urelas | ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5

Analysis

max time kernel
120s
max time network
56s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/11/2024, 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe
Size

463KB
MD5

f0f931769302c8ea85a3b5249f1c46d9
SHA1

e316425b3c0c7bd022387a03676a2bce3e6d4195
SHA256

ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5
SHA512

89ce7cbcc3b0441f3d50379271c7a13d93bfd95926394631f5ab2d7e284287cac3b58e09ff2c751a6506c289dddfbe22281e9444dde088b5e95d82e83278e94f
SSDEEP

6144:P8Eoe/IebBVMweZGhHdJBV70FVKLbfW2x8VyMsmD6gzOmjpi+pMJQ8uUm9unpm+:vDdUGhHdJ370FVKmP0Ml+gzzjp+lsud

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.30.235

121.88.5.181

112.223.217.101

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2328	sander.exe
1796	ctfmom.exe

Loads dropped DLL 2 IoCs

pid	Process
2520	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe
2328	sander.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sander.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe
1796	ctfmom.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2328	2520	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	30
PID 2520 wrote to memory of 2328	2520	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	30
PID 2520 wrote to memory of 2328	2520	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	30
PID 2520 wrote to memory of 2328	2520	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	30
PID 2520 wrote to memory of 2540	2520	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	31
PID 2520 wrote to memory of 2540	2520	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	31
PID 2520 wrote to memory of 2540	2520	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	31
PID 2520 wrote to memory of 2540	2520	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	31
PID 2328 wrote to memory of 1796	2328	sander.exe	34
PID 2328 wrote to memory of 1796	2328	sander.exe	34
PID 2328 wrote to memory of 1796	2328	sander.exe	34
PID 2328 wrote to memory of 1796	2328	sander.exe	34

C:\Users\Admin\AppData\Local\Temp\ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe
"C:\Users\Admin\AppData\Local\Temp\ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
    "C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
341B

MD5
161e6cc63a9e7ae7cce5dbf60ae08016

SHA1
42a38c983a7720b6921fd430dd01356212a72313

SHA256
4aa01d33ca6949975b4d5c6012167a8b34c5ae6f8bb0299d47e0beb0f37b0781

SHA512
4900d5af54929dd98668a1754435513bcb4785724ae07f3f75efdd47356b4f9d511529b8d5291c0d8d66fa855aa67b4a5577a8fe998813d06f0f0e3b75c21f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
04113afab96ff36e7da4cabf336079cf

SHA1
2ab6a01f123c1ef4227cb134612749b67a237bf6

SHA256
8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16

SHA512
68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

Download Submit
\Users\Admin\AppData\Local\Temp\ctfmom.exe

Filesize
221KB

MD5
05a396fd46c919e9364b86869760d5b7

SHA1
2d8a7e381675f5bb14a4f1b7266f98d89a8b9700

SHA256
17c32f147eb0648cdffddcacb958819321447a95f14d0df424b8436198203102

SHA512
022f688c04050a4bfdc0118a778f84837138eb0746e6bbed3396bc11602cc90574602901ac1924654a54472d7623bc47d747e60de0dd96d58bfbbfb5ca5c269f

Download Submit
\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
463KB

MD5
2d552e54f8b8b248f5d7a4581fd8ba46

SHA1
e66adc3966b9e8150b85227c5b898c9d139a3d11

SHA256
009c601153beb940c9fa7a1e4c7a04d78b385e7192b2097b8463821df26f8cd2

SHA512
1eedda473b7a6bd65726dc0cf632254dfe93da6dd987e6585c3272a68cd9beb50f7cc8b951e19bf22f7e47cf47b71f5a7f1ec523df7b690479e9aafa710844ee

Download Submit
memory/1796-30-0x0000000000EE0000-0x0000000000F81000-memory.dmp

Filesize
644KB

Download
memory/1796-35-0x0000000000EE0000-0x0000000000F81000-memory.dmp

Filesize
644KB

Download
memory/1796-38-0x0000000000EE0000-0x0000000000F81000-memory.dmp

Filesize
644KB

Download
memory/1796-37-0x0000000000EE0000-0x0000000000F81000-memory.dmp

Filesize
644KB

Download
memory/1796-36-0x0000000000EE0000-0x0000000000F81000-memory.dmp

Filesize
644KB

Download
memory/1796-34-0x0000000000EE0000-0x0000000000F81000-memory.dmp

Filesize
644KB

Download
memory/1796-33-0x0000000000EE0000-0x0000000000F81000-memory.dmp

Filesize
644KB

Download
memory/2328-29-0x00000000012E0000-0x0000000001362000-memory.dmp

Filesize
520KB

Download
memory/2328-25-0x00000000037E0000-0x0000000003881000-memory.dmp

Filesize
644KB

Download
memory/2328-11-0x00000000012E0000-0x0000000001362000-memory.dmp

Filesize
520KB

Download
memory/2328-21-0x00000000012E0000-0x0000000001362000-memory.dmp

Filesize
520KB

Download
memory/2520-0-0x00000000001A0000-0x0000000000222000-memory.dmp

Filesize
520KB

Download
memory/2520-18-0x00000000001A0000-0x0000000000222000-memory.dmp

Filesize
520KB

Download
memory/2520-8-0x0000000000660000-0x00000000006E2000-memory.dmp

Filesize
520KB

Download