urelas | 1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24/01/2025, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
Size

337KB
MD5

e6b76480839da7c11075198a296521db
SHA1

16ea461d8ccd09bda7f9535d24448bc46d897425
SHA256

1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60
SHA512

3f0a99d13b9a77f0570f45c9be72c0e52ae34101de65924ee6091e2df8238c1e9e433453569b17ed8caa142fb603c3c163574a9f19063b0793a56665dc4fc440
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKCM:vHW138/iXWlK885rKlGSekcj66ciZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
3028	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2352	gyotn.exe
2440	tikoj.exe

Loads dropped DLL 2 IoCs

pid	Process
2428	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
2352	gyotn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyotn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tikoj.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe
2440	tikoj.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2352	2428	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	30
PID 2428 wrote to memory of 2352	2428	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	30
PID 2428 wrote to memory of 2352	2428	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	30
PID 2428 wrote to memory of 2352	2428	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	30
PID 2428 wrote to memory of 3028	2428	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	31
PID 2428 wrote to memory of 3028	2428	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	31
PID 2428 wrote to memory of 3028	2428	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	31
PID 2428 wrote to memory of 3028	2428	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	31
PID 2352 wrote to memory of 2440	2352	gyotn.exe	34
PID 2352 wrote to memory of 2440	2352	gyotn.exe	34
PID 2352 wrote to memory of 2440	2352	gyotn.exe	34
PID 2352 wrote to memory of 2440	2352	gyotn.exe	34

C:\Users\Admin\AppData\Local\Temp\1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
"C:\Users\Admin\AppData\Local\Temp\1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\gyotn.exe
  "C:\Users\Admin\AppData\Local\Temp\gyotn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\tikoj.exe
    "C:\Users\Admin\AppData\Local\Temp\tikoj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a0c488d232db3ca63d36e74b97204d55

SHA1
208d0c1a9151a12e595a11e8619232e6cd127acb

SHA256
11b4793224a20e7bd0c38fc6fb7fb81bbe7aee3223dc73ba80bcddd263054c05

SHA512
73a0f5565c767226837add0668e88825f0cc18b90859b32225eb5e5da5d93002c8a8cda5a01c07d8539e205e9ce393deb745a99c5e207409b88aeac4327721d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e6b97663bc0c4a30dc828a18a89646f9

SHA1
3109b6b9712cc8a5a198518980a9979e6f34497f

SHA256
a980300d6019a4cef777811afd42e50c5374a64454760f412ca7aec6216f1f3d

SHA512
68cf60983aeeb4db38a01157b7c507a1efd5da0f20f42b4373b5acfc635e0a740cf6adcda99c5f774039f6b327ef5c3039c9d1e332bd4038fc6ab49dcb2d9198

Download Submit
C:\Users\Admin\AppData\Local\Temp\tikoj.exe

Filesize
172KB

MD5
83e6619389f018728d06898a1c34fbfb

SHA1
140a891a30daf68c1847cd88af3865cfac98d90d

SHA256
4b50a8ca8dd253e8dcf06977700614bda332504f96cb646c72ca15d8e498e9ab

SHA512
5639ce727cca60cbb443c2820cbc038ed4cb56a2a6be6739357c18b4ea337a7b4779ef0470b769fa8c1f486dba1aa2d05b14a61b3b43a9fa2407c74a74333b55

Download Submit
\Users\Admin\AppData\Local\Temp\gyotn.exe

Filesize
337KB

MD5
ff69ac43cf8186cb1db5c9b8d70128d4

SHA1
8c3a01b91a21fe2d7bcb4b95567c15c9add31624

SHA256
4d329f9d221388014426ea93e51115f004db2f2c4561cc7b377b4ec8ddc86e9a

SHA512
b45dfffbaa57080f0e146fe6b6d13ac1ec17839378d7740db26dafc6e5f0cce54d22799f76ef88dc61c4d836d35465de53ba3553959809d8d9aae85cab6f5b5d

Download Submit
memory/2352-24-0x0000000000EE0000-0x0000000000F61000-memory.dmp

Filesize
516KB

Download
memory/2352-42-0x0000000000EE0000-0x0000000000F61000-memory.dmp

Filesize
516KB

Download
memory/2352-18-0x0000000000EE0000-0x0000000000F61000-memory.dmp

Filesize
516KB

Download
memory/2352-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2352-39-0x00000000035A0000-0x0000000003639000-memory.dmp

Filesize
612KB

Download
memory/2352-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2428-20-0x00000000009E0000-0x0000000000A61000-memory.dmp

Filesize
516KB

Download
memory/2428-9-0x0000000002840000-0x00000000028C1000-memory.dmp

Filesize
516KB

Download
memory/2428-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2428-0-0x00000000009E0000-0x0000000000A61000-memory.dmp

Filesize
516KB

Download
memory/2440-46-0x0000000000B00000-0x0000000000B99000-memory.dmp

Filesize
612KB

Download
memory/2440-43-0x0000000000B00000-0x0000000000B99000-memory.dmp

Filesize
612KB

Download
memory/2440-48-0x0000000000B00000-0x0000000000B99000-memory.dmp

Filesize
612KB

Download
memory/2440-49-0x0000000000B00000-0x0000000000B99000-memory.dmp

Filesize
612KB

Download
memory/2440-50-0x0000000000B00000-0x0000000000B99000-memory.dmp

Filesize
612KB

Download
memory/2440-51-0x0000000000B00000-0x0000000000B99000-memory.dmp

Filesize
612KB

Download
memory/2440-52-0x0000000000B00000-0x0000000000B99000-memory.dmp

Filesize
612KB

Download