urelas | ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/12/2024, 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
Size

335KB
MD5

a382b347737bdb4bd2bf3ac26c34ba03
SHA1

0ba6c6f58880260c32eb733350f7634eb245890c
SHA256

ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc
SHA512

390d29133ae5d769573875024024140790154290d0db373ca0181129886c332627f98e574d44500ba768848882b9fe90e7cc8732f448b9574ae642852dffe6b2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV9MC:vHW138/iXWlK885rKlGSekcj66ciE9MC

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3052	rukuo.exe
1172	geugf.exe

Loads dropped DLL 2 IoCs

pid	Process
2532	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
3052	rukuo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rukuo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geugf.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe
1172	geugf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 3052	2532	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	30
PID 2532 wrote to memory of 3052	2532	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	30
PID 2532 wrote to memory of 3052	2532	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	30
PID 2532 wrote to memory of 3052	2532	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	30
PID 2532 wrote to memory of 2696	2532	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	31
PID 2532 wrote to memory of 2696	2532	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	31
PID 2532 wrote to memory of 2696	2532	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	31
PID 2532 wrote to memory of 2696	2532	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	31
PID 3052 wrote to memory of 1172	3052	rukuo.exe	34
PID 3052 wrote to memory of 1172	3052	rukuo.exe	34
PID 3052 wrote to memory of 1172	3052	rukuo.exe	34
PID 3052 wrote to memory of 1172	3052	rukuo.exe	34

C:\Users\Admin\AppData\Local\Temp\ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
"C:\Users\Admin\AppData\Local\Temp\ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\rukuo.exe
  "C:\Users\Admin\AppData\Local\Temp\rukuo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\geugf.exe
    "C:\Users\Admin\AppData\Local\Temp\geugf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2327ead2b68b0439df68905a99174378

SHA1
04ebca76b854ae1a856e304d4ec9486322779513

SHA256
7fe90d95840f59e20765937b8c0f56231ec0e3582bf3c4e53fff1ff527b6f3d7

SHA512
2e9f26a14e31b968995305e6464afe2625679b99e3aeb28dd1b218a2630e78b9c9e6ab32bd597a17ad55cda4cd24701e2c3a7ccbf48cd0b26fe4e75c439ce6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bfed450c841046bb771eec2eb60e3667

SHA1
df1cefa4c7257300ffeb6d2c1b428e6a62e649a7

SHA256
c90b8fda394530ca359d274dc00b7148c218eb75a978bc68be27310b3fb67776

SHA512
743edb76dc92d38933a0d8f6ab89b8b1b5167dfc6de3c05110294583113a662564a6bd3e9a8f1f7020a44df8570a0f7a0e73f6b7057f0545f8170dc033e3248b

Download Submit
\Users\Admin\AppData\Local\Temp\geugf.exe

Filesize
172KB

MD5
f6149045717b9bf4956b4a4f096dfa2a

SHA1
a38d75cd63cf442ff26663298093821000382688

SHA256
e76055342fda2482fcd7783a0e847c8641d70b9e001fd485d6e90c951e1b124c

SHA512
f7da3941e2c31aec72c93b306291d38647b40d8f464a29d677cb0ef8218e62c7645f00b73c52d31d2c6c7b54a9bc2baffcb2a6b24f2ee3adfdd1fe1010b62ded

Download Submit
\Users\Admin\AppData\Local\Temp\rukuo.exe

Filesize
335KB

MD5
98706ab69f861a3a7e64cf406c3306a8

SHA1
c1f485a40e6081769aa66900b291221eb6826643

SHA256
9bd48bfd07c7ae3cf7b3e0d1de5ffbd6f72e62957d87b59387bf192644cce145

SHA512
e60412e5d4b35df1991af57503d526e57a9996e26d4cc8e9714a04573eab3b708d202bc6fd983bb4e45a495f72b4144772b98e1ce4b5161d1c0fd5be4088d8cc

Download Submit
memory/1172-50-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/1172-49-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/1172-46-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/1172-44-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/1172-41-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/1172-48-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/1172-47-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/2532-20-0x0000000000D40000-0x0000000000DC1000-memory.dmp

Filesize
516KB

Download
memory/2532-0-0x0000000000D40000-0x0000000000DC1000-memory.dmp

Filesize
516KB

Download
memory/2532-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3052-23-0x0000000001240000-0x00000000012C1000-memory.dmp

Filesize
516KB

Download
memory/3052-38-0x0000000001240000-0x00000000012C1000-memory.dmp

Filesize
516KB

Download
memory/3052-39-0x0000000004090000-0x0000000004129000-memory.dmp

Filesize
612KB

Download
memory/3052-10-0x0000000001240000-0x00000000012C1000-memory.dmp

Filesize
516KB

Download
memory/3052-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download