urelas | 77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/01/2025, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
Size

438KB
MD5

b40e208afec48c1c8d1e41e87d015453
SHA1

56fedd2c3fa4b49bd550ef362180e8d7a26b334f
SHA256

77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09
SHA512

f104219b752306fe690607f2d123dd2d1604d6b36257eaebe58696bbd2beb2454b32b20c7779ce2a24af083ec2cc1744fe3e53323448430e39d88be9ffed0316
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMM2:rKf1PyKa2H3hOHOHz9JQ6zB8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2480	qykic.exe
2876	welyl.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
2480	qykic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qykic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	welyl.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe
2876	welyl.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2480	2504	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	31
PID 2504 wrote to memory of 2480	2504	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	31
PID 2504 wrote to memory of 2480	2504	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	31
PID 2504 wrote to memory of 2480	2504	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	31
PID 2504 wrote to memory of 2720	2504	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	32
PID 2504 wrote to memory of 2720	2504	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	32
PID 2504 wrote to memory of 2720	2504	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	32
PID 2504 wrote to memory of 2720	2504	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	32
PID 2480 wrote to memory of 2876	2480	qykic.exe	34
PID 2480 wrote to memory of 2876	2480	qykic.exe	34
PID 2480 wrote to memory of 2876	2480	qykic.exe	34
PID 2480 wrote to memory of 2876	2480	qykic.exe	34

C:\Users\Admin\AppData\Local\Temp\77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
"C:\Users\Admin\AppData\Local\Temp\77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\qykic.exe
  "C:\Users\Admin\AppData\Local\Temp\qykic.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\welyl.exe
    "C:\Users\Admin\AppData\Local\Temp\welyl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
18cf1d671fe761828e90f702d62429ba

SHA1
e2bde96e97376e360e63107ca7c97bae293545ca

SHA256
a84a755ffdbdaa156ddb7f8143e74d3f64e00de1c01cd0382c38a9b6eae0ad77

SHA512
42a26336d3c0c1184ad03c2987e18f331205a5df82babfbe4d13fa198066ca4bc8ee26543e3963878cb95a59191d8c477a3a975e0c8ea0cb2b31b24fa1202282

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5ebc4eaef68c33b55e90d7a961bc7765

SHA1
7d6753a015a0dad0305ad6a92d2742f2a4d94132

SHA256
6c920b4af9ec01a47a4fcd93969fcf1acc8b735f2ec0a1b35c934cb85c33b13d

SHA512
4561f13429bb04a63db74c60dc1b1d455cd036f54b44c00163f1e05755e3bacf283016a9b4152de07eeedb092f56fca0b7bffbf1f3cc82c0d26d2254937ecf4e

Download Submit
\Users\Admin\AppData\Local\Temp\qykic.exe

Filesize
438KB

MD5
adff480c42bb68cfe0e42494af2d4805

SHA1
96455d7bed931398830b52b1b43c504e72745ea2

SHA256
c1853dc00aef2d50be429f9a7b96c339e62620c3262e64f7707675c9064e39ba

SHA512
eab4600163a971080cf28c3ee1434131ee382e41aab607269fc0bfc1e7fb6a4e4ff9a74a8686a1d0db1cd5db5d768f5b878c2c64f8a9af54db0235b690d5ffdb

Download Submit
\Users\Admin\AppData\Local\Temp\welyl.exe

Filesize
230KB

MD5
b8aa367b0274a58d9bcd3d6f8a31f671

SHA1
1b13ff8f92e1a273f736b9c79b07b2cbf92c29f5

SHA256
9972d7028c5d81347e71ab116046acc81583d0ebc56d1a4a07ef3c4dbbe9369e

SHA512
a793138129898f7e12de055c94eca296f554d5653113b8f455f00fa4e72a70986a9ee1729ec5c97f50d4934be5fae8556ae17af4f3f592291efcf31283caa3de

Download Submit
memory/2480-28-0x0000000000A20000-0x0000000000A8E000-memory.dmp

Filesize
440KB

Download
memory/2480-21-0x0000000000A20000-0x0000000000A8E000-memory.dmp

Filesize
440KB

Download
memory/2480-27-0x00000000030F0000-0x000000000318E000-memory.dmp

Filesize
632KB

Download
memory/2480-10-0x0000000000A20000-0x0000000000A8E000-memory.dmp

Filesize
440KB

Download
memory/2504-18-0x0000000000C40000-0x0000000000CAE000-memory.dmp

Filesize
440KB

Download
memory/2504-6-0x0000000000AD0000-0x0000000000B3E000-memory.dmp

Filesize
440KB

Download
memory/2504-0-0x0000000000C40000-0x0000000000CAE000-memory.dmp

Filesize
440KB

Download
memory/2876-31-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2876-30-0x0000000000B10000-0x0000000000BAE000-memory.dmp

Filesize
632KB

Download
memory/2876-34-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2876-33-0x0000000000B10000-0x0000000000BAE000-memory.dmp

Filesize
632KB

Download
memory/2876-35-0x0000000000B10000-0x0000000000BAE000-memory.dmp

Filesize
632KB

Download
memory/2876-36-0x0000000000B10000-0x0000000000BAE000-memory.dmp

Filesize
632KB

Download
memory/2876-37-0x0000000000B10000-0x0000000000BAE000-memory.dmp

Filesize
632KB

Download
memory/2876-38-0x0000000000B10000-0x0000000000BAE000-memory.dmp

Filesize
632KB

Download