urelas | 006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe
Size

1.8MB
MD5

6e952f66a99b3f8233c1189928cd205e
SHA1

3cc0b1fa84154ae3a80d9e9a3f34f36f425e3262
SHA256

006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305
SHA512

7cddd48bef8374d417b5b3ce6201808e786d500ad3db9dd861d648f6f42aece62c95bcd57f7c9b73589757f861513d58074067c9e4326e1e2ef4d7d40636b263
SSDEEP

49152:dOPZY2eGXeurFnT0gmRK7oMqkKgb93Jy/ZtvUPtvh1cs28IgkA2Qhamoy:2NeGXeupnPmRK7o9kKgb930hCvh1f289

Score

10^/10

urelas discovery trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2292	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2568	zikel.exe
692	achyy.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe
2568	zikel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zikel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	achyy.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe
692	achyy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	692	achyy.exe
Token: SeIncBasePriorityPrivilege	692	achyy.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2568	2064	006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe	31
PID 2064 wrote to memory of 2568	2064	006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe	31
PID 2064 wrote to memory of 2568	2064	006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe	31
PID 2064 wrote to memory of 2568	2064	006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe	31
PID 2064 wrote to memory of 2292	2064	006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe	32
PID 2064 wrote to memory of 2292	2064	006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe	32
PID 2064 wrote to memory of 2292	2064	006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe	32
PID 2064 wrote to memory of 2292	2064	006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe	32
PID 2568 wrote to memory of 692	2568	zikel.exe	34
PID 2568 wrote to memory of 692	2568	zikel.exe	34
PID 2568 wrote to memory of 692	2568	zikel.exe	34
PID 2568 wrote to memory of 692	2568	zikel.exe	34

C:\Users\Admin\AppData\Local\Temp\006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe
"C:\Users\Admin\AppData\Local\Temp\006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\zikel.exe
  "C:\Users\Admin\AppData\Local\Temp\zikel.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\achyy.exe
    "C:\Users\Admin\AppData\Local\Temp\achyy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
2b7d5984c42c418c3de8a2fbab7e0b77

SHA1
0b8b390aae7a42ae48f6807777fb119c288c68d0

SHA256
69ec452aa0a16f5a97633f84580d21f0195298a74f6e8827fc9c906bacd310ae

SHA512
d87db08ce3dfa05b59ffdd55580311b9ca1918dc36a28c9ac680c27bf59aecb1b620fe75e7c0ad2ad9d854b64df9ef412078a34d0de93686e8dd2c41ebc3cd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e8b83ec799181c552263d4c4f56b03c4

SHA1
153ea8da691015d2294fbda241ec55b3ed9e7c9c

SHA256
a1855dd1ae7628ac9eeace7e9b9709e185f8efbfbf37d6f6455428d585460965

SHA512
927e91294199dde389e71c06bb4d1af6a5bf8374387c9206e26b4e7e5204ee4e9934b4932d401987d3ed61fe90658ee336154564fabd994a06bb465873f71a43

Download Submit
\Users\Admin\AppData\Local\Temp\achyy.exe

Filesize
301KB

MD5
7f7d1fea343a6953e9472b4789ba4de2

SHA1
1c5b0160c6b6ae57e51b6475d685a69e95e3a5dc

SHA256
1c7a4689a92b6fe7d45edaca30da423b7f3622a8f7b7922e0dcec98d19457c9a

SHA512
95f63a499d0eccd67b39b8393bd9118070f1c74e6fb14bfcc64cebfe0ca2f4cd946ade0f2bfb56c15b9cda8f983d73b361734e66f8947f3eecda68333dc837f9

Download Submit
\Users\Admin\AppData\Local\Temp\zikel.exe

Filesize
1.8MB

MD5
d3f671fa974948955874d6478f5af046

SHA1
8b8ca3810b6880f2ebb3eedd524ac4aaa3b80c61

SHA256
c132b3a9e3814cd43b7f6fd341f4616e1bab558b4cdb77853986a4cc02d5b6ef

SHA512
2095618b96f3125c9d34641535e007be66b7b76d81e10d06ae16060b471ec3b94441f3a5d63af0ee7317503cf2a839fe7217f2d8145a500d74068ec37eab0ceb

Download Submit
memory/692-29-0x0000000000B30000-0x0000000000BC4000-memory.dmp

Filesize
592KB

Download
memory/692-27-0x0000000000B30000-0x0000000000BC4000-memory.dmp

Filesize
592KB

Download
memory/692-31-0x0000000000B30000-0x0000000000BC4000-memory.dmp

Filesize
592KB

Download
memory/692-32-0x0000000000B30000-0x0000000000BC4000-memory.dmp

Filesize
592KB

Download
memory/692-33-0x0000000000B30000-0x0000000000BC4000-memory.dmp

Filesize
592KB

Download
memory/692-34-0x0000000000B30000-0x0000000000BC4000-memory.dmp

Filesize
592KB

Download
memory/692-35-0x0000000000B30000-0x0000000000BC4000-memory.dmp

Filesize
592KB

Download
memory/2064-0-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2568-24-0x00000000036B0000-0x0000000003744000-memory.dmp

Filesize
592KB

Download