urelas | c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
Size

597KB
MD5

8fd85ee4b09ceab66733ac13dbf09e1d
SHA1

0bf74e1ba4927b718ae922b89f149fb75236efd0
SHA256

c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c
SHA512

3ba8695775b981fe2ad4a8ee025dea547d58789213849b2b681448452b2921fe43876dfa7a2aece26aaee3aed10366761c159c1b829ffb5022c997d0fe4dc3bc
SSDEEP

6144:KzU7blKaPcbhj+bB7ktZeRnVDJm0oNjOPdInpB8:MU7MLb4BQkntwNjqdx

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2212	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2280	guaxm.exe
1808	obrip.exe

Loads dropped DLL 3 IoCs

pid	Process
1868	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
1868	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
2280	guaxm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guaxm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obrip.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe
1808	obrip.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2280	1868	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	28
PID 1868 wrote to memory of 2280	1868	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	28
PID 1868 wrote to memory of 2280	1868	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	28
PID 1868 wrote to memory of 2280	1868	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	28
PID 1868 wrote to memory of 2212	1868	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	29
PID 1868 wrote to memory of 2212	1868	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	29
PID 1868 wrote to memory of 2212	1868	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	29
PID 1868 wrote to memory of 2212	1868	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	29
PID 2280 wrote to memory of 1808	2280	guaxm.exe	33
PID 2280 wrote to memory of 1808	2280	guaxm.exe	33
PID 2280 wrote to memory of 1808	2280	guaxm.exe	33
PID 2280 wrote to memory of 1808	2280	guaxm.exe	33

C:\Users\Admin\AppData\Local\Temp\c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
"C:\Users\Admin\AppData\Local\Temp\c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\guaxm.exe
  "C:\Users\Admin\AppData\Local\Temp\guaxm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\obrip.exe
    "C:\Users\Admin\AppData\Local\Temp\obrip.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b45e2f663f7f9bc2d10eb8e125539218

SHA1
01e788019befaf86df514a2b888ee8041406c745

SHA256
e29e4674cb422acbffadff5f79d7f611cd78322d03913757cea07401bcfd2405

SHA512
25d818b7fbe97c858a6aa61424e553fc5056cc9f1c22759e107a40d3d6d6b5a099e488dad6e15c5cbe11ef0750e6d3c80aaa47b99bed89e79da451a4729b96e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
44332b51cffce3283d57c7212b79e352

SHA1
9447ff77f3cb30c21176ff3545c0d54a76ff7ccb

SHA256
157ec04964d4eed2ef37029d1861e67a184a24b82914a73e26e1990b8e0727f0

SHA512
750e2ee5475a27ddfc3e2773cc8bf29fc27ef940cf1d2cc8622f5da38283a01260aace9d6f7e32bd65b8208982d021f2ec7e23a6b6b164ee297466ec8a415028

Download Submit
\Users\Admin\AppData\Local\Temp\guaxm.exe

Filesize
597KB

MD5
15961851e20970359322574b5958c397

SHA1
93052472fbb72e288a962c43f88248578e02ad75

SHA256
114b8654d78bd0254d4e51d4d54fb8a3aa38e5c730175cfbc3d9abb63a19a0b0

SHA512
6711dd4e18206bf97b0de257dec9bf807976bcdc897d23e3de6800f043e4d23e2ff42fb3791e782cc2760858720cc4ee938b9cf0db84d7908b4e3e9c3daa88be

Download Submit
\Users\Admin\AppData\Local\Temp\obrip.exe

Filesize
211KB

MD5
f8c3ccecebf08884e39b25cd77aae1da

SHA1
32d3af87d22144cf448108b0a20b83c531bad9f9

SHA256
9945b11215d9cf1d56bd6918a60d7084391ab33fbad7d460626e43986bdad267

SHA512
ddf70ea6c46b06de69404a9c0f1ad86b1511d18ef906423d3998cfd0185893bef835cf03a645f20d449b55fd899933ad0d6069fec11d1d5919644154acd4268d

Download Submit
memory/1808-34-0x0000000001240000-0x00000000012F1000-memory.dmp

Filesize
708KB

Download
memory/1808-42-0x0000000001240000-0x00000000012F1000-memory.dmp

Filesize
708KB

Download
memory/1808-41-0x0000000001240000-0x00000000012F1000-memory.dmp

Filesize
708KB

Download
memory/1808-40-0x0000000001240000-0x00000000012F1000-memory.dmp

Filesize
708KB

Download
memory/1808-39-0x0000000001240000-0x00000000012F1000-memory.dmp

Filesize
708KB

Download
memory/1808-37-0x0000000001240000-0x00000000012F1000-memory.dmp

Filesize
708KB

Download
memory/1808-38-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1808-35-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1868-11-0x0000000002640000-0x00000000026D5000-memory.dmp

Filesize
596KB

Download
memory/1868-22-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1868-0-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1868-12-0x0000000002640000-0x00000000026D5000-memory.dmp

Filesize
596KB

Download
memory/2280-33-0x0000000003230000-0x00000000032E1000-memory.dmp

Filesize
708KB

Download
memory/2280-31-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2280-25-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2280-15-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download