urelas | 9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe
Size

298KB
MD5

c67a987ab822839bc87ad45a05a02c5c
SHA1

7c28f3f391e504d0ff3c181cdcc7a01e93d566b6
SHA256

9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188
SHA512

f8f4a06efa8f0d3353a6ca716a8e75cc63d7971915a6b59312b2214cdd7cdb5e1b1320dae5cf7701a065de961d111d550bcdfbdc1dd8a81ffc284e161fc65e79
SSDEEP

6144:kN43gKpDPeVvnAmZ64XMxvQ4x1OpGcm9VQl0lM/oJ4/gupXS7:Y4npK2y8zzkGHVqoq/gKU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2056	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2072	popot.exe
1352	ihjys.exe

Loads dropped DLL 3 IoCs

pid	Process
2496	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe
2496	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe
2072	popot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihjys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	popot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe
1352	ihjys.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2496	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe
Token: SeIncBasePriorityPrivilege	2496	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe
Token: 33	2072	popot.exe
Token: SeIncBasePriorityPrivilege	2072	popot.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2072	2496	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	30
PID 2496 wrote to memory of 2072	2496	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	30
PID 2496 wrote to memory of 2072	2496	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	30
PID 2496 wrote to memory of 2072	2496	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	30
PID 2496 wrote to memory of 2056	2496	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	31
PID 2496 wrote to memory of 2056	2496	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	31
PID 2496 wrote to memory of 2056	2496	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	31
PID 2496 wrote to memory of 2056	2496	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	31
PID 2072 wrote to memory of 1352	2072	popot.exe	34
PID 2072 wrote to memory of 1352	2072	popot.exe	34
PID 2072 wrote to memory of 1352	2072	popot.exe	34
PID 2072 wrote to memory of 1352	2072	popot.exe	34

C:\Users\Admin\AppData\Local\Temp\9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe
"C:\Users\Admin\AppData\Local\Temp\9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\popot.exe
  "C:\Users\Admin\AppData\Local\Temp\popot.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\ihjys.exe
    "C:\Users\Admin\AppData\Local\Temp\ihjys.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
39098ca9359155e9d3ad9ac51cc6a2aa

SHA1
9dbfc360fe7ee82f19bd2630305db83c0784392e

SHA256
37ed72b787227ade5095f592ddb503e1409cc6a194e95ec7b070ce24b10467f1

SHA512
4e38255b68f06de799a034b39c900d3d35d82778bb8b6b8311fc006820556ec610cd8546ffe2e75ccad5d5effcaa6d84009b68f919a40b4c84ac5e2c5f940e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
062ea4d38bc7901038ed61f28428b23c

SHA1
c806897f5483e7f1b667ccc3794a1d4584f9ee16

SHA256
fd4de0fdcc4be1248bac453a952802be77e561fc73e0143db54ea048f6be58eb

SHA512
42a30c31a9e87f09ae50eb27d9c62f2e079a20c07311d7d51920d0401bec565fd1365474fc1259cfa23d84f8584b32d63e6b35948271a92820d768af8912ffb4

Download Submit
\Users\Admin\AppData\Local\Temp\ihjys.exe

Filesize
203KB

MD5
520337255bc29396310d6c537dc397e6

SHA1
0eda4649477e0ba5c9a879932d4fb8fac40e2a46

SHA256
d3da41ec59257d5d36c8a9c24bbf3e6ad8ac6181a4115f31ff62c25819f81ec0

SHA512
6945648d289ba835749edbc7d26ffc1053662bcffa0cad95154af19d897a7eee37f22d0d2bbd3ebfa83dc2db96fc75fcdefddabe4c87f8d7c2206406822de5ee

Download Submit
\Users\Admin\AppData\Local\Temp\popot.exe

Filesize
298KB

MD5
ef0be8fab1ad538e953ff9f71de60425

SHA1
3dbd1bff72a2e38b1d9af1049e932a87b46728f6

SHA256
d3abc7c95a463401a8f1013b65b8bf68451e3d4d0c727318d5d28fe13eea1d6b

SHA512
9ca3f71bf3a6df690f56929bb4f96b5500aff3d4c03e8d05f80fcad2be8b327c1f6936d42c3bcab0183858b602303e69d7e9b6c95f1d2217c1ebd4d4e353b782

Download Submit
memory/1352-53-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1352-52-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1352-51-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1352-50-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1352-49-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1352-48-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1352-46-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2072-21-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2072-43-0x0000000003B60000-0x0000000003BFF000-memory.dmp

Filesize
636KB

Download
memory/2072-45-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2072-28-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2072-22-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2496-25-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2496-13-0x0000000002C50000-0x0000000002CEB000-memory.dmp

Filesize
620KB

Download
memory/2496-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2496-11-0x0000000002C50000-0x0000000002CEB000-memory.dmp

Filesize
620KB

Download
memory/2496-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download