urelas | 914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04

Analysis

max time kernel
150s
max time network
95s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe
Size

440KB
MD5

2fdc20c1e32fa67a507b5ffca485c8c2
SHA1

0b6d7cf42541f7127679a98c0e998349e15ee8f4
SHA256

914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04
SHA512

7ae476b7952eb479c3b7931ed71a7cf2c9f0894f5ccff2ad130c327f5a8b91f18c49c892a0a723e3ba3bc53194a39a56f7e58dce1de0a85ba6a425d136afc01a
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjC:oMpASIcWYx2U6hAJQnr

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2948	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

biujm.exerajyda.exetuojs.exe

pid	Process
1860	biujm.exe
2732	rajyda.exe
2084	tuojs.exe

Loads dropped DLL 3 IoCs

Processes:

914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exebiujm.exerajyda.exe

pid	Process
3004	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe
1860	biujm.exe
2732	rajyda.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rajyda.execmd.execmd.exetuojs.exe914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exebiujm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rajyda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tuojs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biujm.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

tuojs.exe

pid	Process
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe
2084	tuojs.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exebiujm.exerajyda.exe

description	pid	Process	procid_target
PID 3004 wrote to memory of 1860	3004	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	29
PID 3004 wrote to memory of 1860	3004	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	29
PID 3004 wrote to memory of 1860	3004	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	29
PID 3004 wrote to memory of 1860	3004	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	29
PID 3004 wrote to memory of 2948	3004	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	30
PID 3004 wrote to memory of 2948	3004	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	30
PID 3004 wrote to memory of 2948	3004	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	30
PID 3004 wrote to memory of 2948	3004	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	30
PID 1860 wrote to memory of 2732	1860	biujm.exe	32
PID 1860 wrote to memory of 2732	1860	biujm.exe	32
PID 1860 wrote to memory of 2732	1860	biujm.exe	32
PID 1860 wrote to memory of 2732	1860	biujm.exe	32
PID 2732 wrote to memory of 2084	2732	rajyda.exe	33
PID 2732 wrote to memory of 2084	2732	rajyda.exe	33
PID 2732 wrote to memory of 2084	2732	rajyda.exe	33
PID 2732 wrote to memory of 2084	2732	rajyda.exe	33
PID 2732 wrote to memory of 2816	2732	rajyda.exe	34
PID 2732 wrote to memory of 2816	2732	rajyda.exe	34
PID 2732 wrote to memory of 2816	2732	rajyda.exe	34
PID 2732 wrote to memory of 2816	2732	rajyda.exe	34

C:\Users\Admin\AppData\Local\Temp\914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe
"C:\Users\Admin\AppData\Local\Temp\914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\biujm.exe
  "C:\Users\Admin\AppData\Local\Temp\biujm.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\rajyda.exe
    "C:\Users\Admin\AppData\Local\Temp\rajyda.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\tuojs.exe
      "C:\Users\Admin\AppData\Local\Temp\tuojs.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2084
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
335337b9377ce25dc6f425bdb4710c04

SHA1
0e8d1b3a4625acfa3e90f192a756b9bd3cf2b459

SHA256
ecde50a9f50d9d109ba4263d4256a708da68f8c57f2354c35c5243df3fb35d98

SHA512
88e01ba11170f66387d77a4c558945845e6255a74f41da7a9c3ff1fa37d8ce7d6e13113e70a6546a56ad46e17da9d806c8e3c3b63308f865a90badabdc9a601d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c91287c818633a34eb953a524233278c

SHA1
b25787378e780237af5f41a690daa5cf972d9c22

SHA256
196aa329db85b7c8301c1d15555cf743df2beb48dacbbd58e334bb31cb6f61a1

SHA512
c4645165df2709e8338c2fde6a0b179596d99b7716c4ef3e1f764f2f55414951736dee52d32552004433b2c3fd4fd926bdd8ebc233101870b5ad03ee8187e5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
35b38988a44df63600d4113e1ce7191a

SHA1
a8f3d538d68758934b7ff02f36ec3f509bd94cbc

SHA256
4f11628ee7e0a8d08da3d8f0a6855660dac608f6c9c920c63c97767c43c49a9b

SHA512
fd60967ff6fcaac3a29c629d9b562580536e90c90d902b8622dc1fd2c31f867fa203304b9a9f324c6b8cf6fe6b76d9936b56cf67086f4adf65f20cba0515d6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rajyda.exe

Filesize
441KB

MD5
46b991f4376bc2fa855d24506c357ae9

SHA1
e437c715b7c9f518fefa713dd183e404925c0e09

SHA256
122fa2a75e272c436bc1e04a753f04e5536026d6943746d9ffd1ad3a9a904783

SHA512
dd986f3e9761e29ced025f285fac4a0154057d8c88c0d4ab757f8d63d1e9cb827fdba01dafc8fbf68ee234dd888d24ae90bbbfe499af27d54e7c3714bf09c62e

Download Submit
\Users\Admin\AppData\Local\Temp\biujm.exe

Filesize
440KB

MD5
8b6d0d5ec9918cf6f7a9b3259b0f27ac

SHA1
d883cc895022adcfc8eef382c49a90c4b6ec6ec6

SHA256
ffa5f1e67fa15ecf7827fdba69c4634e4c149a7971c0f68b58fc680cdf94f5ed

SHA512
2af11cf1210f40d955bdbbe1602658ab446ba74ce5aa80bf3996f1714bb02908d23fd06ac2dc9c26557d74fa78dcfd2c20ca9b8f59fac1b074da4be15572df23

Download Submit
\Users\Admin\AppData\Local\Temp\tuojs.exe

Filesize
223KB

MD5
7ef3789224b0233b1030260fb2eb3306

SHA1
18224a8b37e3f46bd0f55db5182dc1d27cd658de

SHA256
e9c4bc25f33f2764fc35268976db4d91d3bb35e83908326934c4aa40133781bf

SHA512
64ac67ad57ba755c95b0a78d5c338d86057d233f24eda36cd5df6713e8d34a151dbbf4c37b6d18572e2bc101dda6197ca7239a4a35b4e2893e0b822b64fe4f6a

Download Submit
memory/1860-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1860-24-0x0000000003080000-0x00000000030EE000-memory.dmp

Filesize
440KB

Download
memory/2084-52-0x0000000000810000-0x00000000008B0000-memory.dmp

Filesize
640KB

Download
memory/2084-51-0x0000000000810000-0x00000000008B0000-memory.dmp

Filesize
640KB

Download
memory/2084-48-0x0000000000810000-0x00000000008B0000-memory.dmp

Filesize
640KB

Download
memory/2084-50-0x0000000000810000-0x00000000008B0000-memory.dmp

Filesize
640KB

Download
memory/2084-49-0x0000000000810000-0x00000000008B0000-memory.dmp

Filesize
640KB

Download
memory/2732-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2732-44-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2732-35-0x00000000037E0000-0x0000000003880000-memory.dmp

Filesize
640KB

Download
memory/3004-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3004-22-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download