urelas | d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc

Analysis

max time kernel
150s
max time network
83s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe
Size

327KB
MD5

21aa8a97134af1d02680d1663104bff5
SHA1

831ddd59a95c1c636e5a436e759ca8e2ce92cb87
SHA256

d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc
SHA512

be46e879c6295a7894ca01bf70e5a0ad41eed05977f6b37f334cdf798d7ec0d0ad7199c70cfef5eef1061e6218cbe4a24855949cb7891c7e28cbfd8a00e854ad
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYA:vHW138/iXWlK885rKlGSekcj66ci7

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2912	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
872	uggei.exe
2860	semov.exe

Loads dropped DLL 2 IoCs

pid	Process
1688	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe
872	uggei.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uggei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	semov.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe
2860	semov.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 872	1688	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe	30
PID 1688 wrote to memory of 872	1688	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe	30
PID 1688 wrote to memory of 872	1688	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe	30
PID 1688 wrote to memory of 872	1688	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe	30
PID 1688 wrote to memory of 2912	1688	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe	31
PID 1688 wrote to memory of 2912	1688	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe	31
PID 1688 wrote to memory of 2912	1688	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe	31
PID 1688 wrote to memory of 2912	1688	d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe	31
PID 872 wrote to memory of 2860	872	uggei.exe	34
PID 872 wrote to memory of 2860	872	uggei.exe	34
PID 872 wrote to memory of 2860	872	uggei.exe	34
PID 872 wrote to memory of 2860	872	uggei.exe	34

C:\Users\Admin\AppData\Local\Temp\d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe
"C:\Users\Admin\AppData\Local\Temp\d1b20cc74a975e8eb83c41cfa9105f03b5fd676ec99ee3b551ca004623effabc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\uggei.exe
  "C:\Users\Admin\AppData\Local\Temp\uggei.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\semov.exe
    "C:\Users\Admin\AppData\Local\Temp\semov.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
1b9ff2150ddd1e9755f7aa1e4a0f45e5

SHA1
54de279e4de57893783f503bdc41ea27aa7f0bf7

SHA256
ff1093f77a866b52f10cdf6488e5a1496abda1f80a8a9ae00fe5e5c02a7070b8

SHA512
839cf53d4563e0ec6d825e302b00d5fb66fc29cc31845dfaf3137cc135b95497efc88f5c48603f104b525ed0d0693958c2f83b6660ec3bfa2b3d7e2af47c8108

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c239206d6abb22098bc026f8a1fec63b

SHA1
5593e904f23b7d8f44764937942ac171529a2ee8

SHA256
e60fc7f4d918e03eb02fd5f9f5df7669d53622398faeec5a0223d336e9eb0bc7

SHA512
53cd1a441d484917357b1e23482341997768c47068e1482f7fd88194021c3a8c672ffa85d40e79866c0a834df50b6afb8d431838289e6afe8932b4eabd720d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\semov.exe

Filesize
172KB

MD5
586668de99a0c0a4ecca2155e7d36fa4

SHA1
3be25e6061c63efef722489c4ff8949daade6a94

SHA256
6e7bc4a7741dbe0b0b623e54310d5a2067adc386b8af804ac6e16a952fe511bf

SHA512
15435314651eb19d7b39eab5a5bedcb1429ee0f224eee584a40fa4a70e5ee44b795718517a5bd0b27c107af7791161980c1e0780c5fd6b86c892ec38f380e836

Download Submit
C:\Users\Admin\AppData\Local\Temp\uggei.exe

Filesize
327KB

MD5
7db5232c09e0565a320ec3b7eca49178

SHA1
627cdb761cde6c8b838a542c573b94c8ce466559

SHA256
f723e7876905367c0d43bab64b557b72052966411ee85f49ca4767fa3d153a19

SHA512
bc932abbce617e9b6b8f63bc356cd87a7d1a3eeff8537dd61f0207a7114fb29a02fb05e7ee6821faddf30861dde0088718554de36b97f36c815f551d53ea8c09

Download Submit
\Users\Admin\AppData\Local\Temp\uggei.exe

Filesize
327KB

MD5
94f7190de342c11fcd82dceb31b87984

SHA1
5bcf1b1cbcd298736d6f6248a0ca3cfb915e6bdb

SHA256
91935e13e5b7b6160c3ba548bb53f7accdbfcdb36805c942de4e3da078c44d34

SHA512
baa59c11d4533c6c6448bab6dcb4325b5beb8690e72821d3ae8a751ad1879a91fa05f8763fb6dfbbb0d163faa1f30cac55ed410c20393e67a2d37135b15220ec

Download Submit
memory/872-38-0x00000000009E0000-0x0000000000A61000-memory.dmp

Filesize
516KB

Download
memory/872-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/872-23-0x00000000009E0000-0x0000000000A61000-memory.dmp

Filesize
516KB

Download
memory/872-11-0x00000000009E0000-0x0000000000A61000-memory.dmp

Filesize
516KB

Download
memory/1688-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1688-20-0x0000000000AD0000-0x0000000000B51000-memory.dmp

Filesize
516KB

Download
memory/1688-0-0x0000000000AD0000-0x0000000000B51000-memory.dmp

Filesize
516KB

Download
memory/1688-8-0x00000000028C0000-0x0000000002941000-memory.dmp

Filesize
516KB

Download
memory/2860-41-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2860-40-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2860-46-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2860-47-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2860-48-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2860-49-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2860-50-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download