urelas | 4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe
Size

336KB
MD5

362cea37b4515362a69bbdbf1114b700
SHA1

eea2d6bcf28637859873bb040eb63ca183aff830
SHA256

4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3
SHA512

e0a76b767f46ced49414b3ee0d9fb3faa746be5a0133bc06a474d7c5600b769390c1250f2605f514e993794f74ec71a6b7bc9808b48733d116c87576ab4d0ac7
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYvRA:vHW138/iXWlK885rKlGSekcj66ci2m

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2124	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2092	goatc.exe
2164	loxeq.exe

Loads dropped DLL 2 IoCs

pid	Process
2096	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe
2092	goatc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loxeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	goatc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe
2164	loxeq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2092	2096	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe	30
PID 2096 wrote to memory of 2092	2096	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe	30
PID 2096 wrote to memory of 2092	2096	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe	30
PID 2096 wrote to memory of 2092	2096	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe	30
PID 2096 wrote to memory of 2124	2096	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe	31
PID 2096 wrote to memory of 2124	2096	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe	31
PID 2096 wrote to memory of 2124	2096	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe	31
PID 2096 wrote to memory of 2124	2096	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe	31
PID 2092 wrote to memory of 2164	2092	goatc.exe	34
PID 2092 wrote to memory of 2164	2092	goatc.exe	34
PID 2092 wrote to memory of 2164	2092	goatc.exe	34
PID 2092 wrote to memory of 2164	2092	goatc.exe	34

C:\Users\Admin\AppData\Local\Temp\4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe
"C:\Users\Admin\AppData\Local\Temp\4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\goatc.exe
  "C:\Users\Admin\AppData\Local\Temp\goatc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\loxeq.exe
    "C:\Users\Admin\AppData\Local\Temp\loxeq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
476212ace4b11e6545bf385d85d0b5f5

SHA1
801785d558f766f8e6b5646bf15ffe9f4ebc7e42

SHA256
d7b50bf22f81a6c1cae7d766345a68bcb0ba8a85bd943beaf7300077a0e038ca

SHA512
6ceee9e2aebc9cdc18328c5846060a823e58c6efff378bc84083f2e25569bdc5de5851833c95a51f09e854dfe51aadb356cdcf0457230987125adff322b5c01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e78218c52b6908715dbe555c6dc5ced1

SHA1
0d559421dbb6fb4a948accef93c8010fc89f3b31

SHA256
6559293dfbb0b48ca6758f6c1eb5287415b615be6b7b3173660891796a706c33

SHA512
3d42809d2ff3e130a96d471507114cbebbbd66bf8455de0064600b29197114c35150f00f1d06b4dcbcb0652d00136557f4dbb0459630c6b39f1222ea6f866860

Download Submit
\Users\Admin\AppData\Local\Temp\goatc.exe

Filesize
336KB

MD5
efd2632c88c71038b8b7445fc2e19132

SHA1
9e99d661a8e686de8c242d7735f3628068a2fe3d

SHA256
b2d79eedd50cc1174b50f465ce2d196107e5a6c2e5bb52bbba5625a6021266eb

SHA512
0c7af022df79105967d6153b7c7bcdf2dfb4e241cae9b22194e532ba64b7c31759252e7dd2e5ab327a035a15a09726831332c9c906b2bb7b60c38621467edac1

Download Submit
\Users\Admin\AppData\Local\Temp\loxeq.exe

Filesize
172KB

MD5
2f6dbe7244b82c7317a2fc5fef7f60d9

SHA1
1afcc99d1a417b6eebaba1cfa246f2ed7e4a47e9

SHA256
8609089087d9953eec9ffe6df1e6a04384c92292f5004f639519a79d633b8d64

SHA512
ad8de3b0e44100d4ddf0f0fe76582a27324feeb8caaf4c8a9714c0f3cda41217a0fa083804a8d64336cf85a8142a954fc8a5919d4b9165c8cfdc915eb07d0f90

Download Submit
memory/2092-39-0x0000000001310000-0x0000000001391000-memory.dmp

Filesize
516KB

Download
memory/2092-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2092-18-0x0000000001310000-0x0000000001391000-memory.dmp

Filesize
516KB

Download
memory/2092-23-0x0000000001310000-0x0000000001391000-memory.dmp

Filesize
516KB

Download
memory/2096-20-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/2096-17-0x00000000027C0000-0x0000000002841000-memory.dmp

Filesize
516KB

Download
memory/2096-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2096-0-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/2164-41-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2164-40-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2164-45-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2164-46-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2164-47-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2164-48-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2164-49-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download