urelas | 7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe
Size

332KB
MD5

13992396b49c6e96678bffe09a3b8cb0
SHA1

49a6b856d8be5ed9e7e5835545a640f559f5b114
SHA256

7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192
SHA512

5f38620cf2f423eb73b2aa323ae82c7ca51903f9456f5a2994a5960db7ce5cbebe5c89de9c3f4285487ccb0b872b7724a42a4189da5240624418831458f61f30
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYU:vHW138/iXWlK885rKlGSekcj66ciB

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2896	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

coqoo.exeegver.exe

pid	Process
268	coqoo.exe
1712	egver.exe

Loads dropped DLL 2 IoCs

Processes:

7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.execoqoo.exe

pid	Process
2084	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe
268	coqoo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

egver.exe7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.execoqoo.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	egver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coqoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

egver.exe

pid	Process
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe
1712	egver.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.execoqoo.exe

description	pid	Process	procid_target
PID 2084 wrote to memory of 268	2084	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe	28
PID 2084 wrote to memory of 268	2084	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe	28
PID 2084 wrote to memory of 268	2084	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe	28
PID 2084 wrote to memory of 268	2084	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe	28
PID 2084 wrote to memory of 2896	2084	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe	29
PID 2084 wrote to memory of 2896	2084	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe	29
PID 2084 wrote to memory of 2896	2084	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe	29
PID 2084 wrote to memory of 2896	2084	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe	29
PID 268 wrote to memory of 1712	268	coqoo.exe	33
PID 268 wrote to memory of 1712	268	coqoo.exe	33
PID 268 wrote to memory of 1712	268	coqoo.exe	33
PID 268 wrote to memory of 1712	268	coqoo.exe	33

C:\Users\Admin\AppData\Local\Temp\7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe
"C:\Users\Admin\AppData\Local\Temp\7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\coqoo.exe
  "C:\Users\Admin\AppData\Local\Temp\coqoo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Users\Admin\AppData\Local\Temp\egver.exe
    "C:\Users\Admin\AppData\Local\Temp\egver.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
72cf3be34e2def38ded4e5de41ad1c36

SHA1
b05f8a4e1443014527616972c605afad11326bea

SHA256
8d17bab488d97db4cd55ffb3b62deb5eaed6dca58dfa797ba2c43bd734dbd725

SHA512
e5fb259d814a1b4bcbbc833a27e439c5346b9aa084758be38097e3a9abbeb0676bb11ca912b398633a43e11b34ec802b2c930d8f9f5eed30d1305b4131706da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8136c3a304e2d98e15dcec804f898fd7

SHA1
5021286c94e41834b104b51cc8f81c88b15fcc97

SHA256
7b7b4c3f64070ef67d30eaec3294783506e5fed85c4f4c416b2a6fcfc8c0b60e

SHA512
de63f83fc3d0737f978d9893203d2a559ce29ba90f09bf400771cfd04eddd7411349a44306b0f8b55f1620acfbb9d9119aed5ec05e836f7e508cfc31e2d1ddaf

Download Submit
\Users\Admin\AppData\Local\Temp\coqoo.exe

Filesize
332KB

MD5
bb0d4e7130ebf8d56d1d69d3247ec0ac

SHA1
cc804d74ae97a15f3aaadd53f49b337f71994df5

SHA256
047dff9812ad9e562305b65928f790f3d21c1dbdf3aab4ddb4620031cb5f19f9

SHA512
a890a5b361c308236d564a3242edfb973d906242f67460aaba45d6587fdda9b696ba1b910a4b1c5fde8f1a021788369003b01cd11f16b178453887bb08d3e042

Download Submit
\Users\Admin\AppData\Local\Temp\egver.exe

Filesize
172KB

MD5
8cf9610ab97b51fa5fd0c156d872818c

SHA1
a5286349bca9db99faf0f63c870ae5eb95b22cf3

SHA256
6c6235689969f3a895581a3f08b69c64aa111903d31e6b5e45225e132be33e3b

SHA512
c332086a7c8109ec2efdd6d1306dd623a83d4f0d08e3a417d314ee2ee51b150aefc9ed310c2825c91da63d8fa4602ad9aec5410f8c228f319a9c4f58b391c779

Download Submit
memory/268-24-0x0000000001220000-0x00000000012A1000-memory.dmp

Filesize
516KB

Download
memory/268-19-0x0000000001220000-0x00000000012A1000-memory.dmp

Filesize
516KB

Download
memory/268-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/268-23-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/268-37-0x00000000032B0000-0x0000000003349000-memory.dmp

Filesize
612KB

Download
memory/268-41-0x0000000001220000-0x00000000012A1000-memory.dmp

Filesize
516KB

Download
memory/1712-47-0x0000000000870000-0x0000000000909000-memory.dmp

Filesize
612KB

Download
memory/1712-50-0x0000000000870000-0x0000000000909000-memory.dmp

Filesize
612KB

Download
memory/1712-49-0x0000000000870000-0x0000000000909000-memory.dmp

Filesize
612KB

Download
memory/1712-48-0x0000000000870000-0x0000000000909000-memory.dmp

Filesize
612KB

Download
memory/1712-42-0x0000000000870000-0x0000000000909000-memory.dmp

Filesize
612KB

Download
memory/1712-46-0x0000000000870000-0x0000000000909000-memory.dmp

Filesize
612KB

Download
memory/2084-20-0x0000000000180000-0x0000000000201000-memory.dmp

Filesize
516KB

Download
memory/2084-0-0x0000000000180000-0x0000000000201000-memory.dmp

Filesize
516KB

Download
memory/2084-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2084-10-0x0000000002C70000-0x0000000002CF1000-memory.dmp

Filesize
516KB

Download