urelas | 6c7760f29cf975c00fea7f7613b9e1f56ec5be3f13efe45492b619c18da5de0d

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 23:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6c7760f29cf975c00fea7f7613b9e1f56ec5be3f13efe45492b619c18da5de0d.exe
Size

325KB
MD5

8c22231613461259dc67f7aea500144c
SHA1

c563e472e04ae768e99a0c015621548838f0df82
SHA256

6c7760f29cf975c00fea7f7613b9e1f56ec5be3f13efe45492b619c18da5de0d
SHA512

e9c0a188a1a47406b4622d8f7fed515e0d906f87f001417702d6f8db0445b0714bb32d2d7f4094ec2ef50cc0c4e4556599e7f8422045e593d5a84df9792ecea2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYw:vHW138/iXWlK885rKlGSekcj66cih

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2824	evwyb.exe
2848	vihib.exe

Loads dropped DLL 2 IoCs

pid	Process
2720	6c7760f29cf975c00fea7f7613b9e1f56ec5be3f13efe45492b619c18da5de0d.exe
2824	evwyb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vihib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c7760f29cf975c00fea7f7613b9e1f56ec5be3f13efe45492b619c18da5de0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evwyb.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe
2848	vihib.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2824	2720	6c7760f29cf975c00fea7f7613b9e1f56ec5be3f13efe45492b619c18da5de0d.exe	30
PID 2720 wrote to memory of 2824	2720	6c7760f29cf975c00fea7f7613b9e1f56ec5be3f13efe45492b619c18da5de0d.exe	30
PID 2720 wrote to memory of 2824	2720	6c7760f29cf975c00fea7f7613b9e1f56ec5be3f13efe45492b619c18da5de0d.exe	30
PID 2720 wrote to memory of 2824	2720	6c7760f29cf975c00fea7f7613b9e1f56ec5be3f13efe45492b619c18da5de0d.exe	30
PID 2720 wrote to memory of 2744	2720	6c7760f29cf975c00fea7f7613b9e1f56ec5be3f13efe45492b619c18da5de0d.exe	31
PID 2720 wrote to memory of 2744	2720	6c7760f29cf975c00fea7f7613b9e1f56ec5be3f13efe45492b619c18da5de0d.exe	31
PID 2720 wrote to memory of 2744	2720	6c7760f29cf975c00fea7f7613b9e1f56ec5be3f13efe45492b619c18da5de0d.exe	31
PID 2720 wrote to memory of 2744	2720	6c7760f29cf975c00fea7f7613b9e1f56ec5be3f13efe45492b619c18da5de0d.exe	31
PID 2824 wrote to memory of 2848	2824	evwyb.exe	34
PID 2824 wrote to memory of 2848	2824	evwyb.exe	34
PID 2824 wrote to memory of 2848	2824	evwyb.exe	34
PID 2824 wrote to memory of 2848	2824	evwyb.exe	34

C:\Users\Admin\AppData\Local\Temp\6c7760f29cf975c00fea7f7613b9e1f56ec5be3f13efe45492b619c18da5de0d.exe
"C:\Users\Admin\AppData\Local\Temp\6c7760f29cf975c00fea7f7613b9e1f56ec5be3f13efe45492b619c18da5de0d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\evwyb.exe
  "C:\Users\Admin\AppData\Local\Temp\evwyb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\vihib.exe
    "C:\Users\Admin\AppData\Local\Temp\vihib.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
330b2103dfbb4e89d7df0eb10d51247f

SHA1
de3751214fdae96be863e7e253131f24a08c7cc4

SHA256
77b8a5982caf828088abf9fc052e1cbdd1c79cb9cd7bb9ed66c5523f176dfe7d

SHA512
a9f6e84a532e08fb45b6322b4277f3548e2e6e5429b8343dc4a7587deeb0978c6f3a651a50952258c4177ab76aa1af914fe2276736d701fa4c10bf2464db0c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\evwyb.exe

Filesize
325KB

MD5
55678b3869ffebee6f39a08b3aac62e7

SHA1
5348e53fb414fae95b2b4ffe3601a42f736a6974

SHA256
204c58cc6bfc0cf5d9648b64cfdd1f0b543989e6e4e91852fb9b036d23c5e65a

SHA512
22fe3ab1eb84a3074e2094294b74a573f7e5720f07be17804f1997b48ed30a9934a5f6e79e38d8eb81edeac55ecb354810664e3456ac13bd8d64926b375284f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
95b61a77d314b0ea8378f8c7841edff9

SHA1
e02b0bd835e1621bf2a8ce3f52babc7a2ccbdcf8

SHA256
476257bc6df04484b836455772b902ebf689932efd9f99b2fbc4dbcb83d0eff8

SHA512
cca359eec3580159f40af1f7ff7d0436320343cbebaf3fd259f29a992397863055985fef6a2e4c9b13d144bcf96e5841bf1e62b41de0e629772d0c52bc864b59

Download Submit
\Users\Admin\AppData\Local\Temp\evwyb.exe

Filesize
325KB

MD5
42d65054885a905e0ea8da20d6d64c7e

SHA1
3defe9cd6f101b1a712361f56cba842417318b9c

SHA256
1a3218ace556646c758c35a7a8b42a2d487a7493ca35ec2ea5305e718474a52a

SHA512
94e4d4fd69c8c25e178479354c536e2020f834b1729f76efcdf8ea19d1e96a26b729dd70075102c810ddecea5583bd20ed90b04ba13da7be682bbd3ebf0805a8

Download Submit
\Users\Admin\AppData\Local\Temp\vihib.exe

Filesize
172KB

MD5
0c14e42714cf0bc82c43a930423b8485

SHA1
b2fe9d9d74c645a5747827bce904bedf9243e1de

SHA256
c93cfefb00d7b26db642a55826a0ab51096c77fae2fab27f34c95a7982cb25b6

SHA512
2716a23ec8b05d0a5ef6891b12e68c2317aab83119e83ea8d860e80b7d47092f20ed5e57ed8af1d7c0c1860b22a3c6ac1c3c7001e6eb48ee32a06d589d7045ab

Download Submit
memory/2720-8-0x0000000002180000-0x0000000002201000-memory.dmp

Filesize
516KB

Download
memory/2720-0-0x0000000000190000-0x0000000000211000-memory.dmp

Filesize
516KB

Download
memory/2720-21-0x0000000000190000-0x0000000000211000-memory.dmp

Filesize
516KB

Download
memory/2720-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2824-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2824-18-0x0000000001120000-0x00000000011A1000-memory.dmp

Filesize
516KB

Download
memory/2824-40-0x0000000003800000-0x0000000003899000-memory.dmp

Filesize
612KB

Download
memory/2824-39-0x0000000001120000-0x00000000011A1000-memory.dmp

Filesize
516KB

Download
memory/2824-24-0x0000000001120000-0x00000000011A1000-memory.dmp

Filesize
516KB

Download
memory/2848-45-0x0000000001030000-0x00000000010C9000-memory.dmp

Filesize
612KB

Download
memory/2848-42-0x0000000001030000-0x00000000010C9000-memory.dmp

Filesize
612KB

Download
memory/2848-48-0x0000000001030000-0x00000000010C9000-memory.dmp

Filesize
612KB

Download
memory/2848-49-0x0000000001030000-0x00000000010C9000-memory.dmp

Filesize
612KB

Download
memory/2848-50-0x0000000001030000-0x00000000010C9000-memory.dmp

Filesize
612KB

Download
memory/2848-51-0x0000000001030000-0x00000000010C9000-memory.dmp

Filesize
612KB

Download
memory/2848-52-0x0000000001030000-0x00000000010C9000-memory.dmp

Filesize
612KB

Download