urelas | 6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe
Size

336KB
MD5

02c93b7e5787309e5449f494b60ff083
SHA1

6facdc23d4875cbfc5d61a615685a1704a05452a
SHA256

6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e
SHA512

a2a17cab1d187187a1568738db0dc9c534c3869a611298f207a58dc12f122ff4ce7e00f188e6af2612b7aa08172c3cd50dfc6e8463f203b10c035a79e35f8d6a
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKo3:vHW138/iXWlK885rKlGSekcj66ci6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2392	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1608	ekxye.exe
3000	favek.exe

Loads dropped DLL 2 IoCs

pid	Process
1636	6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe
1608	ekxye.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ekxye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	favek.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe
3000	favek.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1608	1636	6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe	28
PID 1636 wrote to memory of 1608	1636	6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe	28
PID 1636 wrote to memory of 1608	1636	6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe	28
PID 1636 wrote to memory of 1608	1636	6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe	28
PID 1636 wrote to memory of 2392	1636	6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe	29
PID 1636 wrote to memory of 2392	1636	6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe	29
PID 1636 wrote to memory of 2392	1636	6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe	29
PID 1636 wrote to memory of 2392	1636	6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe	29
PID 1608 wrote to memory of 3000	1608	ekxye.exe	33
PID 1608 wrote to memory of 3000	1608	ekxye.exe	33
PID 1608 wrote to memory of 3000	1608	ekxye.exe	33
PID 1608 wrote to memory of 3000	1608	ekxye.exe	33

C:\Users\Admin\AppData\Local\Temp\6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe
"C:\Users\Admin\AppData\Local\Temp\6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\ekxye.exe
  "C:\Users\Admin\AppData\Local\Temp\ekxye.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\favek.exe
    "C:\Users\Admin\AppData\Local\Temp\favek.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
63e5603d82f6641aa23a0cf86630138c

SHA1
3c86eb01841decf6c6d607c7adc5e0b90d43a588

SHA256
c20ffdc0bf5230c7a8774a274441987790d0e695da9eef48e51d1d667059b464

SHA512
76f2acf6d292c3144f0a26e2392ec740e9b8c1782f9120a6d981f61c1e5274cb1179517af31ccd68d2cec956cb487bd3852e80ba3b5aea108fe97f75fd4c9610

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a112ec937b0c380c1af25e274beee677

SHA1
7b2e9fd66d300a096faee9aef713f2ba29843873

SHA256
16bd4222cd862343af5ea7b8b377f9ac58ab8d76ab95e79cee617ac1e9195629

SHA512
9c60ddab544a6d9546295ed8e8556a10b062fb91e1dc77106a78f6e02e134cc32d763932c71e3d31969cba1d7c91e2634d9df6b54d99c92dbe6cd14e476eeb58

Download Submit
\Users\Admin\AppData\Local\Temp\ekxye.exe

Filesize
336KB

MD5
505deacdd5461129c2ed61212aea81d1

SHA1
627fe8b8f1c01a993524c9c3b5ea24db517de278

SHA256
279590ec060026db357f1fdb0fa2fb6b6ff5e1c051ab10db1661f40e3609b618

SHA512
fda1f5de675067fc6ec8300ab73ed9b32b009965f847650e87b06c7e9007a54accc6e5f823cf78f2d604e52a6b5639527d8a762c639c62d9feb9e28e08121b5e

Download Submit
\Users\Admin\AppData\Local\Temp\favek.exe

Filesize
172KB

MD5
dc83d80eb20d4f869d44a1c255b391be

SHA1
f7655aa69b389e4020be71fc1dc8a0fa39f02686

SHA256
2eb3d753eed71aada3dd412946e41f865b2097c51f80c00f27fb564bcdea561e

SHA512
f305258e1ea2ae9a36de7f387a6e13fa9c5f6d5245e07b1da4aa4e76171a290f6450146c4a0a234d9da3b98935963370eb0cca617726d2113442f5eecaf158ef

Download Submit
memory/1608-23-0x00000000000C0000-0x0000000000141000-memory.dmp

Filesize
516KB

Download
memory/1608-41-0x00000000000C0000-0x0000000000141000-memory.dmp

Filesize
516KB

Download
memory/1608-37-0x0000000003380000-0x0000000003419000-memory.dmp

Filesize
612KB

Download
memory/1608-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1608-18-0x00000000000C0000-0x0000000000141000-memory.dmp

Filesize
516KB

Download
memory/1636-19-0x0000000000310000-0x0000000000391000-memory.dmp

Filesize
516KB

Download
memory/1636-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1636-9-0x0000000001FB0000-0x0000000002031000-memory.dmp

Filesize
516KB

Download
memory/1636-0-0x0000000000310000-0x0000000000391000-memory.dmp

Filesize
516KB

Download
memory/3000-42-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/3000-40-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/3000-46-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/3000-47-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/3000-48-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/3000-49-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/3000-50-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download