urelas | 03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe
Size

537KB
MD5

cd8f8d72550c4fc793b2da453251ae5a
SHA1

7856e981408deea7ff865db131f03b7417175c38
SHA256

03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865
SHA512

815d0a545504969a977aea9c6c976532275344a5f556cabe57f4a5f683fd02054f54fe01cd1d77412f25edd254363fdb3f24d47282529a1d80cf7de438e4e8fb
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP3:q0P/k4lb2wKat3

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2920	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2004	uvkaq.exe
3016	ubyvw.exe

Loads dropped DLL 2 IoCs

pid	Process
1744	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe
2004	uvkaq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvkaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ubyvw.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe
3016	ubyvw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2004	1744	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	30
PID 1744 wrote to memory of 2004	1744	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	30
PID 1744 wrote to memory of 2004	1744	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	30
PID 1744 wrote to memory of 2004	1744	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	30
PID 1744 wrote to memory of 2920	1744	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	31
PID 1744 wrote to memory of 2920	1744	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	31
PID 1744 wrote to memory of 2920	1744	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	31
PID 1744 wrote to memory of 2920	1744	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	31
PID 2004 wrote to memory of 3016	2004	uvkaq.exe	34
PID 2004 wrote to memory of 3016	2004	uvkaq.exe	34
PID 2004 wrote to memory of 3016	2004	uvkaq.exe	34
PID 2004 wrote to memory of 3016	2004	uvkaq.exe	34

C:\Users\Admin\AppData\Local\Temp\03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe
"C:\Users\Admin\AppData\Local\Temp\03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\uvkaq.exe
  "C:\Users\Admin\AppData\Local\Temp\uvkaq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\ubyvw.exe
    "C:\Users\Admin\AppData\Local\Temp\ubyvw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
37dac236676a663a57ed8089ca8225f7

SHA1
0a5b5119067a9dcb2a19f3b0a1732527c857e664

SHA256
b9130b9721de831ae89992a64bef70d6d7561403b4f45903c8f534da6cebf059

SHA512
bfbb2da2f9d9929105308462d60c1ba9e3fe1819d89e8f216744a68baf9fcee225eb9bf1efcaad6d46a6dc2bd7ab55649756d48705105efac2fad4942746ec5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4301d13072c103d5e184b0217740466e

SHA1
19d4eb9ee67d676a403662c08346151f274e554a

SHA256
f418d7970cb5cab3299f21ceb166c21e18ea57e2e1ccffbb3021a6229b4122ee

SHA512
b9be4bb2ff6218d3f715cb414cb1df0ce25093135c84e3d7642d5235d5549ea5741b502b1ce072fad744f6fd2cfa4793fe7f713ff60065c21f2b21b39b089f3a

Download Submit
\Users\Admin\AppData\Local\Temp\ubyvw.exe

Filesize
236KB

MD5
35b3ffb90991f6955d34c7fe86981bbd

SHA1
fd1a7332c3b2012e2842f292179ca28c01d78a3e

SHA256
9939c8d4e3a201354c8c6e0369dc371a8e03e79e54dc168f1b6a03a3a69a58e2

SHA512
d74d0db1fd9897812b008193b343a57cb9c2d3779cb704d30a41177fd21752a4ebd35bc88533b9d28cda0a1305a1c01e318823cb70d8d80b2683a439074b6609

Download Submit
\Users\Admin\AppData\Local\Temp\uvkaq.exe

Filesize
537KB

MD5
ed82e827af39068822e4664756523a21

SHA1
7113c156ff0f2a9b9b7f144532ecf06d64bc763e

SHA256
a84c10addafaddc42975edf63efca20b1b6ce7c5589a93619df98cc33fb98b87

SHA512
30b1c3b969702a8a1b370691b244e6ea54eb7bda3f97bbf4d90107cdc0dc4834e514f8988fbadb50f65f02b775cffc93285ff99478a5ea2bb1316205d57b903b

Download Submit
memory/1744-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1744-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2004-28-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2004-9-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2004-20-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2004-26-0x0000000003BF0000-0x0000000003C93000-memory.dmp

Filesize
652KB

Download
memory/3016-29-0x0000000000130000-0x00000000001D3000-memory.dmp

Filesize
652KB

Download
memory/3016-31-0x0000000000130000-0x00000000001D3000-memory.dmp

Filesize
652KB

Download
memory/3016-32-0x0000000000130000-0x00000000001D3000-memory.dmp

Filesize
652KB

Download
memory/3016-33-0x0000000000130000-0x00000000001D3000-memory.dmp

Filesize
652KB

Download
memory/3016-34-0x0000000000130000-0x00000000001D3000-memory.dmp

Filesize
652KB

Download
memory/3016-35-0x0000000000130000-0x00000000001D3000-memory.dmp

Filesize
652KB

Download