urelas | 7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe
Size

336KB
MD5

7ec7de4e9a57cb8de75c702a35e702c6
SHA1

634f1f6c6db3418043a31b99f935e5443f3cef2d
SHA256

7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d
SHA512

386b747b5cbe93e99a2aeefff6bb47496d771da1c9998872ebbcf243cb9ffd604051860f2426d866f461af243fc2cd74c57a37b512307a800c1f5e121df0517a
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoZ:vHW138/iXWlK885rKlGSekcj66ciU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2112	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2348	awudj.exe
2156	daquf.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe
2348	awudj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	awudj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daquf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe
2156	daquf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2348	2080	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe	31
PID 2080 wrote to memory of 2348	2080	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe	31
PID 2080 wrote to memory of 2348	2080	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe	31
PID 2080 wrote to memory of 2348	2080	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe	31
PID 2080 wrote to memory of 2112	2080	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe	32
PID 2080 wrote to memory of 2112	2080	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe	32
PID 2080 wrote to memory of 2112	2080	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe	32
PID 2080 wrote to memory of 2112	2080	7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe	32
PID 2348 wrote to memory of 2156	2348	awudj.exe	35
PID 2348 wrote to memory of 2156	2348	awudj.exe	35
PID 2348 wrote to memory of 2156	2348	awudj.exe	35
PID 2348 wrote to memory of 2156	2348	awudj.exe	35

C:\Users\Admin\AppData\Local\Temp\7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe
"C:\Users\Admin\AppData\Local\Temp\7a59610bcc3e1c589ce52cd897f831edb773a663b45580caf0ecffc1ee83967d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\awudj.exe
  "C:\Users\Admin\AppData\Local\Temp\awudj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\daquf.exe
    "C:\Users\Admin\AppData\Local\Temp\daquf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
76b21c83e369dfef0ab0116626e485ab

SHA1
f116adf90458be7049152f11cf92aa70247f9103

SHA256
9ac2aaac2b1d662c0053c29e325149c94ba14a2fb6d9eccc6425e58aa47e4aea

SHA512
07de4f68cf5e12fbe5e74d18bc3668b5a91afe073846592308353e1a2b7c464055c896aa366ece0bf0097dbceea3c5ec2f21f56a9b25ab47337f912fb1a0f7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c821bf90b87871f5947d2eb5c2126f68

SHA1
364e915ceb518f90a5b5efcf6e7ee4c836e8f9e9

SHA256
8269e4db0c88d1f164b4841d6784b70fd639014db39c6d22a246db067d19f321

SHA512
96b105f755d1485c9f46b1efb774ad7200c54e4d0915371a2e2833b6ada107ae1253177d693341551ef217598f6147fce928a772c35df735ad1db6cdbf9e8170

Download Submit
\Users\Admin\AppData\Local\Temp\awudj.exe

Filesize
336KB

MD5
e22c52e3ef16640b0746e8e498156b71

SHA1
00af1422899baf2142ed3d992494e0b6bbe846f1

SHA256
5cae546a11264d6a2671715552ac846aac97fe4a8fbb73f61565fa752a6e1b25

SHA512
1e74eb31b768ce3ca2b13ed544ac4bd930346bfa547d7954e342f1f061446c49d6d90aeb0ecea4214bb8393594fea5b4a647a8be0e803733e0464fd50870d301

Download Submit
\Users\Admin\AppData\Local\Temp\daquf.exe

Filesize
172KB

MD5
824c4a9d2a75e00b0fe5c61dea47ba0e

SHA1
f7d164c60dd9b8b4ee9b321a719d668cec24fedf

SHA256
eaea9f65a8050edbb975688fc6df16d9bd8b30cff181146b5c656a6bb855df22

SHA512
9e740b480dfd3626b6c9b618e3a3d9042eb8e69482f185ac6601eb253dcfb8a915e21c5d1bf94a70187f6790192129d036ece4920dcf8c311fbbd0ee0d3ce5ea

Download Submit
memory/2080-9-0x0000000000D80000-0x0000000000E01000-memory.dmp

Filesize
516KB

Download
memory/2080-21-0x0000000000F10000-0x0000000000F91000-memory.dmp

Filesize
516KB

Download
memory/2080-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2080-0-0x0000000000F10000-0x0000000000F91000-memory.dmp

Filesize
516KB

Download
memory/2156-51-0x0000000001200000-0x0000000001299000-memory.dmp

Filesize
612KB

Download
memory/2156-52-0x0000000001200000-0x0000000001299000-memory.dmp

Filesize
612KB

Download
memory/2156-48-0x0000000001200000-0x0000000001299000-memory.dmp

Filesize
612KB

Download
memory/2156-50-0x0000000001200000-0x0000000001299000-memory.dmp

Filesize
612KB

Download
memory/2156-49-0x0000000001200000-0x0000000001299000-memory.dmp

Filesize
612KB

Download
memory/2156-46-0x0000000001200000-0x0000000001299000-memory.dmp

Filesize
612KB

Download
memory/2156-43-0x0000000001200000-0x0000000001299000-memory.dmp

Filesize
612KB

Download
memory/2348-25-0x0000000000BC0000-0x0000000000C41000-memory.dmp

Filesize
516KB

Download
memory/2348-38-0x0000000003700000-0x0000000003799000-memory.dmp

Filesize
612KB

Download
memory/2348-42-0x0000000000BC0000-0x0000000000C41000-memory.dmp

Filesize
516KB

Download
memory/2348-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2348-11-0x0000000000BC0000-0x0000000000C41000-memory.dmp

Filesize
516KB

Download
memory/2348-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download