urelas | e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe
Size

533KB
MD5

d0b820b8854a6713fa4ca98a72441157
SHA1

afd9ecb1355f66c507294bc3f7667e61dc902f69
SHA256

e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113
SHA512

6712db2173af63d253b06af6ab58c193683ed970eb4c4ecb3cad4c9d8d69eb6591bc6c77ed8295957e5a7e15d4fa8f6a5e49c4779eb52b50038142be5e1f2d26
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP8:q0P/k4lb2wKat8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2944	wymuy.exe
324	rasir.exe

Loads dropped DLL 2 IoCs

pid	Process
2084	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe
2944	wymuy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wymuy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rasir.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe
324	rasir.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2944	2084	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	30
PID 2084 wrote to memory of 2944	2084	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	30
PID 2084 wrote to memory of 2944	2084	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	30
PID 2084 wrote to memory of 2944	2084	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	30
PID 2084 wrote to memory of 2544	2084	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	31
PID 2084 wrote to memory of 2544	2084	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	31
PID 2084 wrote to memory of 2544	2084	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	31
PID 2084 wrote to memory of 2544	2084	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	31
PID 2944 wrote to memory of 324	2944	wymuy.exe	34
PID 2944 wrote to memory of 324	2944	wymuy.exe	34
PID 2944 wrote to memory of 324	2944	wymuy.exe	34
PID 2944 wrote to memory of 324	2944	wymuy.exe	34

C:\Users\Admin\AppData\Local\Temp\e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe
"C:\Users\Admin\AppData\Local\Temp\e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\wymuy.exe
  "C:\Users\Admin\AppData\Local\Temp\wymuy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\rasir.exe
    "C:\Users\Admin\AppData\Local\Temp\rasir.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
7b52d06d75d584f893caa0360974f8bf

SHA1
d5a239225dfd50d20337283adcd31ae8ccf860c8

SHA256
43b69aee365c7c59018d2457e278dddaa48cabd8a32bb4f87ef707fa5addc371

SHA512
be019af072302252e89f38cc9457e7b36f792297b834d375be0ca595ae3a715fe2fa1f68fe0654c23e1288eb1c483b74defa680ab69c0e360083ae4b54429e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
85f83fc84385c354b3c4b16583f347d3

SHA1
01544de32d5c311f020dc92954bc9efdda41c592

SHA256
7680b63eded19f78ec1b88448c477c9e9c6680461b02d6346b1a72632c291ed1

SHA512
c9a91c21e69731c5e4abaa88a4ddcd2a2ca0f79ad899f8b7745c490a1ee34200e98c25e45f9b949658d5c69d408e4a2a1933760abe3ace05a1593b5824df7e33

Download Submit
\Users\Admin\AppData\Local\Temp\rasir.exe

Filesize
236KB

MD5
77e169b116adc4b82107411766c80b1d

SHA1
8960b34af765f0150ea80c6addc61542f89c12d2

SHA256
200fe0120c90e367a8252713702a88f00c2900fa304e7ce9178ff82b75fffdf2

SHA512
2ad0768e57739e2581c240b2fb2c6cb5f5973e5ac15d576a9293522c25df614af883d06347fca6bedc25aa0945243f5b142b3ca2ec26671130573d4ba16a957c

Download Submit
\Users\Admin\AppData\Local\Temp\wymuy.exe

Filesize
533KB

MD5
0b5f80390a5a0b58ec882d24ec91b8cb

SHA1
f9f08c85a68f3ee7eef3804f39556d75f9c8d67d

SHA256
f3957f7ca5748097511bccfc7d7f6c61800bd20348541252a4c486e58161b4b2

SHA512
0d1a82e0c3c755e336fdbdb104d3eea2a2b48f5e06f2b29e76963b4f365361d780c2a8d3da1c5d3c564428dbc6be702258564a436ad40f3c6a52675e075b29da

Download Submit
memory/324-31-0x00000000001B0000-0x0000000000253000-memory.dmp

Filesize
652KB

Download
memory/324-35-0x00000000001B0000-0x0000000000253000-memory.dmp

Filesize
652KB

Download
memory/324-34-0x00000000001B0000-0x0000000000253000-memory.dmp

Filesize
652KB

Download
memory/324-33-0x00000000001B0000-0x0000000000253000-memory.dmp

Filesize
652KB

Download
memory/324-32-0x00000000001B0000-0x0000000000253000-memory.dmp

Filesize
652KB

Download
memory/324-29-0x00000000001B0000-0x0000000000253000-memory.dmp

Filesize
652KB

Download
memory/2084-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2084-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2944-25-0x0000000003EC0000-0x0000000003F63000-memory.dmp

Filesize
652KB

Download
memory/2944-28-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2944-20-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2944-15-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download