urelas | da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe
Size

537KB
MD5

426c78ee2009d2fbb2d82175efc7ba0d
SHA1

efc24b7755e13b36d932134e72b69b90c7e474c9
SHA256

da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877
SHA512

7cb83253a06f495fb061aa20ad47e126924422548ce221b5b723fea612a9e03a3ed5f0d5ee7abad64decf0c5442b4325275ef092f3f4d70047e0ea39693d3c08
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP2:q0P/k4lb2wKat2

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1028	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2532	futuo.exe
1992	tyybd.exe

Loads dropped DLL 2 IoCs

pid	Process
1268	da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe
2532	futuo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tyybd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futuo.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe
1992	tyybd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2532	1268	da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe	31
PID 1268 wrote to memory of 2532	1268	da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe	31
PID 1268 wrote to memory of 2532	1268	da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe	31
PID 1268 wrote to memory of 2532	1268	da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe	31
PID 1268 wrote to memory of 1028	1268	da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe	32
PID 1268 wrote to memory of 1028	1268	da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe	32
PID 1268 wrote to memory of 1028	1268	da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe	32
PID 1268 wrote to memory of 1028	1268	da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe	32
PID 2532 wrote to memory of 1992	2532	futuo.exe	35
PID 2532 wrote to memory of 1992	2532	futuo.exe	35
PID 2532 wrote to memory of 1992	2532	futuo.exe	35
PID 2532 wrote to memory of 1992	2532	futuo.exe	35

C:\Users\Admin\AppData\Local\Temp\da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe
"C:\Users\Admin\AppData\Local\Temp\da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\futuo.exe
  "C:\Users\Admin\AppData\Local\Temp\futuo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\tyybd.exe
    "C:\Users\Admin\AppData\Local\Temp\tyybd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c4efe819e2366edec7d643c69ee8a49b

SHA1
f244dbef613b9c583e0c6c1819d6dd5aede1d309

SHA256
b0283a7d0ebc3a71c143d882e70a5719a2554ed47d5f22d2cefdcbe5bc2d9e89

SHA512
2cac26a8d2d97fcc700e2270774d8e9c8e767a49285cc95d6ef29e80aa80026d8fa34e8100adb1fe221fc4ae68c8112c20a1c169eaebcceab559f46228a066f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
290364ebed242a3ada59226342920980

SHA1
7f0bb809b12ae537d648566fb732cee5fc975934

SHA256
410339b38c11779ce0f6f566cc07de9b5ee2f6a6f484788c2bf5268a7d07225d

SHA512
3c8ceb69ec1886c2132654f9df938e4ea07e79d27f9edc7e7ffb36e90db014a74009e190d2c85f75e26e80b8cf341d4b095ae4247802946764af1d83f38b7ffc

Download Submit
\Users\Admin\AppData\Local\Temp\futuo.exe

Filesize
537KB

MD5
c2c0aea451cbd8f49b67f7c7e3710067

SHA1
09f4c4d750300d75e4bd6d92564ca0c15c72cab9

SHA256
ebaaf423ebcef9844ac620b31d3549ca9417e088f20b4d7ff1bf663a89676722

SHA512
05587a6d282f1f31c47d8eb051fe60d42edd450f63e2888fcef66c7d9487980529210dfc7102819c39a1ac642bbbc4486e21337b6b5679c48a6195f3adf1eaa3

Download Submit
\Users\Admin\AppData\Local\Temp\tyybd.exe

Filesize
236KB

MD5
55cd2533d1fdbfdaa357a28d9fc2dbf4

SHA1
612c44127c949d493ca1a72b3830afbd99b1829c

SHA256
344be5acf5d42d7cb796bfca420e64dd3fcb7edc1329dc77fe4795b37972e607

SHA512
bc08ee45654f26f9c0bbfb62c1a4d303d180f61a05bb1ae34a6d253a8fbead954c037a52884eee5a3ed87ba02eb074ffe90bd44c51686e2c5df45d86aa726f2a

Download Submit
memory/1268-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1268-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1992-31-0x0000000000BA0000-0x0000000000C43000-memory.dmp

Filesize
652KB

Download
memory/1992-34-0x0000000000BA0000-0x0000000000C43000-memory.dmp

Filesize
652KB

Download
memory/1992-33-0x0000000000BA0000-0x0000000000C43000-memory.dmp

Filesize
652KB

Download
memory/1992-32-0x0000000000BA0000-0x0000000000C43000-memory.dmp

Filesize
652KB

Download
memory/1992-30-0x0000000000BA0000-0x0000000000C43000-memory.dmp

Filesize
652KB

Download
memory/2532-20-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2532-27-0x0000000003330000-0x00000000033D3000-memory.dmp

Filesize
652KB

Download
memory/2532-26-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2532-9-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download