urelas | ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/11/2024, 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe
Size

463KB
MD5

f0f931769302c8ea85a3b5249f1c46d9
SHA1

e316425b3c0c7bd022387a03676a2bce3e6d4195
SHA256

ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5
SHA512

89ce7cbcc3b0441f3d50379271c7a13d93bfd95926394631f5ab2d7e284287cac3b58e09ff2c751a6506c289dddfbe22281e9444dde088b5e95d82e83278e94f
SSDEEP

6144:P8Eoe/IebBVMweZGhHdJBV70FVKLbfW2x8VyMsmD6gzOmjpi+pMJQ8uUm9unpm+:vDdUGhHdJ370FVKmP0Ml+gzzjp+lsud

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.30.235

121.88.5.181

112.223.217.101

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2108	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1244	sander.exe
3056	ctfmom.exe

Loads dropped DLL 2 IoCs

pid	Process
2700	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe
1244	sander.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sander.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmom.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe
3056	ctfmom.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1244	2700	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	30
PID 2700 wrote to memory of 1244	2700	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	30
PID 2700 wrote to memory of 1244	2700	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	30
PID 2700 wrote to memory of 1244	2700	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	30
PID 2700 wrote to memory of 2108	2700	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	31
PID 2700 wrote to memory of 2108	2700	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	31
PID 2700 wrote to memory of 2108	2700	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	31
PID 2700 wrote to memory of 2108	2700	ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe	31
PID 1244 wrote to memory of 3056	1244	sander.exe	34
PID 1244 wrote to memory of 3056	1244	sander.exe	34
PID 1244 wrote to memory of 3056	1244	sander.exe	34
PID 1244 wrote to memory of 3056	1244	sander.exe	34

C:\Users\Admin\AppData\Local\Temp\ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe
"C:\Users\Admin\AppData\Local\Temp\ef90c36a0b256ba711493b66fe20500123dbfd30263c2598e1f392bf547c75d5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
    "C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
341B

MD5
161e6cc63a9e7ae7cce5dbf60ae08016

SHA1
42a38c983a7720b6921fd430dd01356212a72313

SHA256
4aa01d33ca6949975b4d5c6012167a8b34c5ae6f8bb0299d47e0beb0f37b0781

SHA512
4900d5af54929dd98668a1754435513bcb4785724ae07f3f75efdd47356b4f9d511529b8d5291c0d8d66fa855aa67b4a5577a8fe998813d06f0f0e3b75c21f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
04113afab96ff36e7da4cabf336079cf

SHA1
2ab6a01f123c1ef4227cb134612749b67a237bf6

SHA256
8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16

SHA512
68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

Download Submit
\Users\Admin\AppData\Local\Temp\ctfmom.exe

Filesize
221KB

MD5
0fe0dd44034f123e12875b4f88b8cc89

SHA1
a7c0fea3aad535bf1506097c116fb025696c9377

SHA256
d724c58d46e173f3fa56ea5b35d78f5accf48e9ce59432277776e8bf403ccf92

SHA512
846ea2020f20fcf3b2f95266f5bfa875d2dee573ec577d4bea415334ef82c91d28dba3818fe79286907afbeeb7aca24c1783c3ba2ec1b49f40dfc4cd134ba802

Download Submit
\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
463KB

MD5
a4fd6997ff4dc6df49869d23cfd07746

SHA1
85962f980d8faec6cb8c19d59e3b9fb0a99b0977

SHA256
bc4f49dcc54406d5e1dd42a8788617ef168c6e6de8cb8308e1b5157c23ed8092

SHA512
1f38271147644bcf98f278e5bbcd524cfa69691d117b25f313ccacdc0a64ed32692c0695b40615dc5ec19cb08aee5469514f7c79db9c9a6ed209cb70089c6d5d

Download Submit
memory/1244-10-0x0000000000F10000-0x0000000000F92000-memory.dmp

Filesize
520KB

Download
memory/1244-29-0x0000000000F10000-0x0000000000F92000-memory.dmp

Filesize
520KB

Download
memory/1244-26-0x00000000032E0000-0x0000000003381000-memory.dmp

Filesize
644KB

Download
memory/1244-21-0x0000000000F10000-0x0000000000F92000-memory.dmp

Filesize
520KB

Download
memory/2700-18-0x0000000000D10000-0x0000000000D92000-memory.dmp

Filesize
520KB

Download
memory/2700-0-0x0000000000D10000-0x0000000000D92000-memory.dmp

Filesize
520KB

Download
memory/2700-9-0x0000000000C60000-0x0000000000CE2000-memory.dmp

Filesize
520KB

Download
memory/3056-30-0x0000000001210000-0x00000000012B1000-memory.dmp

Filesize
644KB

Download
memory/3056-31-0x0000000001210000-0x00000000012B1000-memory.dmp

Filesize
644KB

Download
memory/3056-34-0x0000000001210000-0x00000000012B1000-memory.dmp

Filesize
644KB

Download
memory/3056-35-0x0000000001210000-0x00000000012B1000-memory.dmp

Filesize
644KB

Download
memory/3056-36-0x0000000001210000-0x00000000012B1000-memory.dmp

Filesize
644KB

Download
memory/3056-37-0x0000000001210000-0x00000000012B1000-memory.dmp

Filesize
644KB

Download
memory/3056-38-0x0000000001210000-0x00000000012B1000-memory.dmp

Filesize
644KB

Download
memory/3056-39-0x0000000001210000-0x00000000012B1000-memory.dmp

Filesize
644KB

Download
memory/3056-40-0x0000000001210000-0x00000000012B1000-memory.dmp

Filesize
644KB

Download
memory/3056-41-0x0000000001210000-0x00000000012B1000-memory.dmp

Filesize
644KB

Download