urelas | 133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe
Size

337KB
MD5

39d8703f1b708b28f39401d39084363c
SHA1

d3ff0688c161c0829a07d65f17e618b805bc1cc0
SHA256

133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691
SHA512

45871b125f10e63a6f38c3612e757ae3a2fa0648bf1d0f49ef663882fbcbbf68aeb3805570a1fd834e805e681b6eea9611fa05574b9ce201946d77fbf06cfcd2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYpI:vHW138/iXWlK885rKlGSekcj66ciEI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2980	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

ytwec.exepyxuf.exe

pid	Process
2736	ytwec.exe
1784	pyxuf.exe

Loads dropped DLL 2 IoCs

Processes:

133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exeytwec.exe

pid	Process
1064	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe
2736	ytwec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exeytwec.execmd.exepyxuf.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytwec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyxuf.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

pyxuf.exe

pid	Process
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe
1784	pyxuf.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exeytwec.exe

description	pid	Process	procid_target
PID 1064 wrote to memory of 2736	1064	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe	30
PID 1064 wrote to memory of 2736	1064	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe	30
PID 1064 wrote to memory of 2736	1064	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe	30
PID 1064 wrote to memory of 2736	1064	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe	30
PID 1064 wrote to memory of 2980	1064	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe	31
PID 1064 wrote to memory of 2980	1064	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe	31
PID 1064 wrote to memory of 2980	1064	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe	31
PID 1064 wrote to memory of 2980	1064	133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe	31
PID 2736 wrote to memory of 1784	2736	ytwec.exe	34
PID 2736 wrote to memory of 1784	2736	ytwec.exe	34
PID 2736 wrote to memory of 1784	2736	ytwec.exe	34
PID 2736 wrote to memory of 1784	2736	ytwec.exe	34

C:\Users\Admin\AppData\Local\Temp\133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe
"C:\Users\Admin\AppData\Local\Temp\133edd12d821bd362f2ad0693982abc59fba04af35ba0eec538d6cd798a6f691.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\ytwec.exe
  "C:\Users\Admin\AppData\Local\Temp\ytwec.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\pyxuf.exe
    "C:\Users\Admin\AppData\Local\Temp\pyxuf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
fa03093f919777d4b59a7d49d7440b2a

SHA1
1b4dcf5d738d48f599d613e34955a7b27b2996da

SHA256
d78493474650eae90d361a0fbdb8c87ee8d017b2ccd8150097251a929dbae2ea

SHA512
63320e32c15909edd0dc7100426b1e58175febf45ab280b1ad28ae5abdefc8d2746226573592f4878a170476273664fefcb21b8b2be4623ee8167f7f04189a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
de1503721240a86d279ad99f6c6a5c00

SHA1
64b01ec15a58050dc5a7f0e5cc6c0487e7283a11

SHA256
4024661823fcec274145c8b5ca48f0048696624e18ba19cdd09a55d201fafefb

SHA512
50fe120433fa4ec640f4609f5511842ea1cb16c893bf043256cd1ff43cdcbb21b8ad291b77bac83339cf96578ea391c3d96fcf3ecdcf3a0eaebd4d7be0933ca8

Download Submit
\Users\Admin\AppData\Local\Temp\pyxuf.exe

Filesize
172KB

MD5
e6af2374cf2038537d2e2c47513e2436

SHA1
74763632ebcff88746f851264794de82d9076235

SHA256
ff4479160dac11da0dba98836d853ee66f2c0de41931be244373001d741b4c85

SHA512
2598a955f49c4b5b984b98d4a5c0f8216dc40cf2b8529d1971c5cbd24b744a38d1e06fabd383a6c35c3b5670f381970ee146eb41aa61df025b2231f046d0e8d4

Download Submit
\Users\Admin\AppData\Local\Temp\ytwec.exe

Filesize
337KB

MD5
44b7774f5dd49be7afde5a5a415321aa

SHA1
7a30263c295e98c8ffcfcbe8826f11017016fb35

SHA256
00a859dc5d00e3fb4871baa18573f48d53a9de70ef6aac1bb78bd601a36dca1e

SHA512
f9c29992d7e8a0a2cfb0e442ab2dcc2dbe2584cf943d0e43773f13151b3d24eb383242ac5caed08101cf58bb94dfa4de34850192e31e26012ee09c5f30639fe8

Download Submit
memory/1064-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1064-0-0x00000000003B0000-0x0000000000431000-memory.dmp

Filesize
516KB

Download
memory/1064-9-0x00000000025D0000-0x0000000002651000-memory.dmp

Filesize
516KB

Download
memory/1064-20-0x00000000003B0000-0x0000000000431000-memory.dmp

Filesize
516KB

Download
memory/1784-43-0x0000000000200000-0x0000000000299000-memory.dmp

Filesize
612KB

Download
memory/1784-40-0x0000000000200000-0x0000000000299000-memory.dmp

Filesize
612KB

Download
memory/1784-45-0x0000000000200000-0x0000000000299000-memory.dmp

Filesize
612KB

Download
memory/1784-46-0x0000000000200000-0x0000000000299000-memory.dmp

Filesize
612KB

Download
memory/1784-47-0x0000000000200000-0x0000000000299000-memory.dmp

Filesize
612KB

Download
memory/1784-48-0x0000000000200000-0x0000000000299000-memory.dmp

Filesize
612KB

Download
memory/1784-49-0x0000000000200000-0x0000000000299000-memory.dmp

Filesize
612KB

Download
memory/2736-23-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/2736-38-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/2736-17-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/2736-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download