrote to memory of 2040	2720	visoi.exe	33
PID 2720 wrote to memory of 2040	2720	visoi.exe	33

C:\Users\Admin\AppData\Local\Temp\9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe
"C:\Users\Admin\AppData\Local\Temp\9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\visoi.exe
  "C:\Users\Admin\AppData\Local\Temp\visoi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\jutov.exe
    "C:\Users\Admin\AppData\Local\Temp\jutov.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
6357433b9e289fbeedec0c4e4ea64826

SHA1
b1e70d0a33000976fee37bd86ec4b4941fe0e670

SHA256
26310e4f8e01c3574aee93d0394314e49692bb70bfc4562d80d09b66adb46428

SHA512
af021ae4d737d676154f27f5478f91afe8e29993abb71f4b82d2c04a62e4388323c5ed3bd6737f696f691828c587be114cda834375db1475e79e10a0e55b0ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
893fa03558139bbd942a2be086fee95e

SHA1
d88fc8903e6d5c45249d4a261ad8786ce83ee583

SHA256
7655059998755a36138639ebb70b78c6a5d17b0d4408fa7daf87bc3f5141335a

SHA512
bb98177ebb543e7b179adc6e35b865ba79e37e8625d568ffd8e6e4517fd5efbab4fe4082c3f258ab94b5fc49d886ee2751cf8aeecd8e0b9c2a1335558947d82e

Download Submit
\Users\Admin\AppData\Local\Temp\jutov.exe

Filesize
172KB

MD5
57b11d5a9e053383ea6f30d483f3b974

SHA1
91d3d57f68c791250ec1e9d334790d7a33965f70

SHA256
14000308762a3993f34e44486c76e6384d54a37558afb17c9f1da6b8331841c4

SHA512
d11bc0c2c7cc4fc2c87fa81cdf8cdaf013f7258d137d0a6e196f6c3a77b372beb6f247717f1636e8f0299af33adada901dfb462443d347d9dab8266febb5e121

Download Submit
\Users\Admin\AppData\Local\Temp\visoi.exe

Filesize
331KB

MD5
e95cdc7e53befb384b7ad7f1b4b53232

SHA1
e39e9ee9b0c75e28b5195bb1550b3e8d3b3a02c6

SHA256
f528c3170a1831d7f707c7444226d1a761f94f5b57bd5f4c81fdc35702210f6c

SHA512
930f7b78c4f448d8003cc5683250d254d9c626980966ab5eb01018a761c207e38386988e53bac87e0583d401d62d9721bb3a8b1fee0d44f3f09b5f90e916bdc8

Download Submit
memory/2040-52-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/2040-51-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/2040-48-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/2040-50-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/2040-49-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/2040-46-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/2040-43-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/2256-9-0x00000000025F0000-0x0000000002671000-memory.dmp

Filesize
516KB

Download
memory/2256-21-0x0000000000E10000-0x0000000000E91000-memory.dmp

Filesize
516KB

Download
memory/2256-0-0x0000000000E10000-0x0000000000E91000-memory.dmp

Filesize
516KB

Download
memory/2256-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2720-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2720-42-0x0000000000100000-0x0000000000181000-memory.dmp

Filesize
516KB

Download
memory/2720-39-0x0000000003330000-0x00000000033C9000-memory.dmp

Filesize
612KB

Download
memory/2720-24-0x0000000000100000-0x0000000000181000-memory.dmp

Filesize
516KB

Download
memory/2720-18-0x0000000000100000-0x0000000000181000-memory.dmp

Filesize
516KB

Download
memory/2720-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download