urelas | 4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe
Size

356KB
MD5

89280f71892759a8b5d330cbed1a6b9c
SHA1

94fc6560599b5020fb558500a094394a5c85af8c
SHA256

4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75
SHA512

fed9aaf4e187023a341fbb4e785105b436d6f5d6501fa31b2841c87f65b06c37260dff6608671316783ad8dad84e620e190b87e0bfa686a821ad178d0ec03118
SSDEEP

6144:c1bYec5C8AAYLxhEmPG7qwmioqVsCqbN0h:MUyI6QmPPPqVsps

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2368	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

comyf.exeleqeja.execacid.exe

pid	Process
2988	comyf.exe
2776	leqeja.exe
1976	cacid.exe

Loads dropped DLL 5 IoCs

Processes:

4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.execomyf.exeleqeja.exe

pid	Process
2384	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe
2384	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe
2988	comyf.exe
2988	comyf.exe
2776	leqeja.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.execomyf.exeleqeja.execmd.execacid.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comyf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leqeja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

cacid.exe

pid	Process
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe
1976	cacid.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.execomyf.exeleqeja.exe

description	pid	Process	procid_target
PID 2384 wrote to memory of 2988	2384	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	30
PID 2384 wrote to memory of 2988	2384	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	30
PID 2384 wrote to memory of 2988	2384	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	30
PID 2384 wrote to memory of 2988	2384	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	30
PID 2384 wrote to memory of 2368	2384	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	31
PID 2384 wrote to memory of 2368	2384	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	31
PID 2384 wrote to memory of 2368	2384	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	31
PID 2384 wrote to memory of 2368	2384	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	31
PID 2988 wrote to memory of 2776	2988	comyf.exe	33
PID 2988 wrote to memory of 2776	2988	comyf.exe	33
PID 2988 wrote to memory of 2776	2988	comyf.exe	33
PID 2988 wrote to memory of 2776	2988	comyf.exe	33
PID 2776 wrote to memory of 1976	2776	leqeja.exe	35
PID 2776 wrote to memory of 1976	2776	leqeja.exe	35
PID 2776 wrote to memory of 1976	2776	leqeja.exe	35
PID 2776 wrote to memory of 1976	2776	leqeja.exe	35
PID 2776 wrote to memory of 1228	2776	leqeja.exe	36
PID 2776 wrote to memory of 1228	2776	leqeja.exe	36
PID 2776 wrote to memory of 1228	2776	leqeja.exe	36
PID 2776 wrote to memory of 1228	2776	leqeja.exe	36

C:\Users\Admin\AppData\Local\Temp\4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe
"C:\Users\Admin\AppData\Local\Temp\4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\comyf.exe
  "C:\Users\Admin\AppData\Local\Temp\comyf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\leqeja.exe
    "C:\Users\Admin\AppData\Local\Temp\leqeja.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\cacid.exe
      "C:\Users\Admin\AppData\Local\Temp\cacid.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1976
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
7e92148f36719a42fddad8c14576c5fb

SHA1
dac6c4bfec8e4cf082c6687fe412a725ba33bd55

SHA256
679349d8f05301cd7c60d87afda856ab194b9ee3da0189e77636b5199a354598

SHA512
0dea49b42ece51ebcb6af84e5f130eb5d859879e55ad3dbf6da0ad61f7c15717cd9451bc758674082a044877a21bb502ee25879752a12b7eab25e86b67d4e82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
43b5e1b182ac03467b86aded3bc35ae7

SHA1
beab788562f4689e9f1d08089073326853990bfb

SHA256
d6f55602d33a59eff0bc28cad81fa87407e9e5c51c6fd707c9fb83e3df16f8fe

SHA512
25cc7e7c37877a841109d0b000808846696791d5af30e4909ab918f145b2b719b6de7388a7d893e211ffa635c62935311f3cea6628391abf3c71dbdfac428976

Download Submit
C:\Users\Admin\AppData\Local\Temp\comyf.exe

Filesize
356KB

MD5
ed756f5db1bed60738cf9abb1ea455ae

SHA1
1fd98cc008e72509bacac7ea4908746917103278

SHA256
0ea2e84314e80b609d9393e67cf42877feb2ac215f0006c77fe2f5319b81aa2a

SHA512
d9f875be765b4d764117c1fc54dbf5effa7eb7edd95d3e12496c78548fefcee4d1dc309a059c7e99e1a40f8a53fb2e712acd670306348f2e7efe47372ca94c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3fc24c59ad40eb2ca07e7bacfc9a0627

SHA1
e5c72aa16689e63b6511a10806ef337fbabc258a

SHA256
009c8ac944f92e77dfdcdaf25684dbadb86c1f4ab2dbc32c2a791ea50f10d219

SHA512
4858a2b0964a197a9e0503f00f2699337671faa4c9ffe30dc26d7582948ee03d57dda3774f461365b5ccec16f30aaea190998f7fbc7f6d825d472864d62b5306

Download Submit
\Users\Admin\AppData\Local\Temp\cacid.exe

Filesize
107KB

MD5
631f20080cd01c579b9eafc42457d30e

SHA1
4c40ff0225e62fa16d039e7fd21b4521800df156

SHA256
f45cbfc8d4352ef8eb0c4e78ede7ab95af34ccaa3bc7bac5019d6fdf767e73e4

SHA512
e2df55c74c16f88a1bcb5f95b1c5829b1285cac195f3650293c2be173c43839be640eb81801e1ae75685b52a8d2c02db64f45b404ce492bf036e0316fe72b5c7

Download Submit
memory/1976-57-0x0000000000850000-0x00000000008D5000-memory.dmp

Filesize
532KB

Download
memory/1976-62-0x0000000000850000-0x00000000008D5000-memory.dmp

Filesize
532KB

Download
memory/1976-61-0x0000000000850000-0x00000000008D5000-memory.dmp

Filesize
532KB

Download
memory/1976-53-0x0000000000850000-0x00000000008D5000-memory.dmp

Filesize
532KB

Download
memory/1976-60-0x0000000000850000-0x00000000008D5000-memory.dmp

Filesize
532KB

Download
memory/1976-59-0x0000000000850000-0x00000000008D5000-memory.dmp

Filesize
532KB

Download
memory/1976-58-0x0000000000850000-0x00000000008D5000-memory.dmp

Filesize
532KB

Download
memory/2384-2-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2384-19-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2384-20-0x0000000002460000-0x00000000024B9000-memory.dmp

Filesize
356KB

Download
memory/2776-36-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2776-54-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2776-51-0x0000000003040000-0x00000000030C5000-memory.dmp

Filesize
532KB

Download
memory/2776-34-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2988-22-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2988-33-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download