urelas | bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9

Resubmissions

26-01-2025 03:48

250126-ec5anasnaj 10

26-01-2025 03:44

250126-eal2as1jdz 10

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-01-2025 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe
Size

505KB
MD5

e8c2d1a78d3f6c19c06a82c8fa661946
SHA1

3dac0a7c3a8b17bb26283fe5e0f1f2547dc161c9
SHA256

bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9
SHA512

f572a0740c2c823c3768fe89beebba122ecee8f6c036395908a7b37c2b64885ae1bcc8914e66b3eb97763a779463b3797d12d75eb1f9cfbb3cd6b2d4c8ee7ab9
SSDEEP

12288:N/fCEOMsm8nc3qWQ8wqKhb43nLl5tDrXlFO:N/D0caF8wvhb43pDbO

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2776	numib.exe
2024	wuuqo.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe
2776	numib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuuqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	numib.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe
2024	wuuqo.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2776	2156	bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe	30
PID 2156 wrote to memory of 2776	2156	bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe	30
PID 2156 wrote to memory of 2776	2156	bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe	30
PID 2156 wrote to memory of 2776	2156	bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe	30
PID 2156 wrote to memory of 2784	2156	bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe	31
PID 2156 wrote to memory of 2784	2156	bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe	31
PID 2156 wrote to memory of 2784	2156	bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe	31
PID 2156 wrote to memory of 2784	2156	bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe	31
PID 2776 wrote to memory of 2024	2776	numib.exe	34
PID 2776 wrote to memory of 2024	2776	numib.exe	34
PID 2776 wrote to memory of 2024	2776	numib.exe	34
PID 2776 wrote to memory of 2024	2776	numib.exe	34

C:\Users\Admin\AppData\Local\Temp\bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe
"C:\Users\Admin\AppData\Local\Temp\bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\numib.exe
  "C:\Users\Admin\AppData\Local\Temp\numib.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\wuuqo.exe
    "C:\Users\Admin\AppData\Local\Temp\wuuqo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
470456365dbdf08d67a707931b70b423

SHA1
c1568446d3a6daf6e08ba343e1111b6f8cbd83d8

SHA256
f0596ed299657ca0cc56dec4c2a6b056517a5697264f6fb5ae0f2df1f4995610

SHA512
eef7c083f488e0161fef9dcd2dbd36821fa29c62407b0a2ceef20beef94dcf00969070314c9118237871075d0b60f43368795402236eb96c48cf3085489dca9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
dc2548fc09179f8fbd27ac54080d19ff

SHA1
202df25bdcaac18779d5da7e547d09fc99775358

SHA256
5a106187e5c7b8e3a83a5d7a173de69896c77f985bd6b6d726a6d46790f10470

SHA512
d08e5a42d27b9de005474480394dd0a141ddeaa38d08b9d8bf7a62b0849d1c028db1a8e7276ca4e7b77b2ea299daab13a7ebd71cfd77c7029521b425cfd1ed3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuuqo.exe

Filesize
218KB

MD5
17e51e468276c5db05bdddcab6d5a88c

SHA1
a0ef90f24e12de4e6a36536e7e31d6ede14078b6

SHA256
4ada9d7624b398e653c024d23c92c2158acac9b841cac4280416b3949c3a8591

SHA512
f3c1ab1f6a8302980df3b849341a881e1bea9f7a1a56cc527aa5e745ecdd30ad402c496576c67a92c03fb6bf28b8b9cb7849790605acc6cc946d922689c1d3be

Download Submit
\Users\Admin\AppData\Local\Temp\numib.exe

Filesize
505KB

MD5
87c0d3e805b38c6eadec5cf1ea028dae

SHA1
e7a2fbe2dcaa88c15d4b2cb207b81ca7aa83bcb8

SHA256
7ba5cb90cf2258025dbb154b156f78100034a5f83078b00aea8bdb062a448f4e

SHA512
7ac5a67d9bc92989f3d69e321f6107e05d8420eef4b0156986495cee2c193a5e4dc982cb24d5ff23c44c1601a5bf3bf9a581777f9a5432921cefc997b331871c

Download Submit
memory/2024-30-0x0000000000CE0000-0x0000000000D9B000-memory.dmp

Filesize
748KB

Download
memory/2024-36-0x0000000000CE0000-0x0000000000D9B000-memory.dmp

Filesize
748KB

Download
memory/2024-35-0x0000000000CE0000-0x0000000000D9B000-memory.dmp

Filesize
748KB

Download
memory/2024-34-0x0000000000CE0000-0x0000000000D9B000-memory.dmp

Filesize
748KB

Download
memory/2024-33-0x0000000000CE0000-0x0000000000D9B000-memory.dmp

Filesize
748KB

Download
memory/2024-32-0x0000000000CE0000-0x0000000000D9B000-memory.dmp

Filesize
748KB

Download
memory/2156-8-0x00000000028F0000-0x0000000002976000-memory.dmp

Filesize
536KB

Download
memory/2156-18-0x00000000010C0000-0x0000000001146000-memory.dmp

Filesize
536KB

Download
memory/2156-0-0x00000000010C0000-0x0000000001146000-memory.dmp

Filesize
536KB

Download
memory/2776-29-0x00000000003D0000-0x0000000000456000-memory.dmp

Filesize
536KB

Download
memory/2776-27-0x00000000032D0000-0x000000000338B000-memory.dmp

Filesize
748KB

Download
memory/2776-21-0x00000000003D0000-0x0000000000456000-memory.dmp

Filesize
536KB

Download
memory/2776-16-0x00000000003D0000-0x0000000000456000-memory.dmp

Filesize
536KB

Download