urelas | da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f

Analysis

max time kernel
149s
max time network
78s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
05/12/2024, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe
Size

514KB
MD5

91b0994aae31d7a21d910f3022501e9d
SHA1

53cc2876b04a7e80ef64f7c2cb8f28b4de652176
SHA256

da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f
SHA512

57aa2a357a9483bed17eb5bda655fd9cec4f592a649867e1aea4d89b9e723ed4be2d0219c2750317454fc098ccb310b2e42ffec3bd19c2e17a121a90e50caa72
SSDEEP

12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKo1:3MUv2LAv9AQ1p4dKI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2732	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2944	kavuq.exe
2684	ybxog.exe

Loads dropped DLL 2 IoCs

pid	Process
2532	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe
2944	kavuq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ybxog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kavuq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe
2684	ybxog.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2944	2532	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe	29
PID 2532 wrote to memory of 2944	2532	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe	29
PID 2532 wrote to memory of 2944	2532	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe	29
PID 2532 wrote to memory of 2944	2532	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe	29
PID 2532 wrote to memory of 2732	2532	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe	30
PID 2532 wrote to memory of 2732	2532	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe	30
PID 2532 wrote to memory of 2732	2532	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe	30
PID 2532 wrote to memory of 2732	2532	da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe	30
PID 2944 wrote to memory of 2684	2944	kavuq.exe	32
PID 2944 wrote to memory of 2684	2944	kavuq.exe	32
PID 2944 wrote to memory of 2684	2944	kavuq.exe	32
PID 2944 wrote to memory of 2684	2944	kavuq.exe	32

C:\Users\Admin\AppData\Local\Temp\da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe
"C:\Users\Admin\AppData\Local\Temp\da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\kavuq.exe
  "C:\Users\Admin\AppData\Local\Temp\kavuq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\ybxog.exe
    "C:\Users\Admin\AppData\Local\Temp\ybxog.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
35817d34375f348ae1f9b91d661b2ffe

SHA1
feabcd3b81cd5ad05fab936a28ba487b61566ba5

SHA256
3549519a27d8c0675de160580f4c34114920ecadefe039d0b7043bf0517b5646

SHA512
962fbf205d3af9b760189edb85bc3fc23ec7c0c64d3ee60497bb1df7dc65d78f186acd1e42a388311c05900f4ab25203f251f14349193e2c3a43ba17d40d83bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
87735bf417b4339b0fc85d497031bfaa

SHA1
48e6f29f7443d31ac85daacbfd8275326ba752a7

SHA256
604ab2f0c9ccafc8a8a0871843cfd2c230db8ecea21af9404fc1dc016f220832

SHA512
561964707ddf0437076f4423d03b555369d3517ead34c114e80b435760230a289afafb39bd13970c23288cb6f7866acf08ccf2cb415cc1ba35e1e4b47f9f5390

Download Submit
\Users\Admin\AppData\Local\Temp\kavuq.exe

Filesize
514KB

MD5
c060ee68665a876bf1290172c03ee783

SHA1
586b80f94e467c45058b5642b46f4da913ee5325

SHA256
68186ebd8a3d6be23421d1b54ee35d79fa04744f442a77d0defed4f8a378b71e

SHA512
56d7e58a20288a4a0b6170b3b2e1d437db1967501cbbb9b8c0763a7d6b0ca88189aeefa1c575883207f1f59c7ffb7619fe8e3b1532f4c3e4647f6dc00346afa9

Download Submit
\Users\Admin\AppData\Local\Temp\ybxog.exe

Filesize
172KB

MD5
529e1e3d946aa9bb3b9965c98a9a0011

SHA1
6f49517b4be6d0f6221081609802feacdcc7c7a2

SHA256
288cbf26ca7c2b2cdce523f6482dd5000be18963ad7d9ef6ccff559c15269290

SHA512
15ed9d19dd09680577f08eaf2cb03bf84018a0647fed7a624652b2f87fabe87506c1965198ac3bb0469540ee3e538cef7cf2e6ed871ef819c7fd56db3e4e640e

Download Submit
memory/2532-0-0x0000000000D70000-0x0000000000DF1000-memory.dmp

Filesize
516KB

Download
memory/2532-8-0x0000000000CE0000-0x0000000000D61000-memory.dmp

Filesize
516KB

Download
memory/2532-18-0x0000000000D70000-0x0000000000DF1000-memory.dmp

Filesize
516KB

Download
memory/2684-30-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/2684-31-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2684-33-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/2684-37-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2684-36-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/2684-38-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/2684-39-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/2684-40-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/2684-41-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/2944-21-0x0000000000390000-0x0000000000411000-memory.dmp

Filesize
516KB

Download
memory/2944-26-0x00000000032C0000-0x0000000003359000-memory.dmp

Filesize
612KB

Download
memory/2944-16-0x0000000000390000-0x0000000000411000-memory.dmp

Filesize
516KB

Download
memory/2944-28-0x0000000000390000-0x0000000000411000-memory.dmp

Filesize
516KB

Download