urelas | a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
Size

271KB
MD5

8dcf36dbac7541e903b39079c481783f
SHA1

4da3e2ba8433500f27405fa79d4c55a7331d4506
SHA256

a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558
SHA512

7ee072cf3b38e8322584516e0909b4cc534f5ab6bcee68c364230b0dd7cbf586c83c319089f393936f5af0860f2e35e3b43f41c6e2709c31228896ab38fc2ec4
SSDEEP

6144:SPdhP7Vq2S8GYlH9LKeu5exdoW7KkYGuH6lY:uhPjSCKeu0oEYGTW

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2888	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2332	guqij.exe
2660	lyibz.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
2332	guqij.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guqij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lyibz.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe
2660	lyibz.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2332	2364	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	31
PID 2364 wrote to memory of 2332	2364	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	31
PID 2364 wrote to memory of 2332	2364	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	31
PID 2364 wrote to memory of 2332	2364	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	31
PID 2364 wrote to memory of 2888	2364	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	32
PID 2364 wrote to memory of 2888	2364	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	32
PID 2364 wrote to memory of 2888	2364	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	32
PID 2364 wrote to memory of 2888	2364	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	32
PID 2332 wrote to memory of 2660	2332	guqij.exe	34
PID 2332 wrote to memory of 2660	2332	guqij.exe	34
PID 2332 wrote to memory of 2660	2332	guqij.exe	34
PID 2332 wrote to memory of 2660	2332	guqij.exe	34

C:\Users\Admin\AppData\Local\Temp\a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
"C:\Users\Admin\AppData\Local\Temp\a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\guqij.exe
  "C:\Users\Admin\AppData\Local\Temp\guqij.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\lyibz.exe
    "C:\Users\Admin\AppData\Local\Temp\lyibz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
708d4cab483a659dedbb37738fb4ea21

SHA1
dba1910f9df879daf0939d0bcf18ff430c8020af

SHA256
a918b58f9417c9b57405dc592be62246050dc940b8ddd8861510844b1f6a3d07

SHA512
6832aba9774eb549d59a9055888d403d1c15a2c9b6ab989f7040bc2e599732fc17f20f9b0481ad91ef612cebf64f45902a8352a4b3a7309bbe9565eac3ce1c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
24c92db0a2e35575941038b23f040aa7

SHA1
2f9ddd46aa54f569667746d790d25b7fc5970959

SHA256
24e2f47f743c0004bb4daf2a976c106a11013efa2b0d033b46178653434fdfa2

SHA512
57bf3ece765ad60d3bae9b51b31c946eca63b771c35ee165e03c8f6add847e29fdd297fe657c008f84f485fa6c69816ad29c3194d7d24440a0da30813117c7c5

Download Submit
\Users\Admin\AppData\Local\Temp\guqij.exe

Filesize
271KB

MD5
d92e51a645967327c2fa6b282f7fe76d

SHA1
f999b3e7ddfbaf9278e36457069743032321da1c

SHA256
ced82072976eefa9ecb75c46df479102962ed1a7d1e199cfb9c9e3c8d842b078

SHA512
1bd24b510608c28ed5f53e5e793c18a68e69ba758b18a36916a50d1ae8271bf7b27570bf03bb424efb67aa44dbe57b163b96ad4071eb11556ba90f69b7f2293a

Download Submit
\Users\Admin\AppData\Local\Temp\lyibz.exe

Filesize
291KB

MD5
c2f2a58deab850d3afc9fd01871ed023

SHA1
4afd97d106775528991e26663ec48e0e4349769d

SHA256
15792c5dbe05ff181b1ff7d0812a4ef3abcc7b09ce36eedbbb4e2066a9f47d26

SHA512
15eaabb028fdbc01c26389b4ca978b2de68536f39822ed7d8c3d2a5717c960eef932c38f340af9c793584cb59e8f6f88a46e8933dc2d4359de59abc77a91477b

Download Submit
memory/2332-24-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2332-17-0x0000000001040000-0x00000000010AE000-memory.dmp

Filesize
440KB

Download
memory/2332-18-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2332-25-0x0000000001040000-0x00000000010AE000-memory.dmp

Filesize
440KB

Download
memory/2332-41-0x0000000001040000-0x00000000010AE000-memory.dmp

Filesize
440KB

Download
memory/2364-21-0x00000000002B0000-0x000000000031E000-memory.dmp

Filesize
440KB

Download
memory/2364-7-0x00000000024C0000-0x000000000252E000-memory.dmp

Filesize
440KB

Download
memory/2364-0-0x00000000002B0000-0x000000000031E000-memory.dmp

Filesize
440KB

Download
memory/2364-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download