urelas | d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe
Size

337KB
MD5

21fc82e8da85bd4559bf9463b21daa93
SHA1

8cccfd8370ab062a34ad417d7869bfaab1992104
SHA256

d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a
SHA512

cb908c8bd1bf7e40d23d704ad942f264f0ce10715cb90b57045b7ad4954373f93eeae4e33dc58312358ed5e5b3e26d1c1040e7e384f84adf2f3dd5e0c763c65f
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKog3:vHW138/iXWlK885rKlGSekcj66ciT

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2088	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2792	vumim.exe
1452	uzjom.exe

Loads dropped DLL 2 IoCs

pid	Process
2084	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe
2792	vumim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vumim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzjom.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe
1452	uzjom.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2792	2084	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe	31
PID 2084 wrote to memory of 2792	2084	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe	31
PID 2084 wrote to memory of 2792	2084	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe	31
PID 2084 wrote to memory of 2792	2084	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe	31
PID 2084 wrote to memory of 2088	2084	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe	32
PID 2084 wrote to memory of 2088	2084	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe	32
PID 2084 wrote to memory of 2088	2084	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe	32
PID 2084 wrote to memory of 2088	2084	d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe	32
PID 2792 wrote to memory of 1452	2792	vumim.exe	35
PID 2792 wrote to memory of 1452	2792	vumim.exe	35
PID 2792 wrote to memory of 1452	2792	vumim.exe	35
PID 2792 wrote to memory of 1452	2792	vumim.exe	35

C:\Users\Admin\AppData\Local\Temp\d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe
"C:\Users\Admin\AppData\Local\Temp\d013d643c632acae42707dac647225d064bfa4036e908f4d01888ab91eae5b7a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\vumim.exe
  "C:\Users\Admin\AppData\Local\Temp\vumim.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\uzjom.exe
    "C:\Users\Admin\AppData\Local\Temp\uzjom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
e7e61a0f41fa47a08ecc1c01a21645c6

SHA1
faa399d6d1ce686f32c20fc6d42b52ab113ada96

SHA256
43c3026ec13d159889e3f7b0f1cb5b5ab6af294b0518dd6fb77dcc0ca11b154d

SHA512
1265ec182bb18e01356f71c0f8a164e6ba37d81b1b22874b83efc5c2e051eb1af037100441307ec2c93a6683f038d8755e93a93bd89501dc42c22416baab7d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
23705a9d2c612c2ab98f45325f9a2143

SHA1
59e98728d117394f51b62fca364ccd3c0035c512

SHA256
eb56aff137c85050e6b932cf3c206353d0cdc0905dec2333798485ba871d2240

SHA512
0d6f21addbf55421958d8fc2fdbff302d1f9592da92885708b2a1e3432f563fea5bff6fdafb50971b29076effa1218fec35f29656350f7f231921e914bc27461

Download Submit
\Users\Admin\AppData\Local\Temp\uzjom.exe

Filesize
172KB

MD5
99491c5a3a76f84cb187f643c060401c

SHA1
127b586c9f7220d4dcb34ef54bf74b7a79dd2a5d

SHA256
095d532cb7543ccbb5781850596d45d9c9d2ee02de20533009a2be8d477e900f

SHA512
bceb7b163034669c8aa2649b4450f5e0509189c4b908e98117a7f0f79487bf316e4e965a5238f4db61247df0ecdb9a051fd3a50746cc2626352276328e2d22b3

Download Submit
\Users\Admin\AppData\Local\Temp\vumim.exe

Filesize
337KB

MD5
933dbdb995fcd583e01e050af472e6c2

SHA1
9f12930d6703d43fb644f32976f85a147bf1411b

SHA256
9adce6b155e1797cea6ab7bce540738a3e3ed391475cbc6b8d53527f3bebde8f

SHA512
4691577e7bf9389aa1eb4d30be0928a2a8ad7b29df3ae79dcd9251a7b4dd6e8e4ffb89325aafbae9c14194d0d6e0463d2334e35fa8e6a3e946eb033b14f27c96

Download Submit
memory/1452-50-0x00000000011C0000-0x0000000001259000-memory.dmp

Filesize
612KB

Download
memory/1452-47-0x00000000011C0000-0x0000000001259000-memory.dmp

Filesize
612KB

Download
memory/1452-49-0x00000000011C0000-0x0000000001259000-memory.dmp

Filesize
612KB

Download
memory/1452-41-0x00000000011C0000-0x0000000001259000-memory.dmp

Filesize
612KB

Download
memory/1452-48-0x00000000011C0000-0x0000000001259000-memory.dmp

Filesize
612KB

Download
memory/1452-42-0x00000000011C0000-0x0000000001259000-memory.dmp

Filesize
612KB

Download
memory/1452-46-0x00000000011C0000-0x0000000001259000-memory.dmp

Filesize
612KB

Download
memory/2084-17-0x00000000009A0000-0x0000000000A21000-memory.dmp

Filesize
516KB

Download
memory/2084-21-0x0000000000CE0000-0x0000000000D61000-memory.dmp

Filesize
516KB

Download
memory/2084-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2084-0-0x0000000000CE0000-0x0000000000D61000-memory.dmp

Filesize
516KB

Download
memory/2792-18-0x0000000001310000-0x0000000001391000-memory.dmp

Filesize
516KB

Download
memory/2792-40-0x0000000001310000-0x0000000001391000-memory.dmp

Filesize
516KB

Download
memory/2792-24-0x0000000001310000-0x0000000001391000-memory.dmp

Filesize
516KB

Download
memory/2792-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download