urelas | 635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe
Size

331KB
MD5

e03c1b27b6239ebea9c12494b4f912cb
SHA1

a50459987dfa39124e5580ff86e8f25c71d512b9
SHA256

635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11
SHA512

cb720e4c0c66faed2098a2464c8518ba21fa874eda9d09bd57c9d4bfbc11382cfa2d001e53b7832b0b2b63c9f88ebcf3bb6d4312767e61f002e6381bddf460ec
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOFr:vHW138/iXWlK885rKlGSekcj66ciqr

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1424	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

axquk.exereqig.exe

pid	Process
2324	axquk.exe
584	reqig.exe

Loads dropped DLL 2 IoCs

Processes:

635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exeaxquk.exe

pid	Process
1668	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe
2324	axquk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

axquk.execmd.exereqig.exe635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axquk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reqig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

reqig.exe

pid	Process
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe
584	reqig.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exeaxquk.exe

description	pid	Process	procid_target
PID 1668 wrote to memory of 2324	1668	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	31
PID 1668 wrote to memory of 2324	1668	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	31
PID 1668 wrote to memory of 2324	1668	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	31
PID 1668 wrote to memory of 2324	1668	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	31
PID 1668 wrote to memory of 1424	1668	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	32
PID 1668 wrote to memory of 1424	1668	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	32
PID 1668 wrote to memory of 1424	1668	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	32
PID 1668 wrote to memory of 1424	1668	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	32
PID 2324 wrote to memory of 584	2324	axquk.exe	34
PID 2324 wrote to memory of 584	2324	axquk.exe	34
PID 2324 wrote to memory of 584	2324	axquk.exe	34
PID 2324 wrote to memory of 584	2324	axquk.exe	34

C:\Users\Admin\AppData\Local\Temp\635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe
"C:\Users\Admin\AppData\Local\Temp\635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\axquk.exe
  "C:\Users\Admin\AppData\Local\Temp\axquk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\reqig.exe
    "C:\Users\Admin\AppData\Local\Temp\reqig.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
d98649b4f98a9524d418f6db6f8a62ee

SHA1
a17919e3b7075d8838509d2a734ba07cd25a90b8

SHA256
bbb64a9ea757f086fb04bb74b2db5a2258b3059672828ff33fc2db142e5334c2

SHA512
8f7559df132bed14b9624c48b5c01c0a0a4194343902f7c472a827f149afacdd9dc2eaf75b25cb9d34a7539672cb28f19c6fec6e2ac748270f5aa8eddc396d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0ec27adc3c85605a3796e748eaa92644

SHA1
5c6e0d97e5c2941c442a8605faa331e0a7228ffb

SHA256
0f369977d3b9d5494e16d7f0696dee92042b031179225eef47cebb9cab12bc57

SHA512
7f7c8efde5646a9314ff68a3463b70cde1fd60b3471a4e49f8e241df40fb5f2900f8a0f346be825dc0da7e5f2fcef5553bc2642e877f5eaf6938259acb945a5e

Download Submit
\Users\Admin\AppData\Local\Temp\axquk.exe

Filesize
331KB

MD5
1061798569587a7e75ceefb6a92be71b

SHA1
1515c51b950ca96f644c312ba78168365d4d4d0f

SHA256
694e37e90a974a10923380036f663ce8c255feb9fbb7e3712e29d17ac793237f

SHA512
d9ad676f962ab33d89aac029e9b0e22651789fc16d8f71585eb619776bed857196e56638384970503436a290f58ec60297ef9b23bdb54daca58bde6dbfa207b9

Download Submit
\Users\Admin\AppData\Local\Temp\reqig.exe

Filesize
172KB

MD5
0210f6cbfd0205d1e5844a52d8c4dd0e

SHA1
b05f35204cff59efd7ed326f774054d65d0b79ec

SHA256
fb430de8fa7b0014c75c3970ea57853ede82dcb67834866e6785f3dbaf777955

SHA512
d887e52d599afdd4712edd8774c32d4e1b9402106705649e45622fa3f3c54db88834c14f8ac71990bb593876b0a6ab223e1423ea8dea1d6ced46d664336f0e9a

Download Submit
memory/584-47-0x00000000009B0000-0x0000000000A49000-memory.dmp

Filesize
612KB

Download
memory/584-43-0x00000000009B0000-0x0000000000A49000-memory.dmp

Filesize
612KB

Download
memory/584-51-0x00000000009B0000-0x0000000000A49000-memory.dmp

Filesize
612KB

Download
memory/584-50-0x00000000009B0000-0x0000000000A49000-memory.dmp

Filesize
612KB

Download
memory/584-49-0x00000000009B0000-0x0000000000A49000-memory.dmp

Filesize
612KB

Download
memory/584-48-0x00000000009B0000-0x0000000000A49000-memory.dmp

Filesize
612KB

Download
memory/584-42-0x00000000009B0000-0x0000000000A49000-memory.dmp

Filesize
612KB

Download
memory/1668-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1668-0-0x0000000000FF0000-0x0000000001071000-memory.dmp

Filesize
516KB

Download
memory/1668-7-0x0000000000F60000-0x0000000000FE1000-memory.dmp

Filesize
516KB

Download
memory/1668-21-0x0000000000FF0000-0x0000000001071000-memory.dmp

Filesize
516KB

Download
memory/2324-41-0x0000000003450000-0x00000000034E9000-memory.dmp

Filesize
612KB

Download
memory/2324-40-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/2324-11-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/2324-24-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/2324-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download