urelas | 29cf49ad638ecc9b68f666d9bb137ecca659c483b06592411e40056c82e7d756

Analysis

max time kernel
150s
max time network
97s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29cf49ad638ecc9b68f666d9bb137ecca659c483b06592411e40056c82e7d756.exe
Size

336KB
MD5

8b5d4040699ab941751630006a22ed61
SHA1

f57aff4ee41ad39e34df68f759c220a55e9bc1d1
SHA256

29cf49ad638ecc9b68f666d9bb137ecca659c483b06592411e40056c82e7d756
SHA512

a7e98068b11c42f6a54a24b315a4aa471b87f6cc402530953a0359cdf40d613467b26cf41952f83dcc8902d203b86542e0731c68e98dbc385d76fa0e90445e76
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcEg:vHW138/iXWlK885rKlGSekcj66cis

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2724	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2976	syqoq.exe
2916	kofyb.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	29cf49ad638ecc9b68f666d9bb137ecca659c483b06592411e40056c82e7d756.exe
2976	syqoq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29cf49ad638ecc9b68f666d9bb137ecca659c483b06592411e40056c82e7d756.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syqoq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kofyb.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe
2916	kofyb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2976	2296	29cf49ad638ecc9b68f666d9bb137ecca659c483b06592411e40056c82e7d756.exe	29
PID 2296 wrote to memory of 2976	2296	29cf49ad638ecc9b68f666d9bb137ecca659c483b06592411e40056c82e7d756.exe	29
PID 2296 wrote to memory of 2976	2296	29cf49ad638ecc9b68f666d9bb137ecca659c483b06592411e40056c82e7d756.exe	29
PID 2296 wrote to memory of 2976	2296	29cf49ad638ecc9b68f666d9bb137ecca659c483b06592411e40056c82e7d756.exe	29
PID 2296 wrote to memory of 2724	2296	29cf49ad638ecc9b68f666d9bb137ecca659c483b06592411e40056c82e7d756.exe	30
PID 2296 wrote to memory of 2724	2296	29cf49ad638ecc9b68f666d9bb137ecca659c483b06592411e40056c82e7d756.exe	30
PID 2296 wrote to memory of 2724	2296	29cf49ad638ecc9b68f666d9bb137ecca659c483b06592411e40056c82e7d756.exe	30
PID 2296 wrote to memory of 2724	2296	29cf49ad638ecc9b68f666d9bb137ecca659c483b06592411e40056c82e7d756.exe	30
PID 2976 wrote to memory of 2916	2976	syqoq.exe	32
PID 2976 wrote to memory of 2916	2976	syqoq.exe	32
PID 2976 wrote to memory of 2916	2976	syqoq.exe	32
PID 2976 wrote to memory of 2916	2976	syqoq.exe	32

C:\Users\Admin\AppData\Local\Temp\29cf49ad638ecc9b68f666d9bb137ecca659c483b06592411e40056c82e7d756.exe
"C:\Users\Admin\AppData\Local\Temp\29cf49ad638ecc9b68f666d9bb137ecca659c483b06592411e40056c82e7d756.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\syqoq.exe
  "C:\Users\Admin\AppData\Local\Temp\syqoq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Users\Admin\AppData\Local\Temp\kofyb.exe
    "C:\Users\Admin\AppData\Local\Temp\kofyb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
1ca259679dba34c0bc6fcc0e8956b50a

SHA1
33edd9704b1de5aafc58b9ab03618831295f6b1b

SHA256
69ab4a10e911bddc1732026c61bd7e57a3788caa67652aa4f99370615748f853

SHA512
d95aa70828ef4d43f84adddda82c1c428e576adc6a1c014a995731fd7f855971447435f1916c97ba5c0802e8d6377bbc19edaca84d22dcd8b3e27de09def1670

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4241eb0dbfab4cef63e29f359a94f097

SHA1
c9b89ca2c09783d8a149a9ed68d2e810a27f5427

SHA256
47c1f63d2faff19d8907d3a4076f6eb7228255436b0ac3074e898317544e083c

SHA512
69b4ce0565757999f64d18868e078440f71ebad1e8ef38ed46e021e93d9dd006a957022934425c90479288eecafd85fa6cf0cf032c284e62447cbd2e64d5dafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kofyb.exe

Filesize
172KB

MD5
8bc888ee7cf43aafd550f786fda52ac9

SHA1
0fd0a666b485a2561b22e2628e12ab18b8e930ce

SHA256
fabe842b63740c58424cbd6e1ca432bde38b73532d8519ad4bd9104e86d699e4

SHA512
85eed3887702151c571b318104f0fd23c7f9172b50513ab626eff32729256ea24334d4553ca9b441eb8f83dd5f847f92f7f7a7360a060436a6d09df20294f76d

Download Submit
\Users\Admin\AppData\Local\Temp\syqoq.exe

Filesize
336KB

MD5
78d5f3ee9702076a8dda9a03467f0116

SHA1
1b0bf5548d730d4c3ccc356f02ff35d5ad9879ea

SHA256
4bdd4edb33c0dde5b8cc02d45a37ebc14648b9a0e966883d98df2c1caf5255ee

SHA512
7334142e9a0c14f9d733c2a8b2dbf30b0d43bb3386dcea0a8363ffcc159dc82d383643aa3ad4ac132d980759fb8ecb72e0be52e094ce901e40598693317fa802

Download Submit
memory/2296-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2296-9-0x0000000002960000-0x00000000029E1000-memory.dmp

Filesize
516KB

Download
memory/2296-0-0x0000000000C30000-0x0000000000CB1000-memory.dmp

Filesize
516KB

Download
memory/2296-20-0x0000000000C30000-0x0000000000CB1000-memory.dmp

Filesize
516KB

Download
memory/2916-46-0x0000000000280000-0x0000000000319000-memory.dmp

Filesize
612KB

Download
memory/2916-41-0x0000000000280000-0x0000000000319000-memory.dmp

Filesize
612KB

Download
memory/2916-42-0x0000000000280000-0x0000000000319000-memory.dmp

Filesize
612KB

Download
memory/2916-47-0x0000000000280000-0x0000000000319000-memory.dmp

Filesize
612KB

Download
memory/2916-48-0x0000000000280000-0x0000000000319000-memory.dmp

Filesize
612KB

Download
memory/2916-49-0x0000000000280000-0x0000000000319000-memory.dmp

Filesize
612KB

Download
memory/2916-50-0x0000000000280000-0x0000000000319000-memory.dmp

Filesize
612KB

Download
memory/2976-23-0x0000000000FF0000-0x0000000001071000-memory.dmp

Filesize
516KB

Download
memory/2976-11-0x0000000000FF0000-0x0000000001071000-memory.dmp

Filesize
516KB

Download
memory/2976-40-0x0000000003A30000-0x0000000003AC9000-memory.dmp

Filesize
612KB

Download
memory/2976-39-0x0000000000FF0000-0x0000000001071000-memory.dmp

Filesize
516KB

Download
memory/2976-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download