urelas | 3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
Size

537KB
MD5

d8d3f06c0e9aea69858a74a5fec62a7a
SHA1

7a041b1f9fcd3d3fdd32b16c13d3780022c76be6
SHA256

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731
SHA512

58a0794cb708db9dcd08326efdbf09175f906b03229f0bdd3411059d0d0fd057a2a2a0a4e500375fa0a8d21302fcf96726be4565b92af9e5d240a64f6d1ec3e7
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP8:q0P/k4lb2wKat8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2712	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

poejo.exeronoi.exe

pid	Process
2088	poejo.exe
2424	ronoi.exe

Loads dropped DLL 2 IoCs

Processes:

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exepoejo.exe

pid	Process
1128	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
2088	poejo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exepoejo.execmd.exeronoi.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poejo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronoi.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

ronoi.exe

pid	Process
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe
2424	ronoi.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exepoejo.exe

description	pid	Process	procid_target
PID 1128 wrote to memory of 2088	1128	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	31
PID 1128 wrote to memory of 2088	1128	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	31
PID 1128 wrote to memory of 2088	1128	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	31
PID 1128 wrote to memory of 2088	1128	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	31
PID 1128 wrote to memory of 2712	1128	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	32
PID 1128 wrote to memory of 2712	1128	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	32
PID 1128 wrote to memory of 2712	1128	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	32
PID 1128 wrote to memory of 2712	1128	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	32
PID 2088 wrote to memory of 2424	2088	poejo.exe	35
PID 2088 wrote to memory of 2424	2088	poejo.exe	35
PID 2088 wrote to memory of 2424	2088	poejo.exe	35
PID 2088 wrote to memory of 2424	2088	poejo.exe	35

C:\Users\Admin\AppData\Local\Temp\3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
"C:\Users\Admin\AppData\Local\Temp\3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\poejo.exe
  "C:\Users\Admin\AppData\Local\Temp\poejo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\ronoi.exe
    "C:\Users\Admin\AppData\Local\Temp\ronoi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3647d5e7ac42a51cbda230969692b578

SHA1
69008a4017886dc9dc03e35e270c0b0a6f0d16c3

SHA256
65d2e40876acecbf4845a8918792e6b3c3ec4902bbac03e4a8b491d5e019eb9e

SHA512
4067b6a4667bf14d2f2f097a334d8c8ce25643df177d835c5b9fea64c020a225319a4402e51e5a6607665eddcbe45538bc8f558b3683d3c7675beb8b6059794f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
876863e9fa6bccf98ca2a02ee743a4c2

SHA1
c88b72b16c3302029165a63b97b87dc1ba80f37e

SHA256
5d15d840586c2bbc5770176dffe5ab6b60269330c3da115b26b5a3727c3abfbc

SHA512
07d045a21a73f9e0bf98090227ea078f97942dcc6a8a68b962fd359d8ef0bd00a2e280098bde8e595457b2ee972bbf8d3dc3965947b078ac2b36db56ff10d01a

Download Submit
\Users\Admin\AppData\Local\Temp\poejo.exe

Filesize
537KB

MD5
080284e2eef902052f19ead604086871

SHA1
8f09e8d368a9faf0451881b895eddb2a7d747fe4

SHA256
059f0c9ed3c6bc4318707a64de16a54e658501e08ebfe3d63008141e7f2ea8d0

SHA512
c2676ec0389b41a568ab875e3339566ff592f0e4825440800207cc2cf61ecca5754f282c82a1b029417fc3f16b0b32e05df4700cd837c491fe719d09996b01b1

Download Submit
\Users\Admin\AppData\Local\Temp\ronoi.exe

Filesize
236KB

MD5
b440eb472f6ceea9364babb46f71b7d0

SHA1
c2da42e11fed2c138cc463776dee69cbdb989f58

SHA256
86307e9bf7ba34051cbf0d39f23df46952850feecdfc210272178a423e73a348

SHA512
1f621b6e63fe3cded890ba96bcf2ce9e7f2382808c2a580b474b1775c5eaf5eca2d8d575073ae680602e83d1d51269773031a54463405b9f0d0f6b424848cdb0

Download Submit
memory/1128-8-0x0000000002720000-0x00000000027AC000-memory.dmp

Filesize
560KB

Download
memory/1128-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1128-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2088-25-0x0000000002290000-0x0000000002333000-memory.dmp

Filesize
652KB

Download
memory/2088-20-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2088-27-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2424-29-0x0000000000B20000-0x0000000000BC3000-memory.dmp

Filesize
652KB

Download
memory/2424-31-0x0000000000B20000-0x0000000000BC3000-memory.dmp

Filesize
652KB

Download
memory/2424-32-0x0000000000B20000-0x0000000000BC3000-memory.dmp

Filesize
652KB

Download
memory/2424-33-0x0000000000B20000-0x0000000000BC3000-memory.dmp

Filesize
652KB

Download
memory/2424-34-0x0000000000B20000-0x0000000000BC3000-memory.dmp

Filesize
652KB

Download
memory/2424-35-0x0000000000B20000-0x0000000000BC3000-memory.dmp

Filesize
652KB

Download