urelas | 0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42a

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
Size

446KB
MD5

019dd5686e62593b1a205d4d1a4b85d0
SHA1

2e9ecbe2eb2d55692a299be7f155117284f077de
SHA256

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42a
SHA512

c083b7175daca3d47ca5e6b723de9178367be5dc1cd6a49f2509649e245a73ff83ca05e52626c0971dda3bd1c176d2182c40b1a884c1963bf9b20e77c3e43460
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpoG:PMpASIcWYx2U6hAJQnS

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2600	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

opxyh.exebybico.exehegae.exe

pid	Process
2608	opxyh.exe
332	bybico.exe
1604	hegae.exe

Loads dropped DLL 3 IoCs

Processes:

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exeopxyh.exebybico.exe

pid	Process
1712	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
2608	opxyh.exe
332	bybico.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exehegae.exe0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exeopxyh.exebybico.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hegae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opxyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bybico.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

hegae.exe

pid	Process
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe
1604	hegae.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exeopxyh.exebybico.exe

description	pid	Process	procid_target
PID 1712 wrote to memory of 2608	1712	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	30
PID 1712 wrote to memory of 2608	1712	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	30
PID 1712 wrote to memory of 2608	1712	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	30
PID 1712 wrote to memory of 2608	1712	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	30
PID 1712 wrote to memory of 2600	1712	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	31
PID 1712 wrote to memory of 2600	1712	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	31
PID 1712 wrote to memory of 2600	1712	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	31
PID 1712 wrote to memory of 2600	1712	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	31
PID 2608 wrote to memory of 332	2608	opxyh.exe	33
PID 2608 wrote to memory of 332	2608	opxyh.exe	33
PID 2608 wrote to memory of 332	2608	opxyh.exe	33
PID 2608 wrote to memory of 332	2608	opxyh.exe	33
PID 332 wrote to memory of 1604	332	bybico.exe	35
PID 332 wrote to memory of 1604	332	bybico.exe	35
PID 332 wrote to memory of 1604	332	bybico.exe	35
PID 332 wrote to memory of 1604	332	bybico.exe	35
PID 332 wrote to memory of 592	332	bybico.exe	36
PID 332 wrote to memory of 592	332	bybico.exe	36
PID 332 wrote to memory of 592	332	bybico.exe	36
PID 332 wrote to memory of 592	332	bybico.exe	36

C:\Users\Admin\AppData\Local\Temp\0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
"C:\Users\Admin\AppData\Local\Temp\0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\opxyh.exe
  "C:\Users\Admin\AppData\Local\Temp\opxyh.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\bybico.exe
    "C:\Users\Admin\AppData\Local\Temp\bybico.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Users\Admin\AppData\Local\Temp\hegae.exe
      "C:\Users\Admin\AppData\Local\Temp\hegae.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
8793e8e433434c5cee43ad475aa4d66c

SHA1
d351f2ad621f15703700f01be489c6557b2cb6cd

SHA256
9fe8bc2c5103c12e5bf4e54e427889bd1f8f00c98482a455c474829d13300e58

SHA512
528537bc19535f822498b561840c4b81524101b2656c6b0eab4e83e36841f99e20d8d54fe7923f3b7e48e007e062b01a2cd4fc2ff93354e26597f061a1e971d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
77bf596146b469ee8696be11ee7d4f30

SHA1
7dcbbfb6520cc97defd1cee20baaa32c21828345

SHA256
0afa7d549e09b71ca0dc3e23dbdee4773b20177e00a051523221681a1be99553

SHA512
945b3b1898ab09504fd2f138fba1e56013f5e26d6f46b4d410b5621bfc65fa5e5b93bddd6075cfe27680a15b428dca9674239ade75fa8361cd81612c3074100c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bybico.exe

Filesize
446KB

MD5
0885fbdbdc0cc8d7479473a13eb144ef

SHA1
b24c3a895297feef4876eb90595514276bf1ac9e

SHA256
0a49f6726331aa983c5fa49c0a33977ed7b2c4296c75cf139756da8d2f95a856

SHA512
b515b0e66b1d406f6e5df2ec2a4910eb1549870349c71066e580bacb345e67786a033c991c535420791bc01beb2b2e3bcfb06b3e6999bdcfadd1ee1c37ea12af

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3750b1cfa5f004427930312b42cbb3f9

SHA1
71330e4208a3de8c251310cbdcc2dbf619d0783e

SHA256
c6e24af8c7cacab9097ca000cf71af8357fcc593e6506b2bd7397db414d67b87

SHA512
d47b96af448db926711d74f10155febf99ad8d1e7d10dca2281f87e175af73a48aee2e4437c7fb5bfdd019ca835f6b6d07623c6ad24e193e200e92dfee4be82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\opxyh.exe

Filesize
446KB

MD5
f016dd5e44381cb2d3cce913ef40c81c

SHA1
460f4c357225305a8169a9722ab733253a79b985

SHA256
b583d6738bcc9ef6182f73bd22dff6d8e537e376481ae33eb4a240a06e470e5f

SHA512
4a48d1e86f4b287436d4e291fb6596eea5230e6de3389e8e8d50b9b629a0af15e9f9b06f16e78c1b745c47ce1dea259e850552c767a90352a76150d1dfbc2a22

Download Submit
\Users\Admin\AppData\Local\Temp\hegae.exe

Filesize
223KB

MD5
404e39fefa3f98871f5317cafb2ebb70

SHA1
26e6c450733f17834ffad76c510515f61dceb876

SHA256
f26a5d9750cca9acee30498dd08068c9104a09f0c299765fd6bb6fa1e1739d75

SHA512
b449adad45ec856f7472e85670e0f447b13c6a5138f78f97a267e487e5cb0dd85ec4587e2c5ace2fa2aac66df5cf8d3a6e84a1252658183f007044737c5e8a92

Download Submit
memory/332-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/332-44-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/332-36-0x0000000003510000-0x00000000035B0000-memory.dmp

Filesize
640KB

Download
memory/332-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1604-51-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/1604-49-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/1604-50-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/1604-52-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/1604-53-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/1604-54-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/1712-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1712-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2608-18-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2608-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download