urelas | f87ff597c610ff3964b970f2cbc04af27a320265f396b41cb542ec598edd1c0d

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f87ff597c610ff3964b970f2cbc04af27a320265f396b41cb542ec598edd1c0d.exe
Size

514KB
MD5

c92cbcab5249ad4c953242d64a7131e2
SHA1

d624b172e67a076deb2277219537c7d907e736f0
SHA256

f87ff597c610ff3964b970f2cbc04af27a320265f396b41cb542ec598edd1c0d
SHA512

7f319ddf8f950d0ab7cc3eda25c61f83912ec62eff329ea5f58467993e60ba0a9d0a03966ed7e9fa11c87f9b91f5ec2ad136d5c08d778befa2ef21631d536cf9
SSDEEP

12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKoa:3MUv2LAv9AQ1p4dK3

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2944	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2744	orokj.exe
2140	ugavt.exe

Loads dropped DLL 2 IoCs

pid	Process
2640	f87ff597c610ff3964b970f2cbc04af27a320265f396b41cb542ec598edd1c0d.exe
2744	orokj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f87ff597c610ff3964b970f2cbc04af27a320265f396b41cb542ec598edd1c0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orokj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ugavt.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe
2140	ugavt.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2744	2640	f87ff597c610ff3964b970f2cbc04af27a320265f396b41cb542ec598edd1c0d.exe	30
PID 2640 wrote to memory of 2744	2640	f87ff597c610ff3964b970f2cbc04af27a320265f396b41cb542ec598edd1c0d.exe	30
PID 2640 wrote to memory of 2744	2640	f87ff597c610ff3964b970f2cbc04af27a320265f396b41cb542ec598edd1c0d.exe	30
PID 2640 wrote to memory of 2744	2640	f87ff597c610ff3964b970f2cbc04af27a320265f396b41cb542ec598edd1c0d.exe	30
PID 2640 wrote to memory of 2944	2640	f87ff597c610ff3964b970f2cbc04af27a320265f396b41cb542ec598edd1c0d.exe	31
PID 2640 wrote to memory of 2944	2640	f87ff597c610ff3964b970f2cbc04af27a320265f396b41cb542ec598edd1c0d.exe	31
PID 2640 wrote to memory of 2944	2640	f87ff597c610ff3964b970f2cbc04af27a320265f396b41cb542ec598edd1c0d.exe	31
PID 2640 wrote to memory of 2944	2640	f87ff597c610ff3964b970f2cbc04af27a320265f396b41cb542ec598edd1c0d.exe	31
PID 2744 wrote to memory of 2140	2744	orokj.exe	33
PID 2744 wrote to memory of 2140	2744	orokj.exe	33
PID 2744 wrote to memory of 2140	2744	orokj.exe	33
PID 2744 wrote to memory of 2140	2744	orokj.exe	33

C:\Users\Admin\AppData\Local\Temp\f87ff597c610ff3964b970f2cbc04af27a320265f396b41cb542ec598edd1c0d.exe
"C:\Users\Admin\AppData\Local\Temp\f87ff597c610ff3964b970f2cbc04af27a320265f396b41cb542ec598edd1c0d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\orokj.exe
  "C:\Users\Admin\AppData\Local\Temp\orokj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\ugavt.exe
    "C:\Users\Admin\AppData\Local\Temp\ugavt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
45e2dd4e6eba7a9c565272263e223e6d

SHA1
60d28ef14e5c64bca432734428272314986a85ff

SHA256
887b088a032f29a7b089eed08172579dd1511f5298adb486ec3ce73961b250ff

SHA512
dec7940d7d83fabe44b94608bf0278eab6f06430594b1cd98340db04e45f9331f66f2c4942349192435a22d669cd3edeb8ecf742a051b9e6bf5e502c64054031

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4de7658d76d278bc4d769cd2d0c6647b

SHA1
479b6cdd5edb6748dddb98cd7c9e2a5e5153d5bc

SHA256
f44b9623242e10f638a2f8e9d03e554cabc4f102fef225ec09ad38f8ddf0f764

SHA512
f1438ae224c202682ca8df9f66ed681f3665f6264ad9a51ba10a3df263f6eec468661ab62746e9cf44c7d9518aa0e0f64c28f0a629ebce4053c0df2c21c5d46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\orokj.exe

Filesize
514KB

MD5
94bdf9a7b958ec5d1dd5f20d4af485c6

SHA1
dacb9edb1300352ecc110b62c600e7749987bc43

SHA256
1c90dde2451d9212e5c3d2609ddc92cc6f24d01edfff3d853ef8d26897743e8a

SHA512
0d603b143644e380f63231210f7e3398bb5ef1e7c3768c3cbf038a41d889e169774c0a52b3c50890c94b2bf4348e0b923279d28e89346114d43006090d3014cb

Download Submit
\Users\Admin\AppData\Local\Temp\orokj.exe

Filesize
514KB

MD5
5e9f472167fa0d740dd08a407b0cf670

SHA1
3beecbe92096a49b262b70b9b4d77fbf008ce4f5

SHA256
9fe02560c069be441437eb511ae8f5dce2069c7f228d8c33fb11f622b332fae0

SHA512
b52e6a21e32f7a9d74c449306a4bb66e88023fee89dbe80bff08b102e1c51c663e7fecc1c89bb3d4feed60403f3ec3b2e266a54a9217bcdcd0b5005b9692e6bc

Download Submit
\Users\Admin\AppData\Local\Temp\ugavt.exe

Filesize
172KB

MD5
f631040ffc39b7879818969c81344941

SHA1
d2fb6576a09a212fae0cf15eefbf7e0292d12d38

SHA256
31606786e464812d7e5e3dd9446cf84d4ae2253d2259ce1eb4010e9d66b58da6

SHA512
8b16fbb12bb27cf868008b86a0f244d2c1d6e2057cceaab587fab6a8a00635b21cc8c2ea505bbe44dc91e7019ac4c17a389b2767980548e9bb38cfe14dadb8cd

Download Submit
memory/2140-37-0x0000000001330000-0x00000000013C9000-memory.dmp

Filesize
612KB

Download
memory/2140-38-0x0000000001330000-0x00000000013C9000-memory.dmp

Filesize
612KB

Download
memory/2140-41-0x0000000001330000-0x00000000013C9000-memory.dmp

Filesize
612KB

Download
memory/2140-40-0x0000000001330000-0x00000000013C9000-memory.dmp

Filesize
612KB

Download
memory/2140-39-0x0000000001330000-0x00000000013C9000-memory.dmp

Filesize
612KB

Download
memory/2140-34-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2140-33-0x0000000001330000-0x00000000013C9000-memory.dmp

Filesize
612KB

Download
memory/2140-30-0x0000000001330000-0x00000000013C9000-memory.dmp

Filesize
612KB

Download
memory/2640-0-0x0000000001220000-0x00000000012A1000-memory.dmp

Filesize
516KB

Download
memory/2640-18-0x0000000001220000-0x00000000012A1000-memory.dmp

Filesize
516KB

Download
memory/2640-6-0x0000000000F60000-0x0000000000FE1000-memory.dmp

Filesize
516KB

Download
memory/2744-16-0x00000000008A0000-0x0000000000921000-memory.dmp

Filesize
516KB

Download
memory/2744-29-0x00000000008A0000-0x0000000000921000-memory.dmp

Filesize
516KB

Download
memory/2744-25-0x00000000033A0000-0x0000000003439000-memory.dmp

Filesize
612KB

Download
memory/2744-21-0x00000000008A0000-0x0000000000921000-memory.dmp

Filesize
516KB

Download