urelas | 635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11

Analysis

max time kernel
150s
max time network
96s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe
Size

331KB
MD5

e03c1b27b6239ebea9c12494b4f912cb
SHA1

a50459987dfa39124e5580ff86e8f25c71d512b9
SHA256

635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11
SHA512

cb720e4c0c66faed2098a2464c8518ba21fa874eda9d09bd57c9d4bfbc11382cfa2d001e53b7832b0b2b63c9f88ebcf3bb6d4312767e61f002e6381bddf460ec
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOFr:vHW138/iXWlK885rKlGSekcj66ciqr

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
828	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

lowal.exejowex.exe

pid	Process
2144	lowal.exe
2336	jowex.exe

Loads dropped DLL 2 IoCs

Processes:

635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exelowal.exe

pid	Process
1276	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe
2144	lowal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exelowal.execmd.exejowex.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lowal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jowex.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

jowex.exe

pid	Process
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe
2336	jowex.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exelowal.exe

description	pid	Process	procid_target
PID 1276 wrote to memory of 2144	1276	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	29
PID 1276 wrote to memory of 2144	1276	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	29
PID 1276 wrote to memory of 2144	1276	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	29
PID 1276 wrote to memory of 2144	1276	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	29
PID 1276 wrote to memory of 828	1276	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	30
PID 1276 wrote to memory of 828	1276	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	30
PID 1276 wrote to memory of 828	1276	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	30
PID 1276 wrote to memory of 828	1276	635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe	30
PID 2144 wrote to memory of 2336	2144	lowal.exe	32
PID 2144 wrote to memory of 2336	2144	lowal.exe	32
PID 2144 wrote to memory of 2336	2144	lowal.exe	32
PID 2144 wrote to memory of 2336	2144	lowal.exe	32

C:\Users\Admin\AppData\Local\Temp\635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe
"C:\Users\Admin\AppData\Local\Temp\635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\lowal.exe
  "C:\Users\Admin\AppData\Local\Temp\lowal.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\jowex.exe
    "C:\Users\Admin\AppData\Local\Temp\jowex.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
d98649b4f98a9524d418f6db6f8a62ee

SHA1
a17919e3b7075d8838509d2a734ba07cd25a90b8

SHA256
bbb64a9ea757f086fb04bb74b2db5a2258b3059672828ff33fc2db142e5334c2

SHA512
8f7559df132bed14b9624c48b5c01c0a0a4194343902f7c472a827f149afacdd9dc2eaf75b25cb9d34a7539672cb28f19c6fec6e2ac748270f5aa8eddc396d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
40276c3c7abf15a2e1ce7d932264a61c

SHA1
d537f9e08f3dfc2c40a11cbd5c824bf30fb5cdd9

SHA256
24a851f78f9d783b2b13782d109c806b46d8baa8abb8908d674f4cafdb204926

SHA512
e6f8522ab3bb2c0aef6783fa523bb46af30f810a073ea401b9f851fcc67a66ecaced314bf394e9ab3dbbaace359c37f595ff93bffadceba0b5fb2cea412c489c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lowal.exe

Filesize
331KB

MD5
f7e58446512c51efac60e4d410218577

SHA1
0635a9bf9ea55a455ac47c22f6b21f10504e9d83

SHA256
71f010c600ee5ea37745f410f7741532add29a9a340cd09804b7cf3d4278156d

SHA512
8bda343fb0a08aa3460e2ee1d3c826560bbd8534c7f5cbb68ff4bb52dae3fe76d12a49730d903f6cc9900fa04e93b66b80a4a26556efceb3cb898dd037faf9ec

Download Submit
\Users\Admin\AppData\Local\Temp\jowex.exe

Filesize
172KB

MD5
4de629709134fd63f19c984bf54a1736

SHA1
43e5336ffdfe88a58efdc8995122a2ae7c5b8295

SHA256
e39eb1f35ad1cdd8669a49e9e5a1148cfb0ee02d81f20c115ecf0b22116b8555

SHA512
7dc268a8ffbd1478a21bd2728cc236e6f87276c2b4705f8113b9fc4a41fde6ecf2d875ea0bbd428ef779ff72409358b28a8581e43e107ca06a34d25d459c3cb1

Download Submit
\Users\Admin\AppData\Local\Temp\lowal.exe

Filesize
331KB

MD5
4753dee1b10157f1e3bd6895669dfe47

SHA1
97822caf70c703578f2523e264d4cc51d1b0c20b

SHA256
e6be5a5ba5feb6eccd15999c3836688f5881185f9ee54b519403250ccd7a5ab2

SHA512
1de7ac594e1d8ffb09c0a4f430dabdbd3b7fa6f701a3fd9d8b5157574ed2e4d263f35a270bbde44e0e2a8c083cfc77a9a9a4beb51437b1534cdd7b1eec62ea4a

Download Submit
memory/1276-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1276-7-0x00000000010D0000-0x0000000001151000-memory.dmp

Filesize
516KB

Download
memory/1276-20-0x0000000001180000-0x0000000001201000-memory.dmp

Filesize
516KB

Download
memory/1276-0-0x0000000001180000-0x0000000001201000-memory.dmp

Filesize
516KB

Download
memory/2144-40-0x0000000000140000-0x00000000001C1000-memory.dmp

Filesize
516KB

Download
memory/2144-23-0x0000000000140000-0x00000000001C1000-memory.dmp

Filesize
516KB

Download
memory/2144-37-0x00000000036A0000-0x0000000003739000-memory.dmp

Filesize
612KB

Download
memory/2144-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2336-41-0x00000000010B0000-0x0000000001149000-memory.dmp

Filesize
612KB

Download
memory/2336-42-0x00000000010B0000-0x0000000001149000-memory.dmp

Filesize
612KB

Download
memory/2336-47-0x00000000010B0000-0x0000000001149000-memory.dmp

Filesize
612KB

Download
memory/2336-48-0x00000000010B0000-0x0000000001149000-memory.dmp

Filesize
612KB

Download
memory/2336-49-0x00000000010B0000-0x0000000001149000-memory.dmp

Filesize
612KB

Download
memory/2336-50-0x00000000010B0000-0x0000000001149000-memory.dmp

Filesize
612KB

Download
memory/2336-51-0x00000000010B0000-0x0000000001149000-memory.dmp

Filesize
612KB

Download