urelas | 896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe
Size

332KB
MD5

53b4aad111dd092c1ed41cdacdff51ed
SHA1

529d031eda234ec9ed2c0cf252154544c054176c
SHA256

896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe
SHA512

c8436f4e032d23f0dc8dbc51a2c3e034fee3c40126dab94c0ee0791105ace7bd3ef3fea47b92d4452b860f251273c53412c13e0550b45ad3528838cad403751a
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYf:vHW138/iXWlK885rKlGSekcj66ciS

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2184	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2384	wasuh.exe
1892	hyzoz.exe

Loads dropped DLL 2 IoCs

pid	Process
2304	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe
2384	wasuh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wasuh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hyzoz.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe
1892	hyzoz.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2384	2304	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe	30
PID 2304 wrote to memory of 2384	2304	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe	30
PID 2304 wrote to memory of 2384	2304	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe	30
PID 2304 wrote to memory of 2384	2304	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe	30
PID 2304 wrote to memory of 2184	2304	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe	31
PID 2304 wrote to memory of 2184	2304	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe	31
PID 2304 wrote to memory of 2184	2304	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe	31
PID 2304 wrote to memory of 2184	2304	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe	31
PID 2384 wrote to memory of 1892	2384	wasuh.exe	34
PID 2384 wrote to memory of 1892	2384	wasuh.exe	34
PID 2384 wrote to memory of 1892	2384	wasuh.exe	34
PID 2384 wrote to memory of 1892	2384	wasuh.exe	34

C:\Users\Admin\AppData\Local\Temp\896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe
"C:\Users\Admin\AppData\Local\Temp\896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\wasuh.exe
  "C:\Users\Admin\AppData\Local\Temp\wasuh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\hyzoz.exe
    "C:\Users\Admin\AppData\Local\Temp\hyzoz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
1b5679d98aa27ce59af39bee793ac5ba

SHA1
165d9906d3e10c631adf587bc205ee48a30181a7

SHA256
4ac71c1a8674ff3b59a7d181587199ed849a480c47b0d1035bed4995b361a9f4

SHA512
22cb254358f0b8511c9f630dcf1d96f4e56351c49f18a5350aeb467796efca839c281cb9073f17647f43030e656dc612210b3e802f1103cd54f3a11eb7afa50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5940444ce0d0b0eb8e2b66bb22fec470

SHA1
bf0a56048ad7588dc7c771afb05129e56a2b9ee8

SHA256
f48fb6ceb3108c93cf427b51772fd99c5cb95e63f7d7334720460f3ed1f511e5

SHA512
5fa81f806281595026f62eba141c4109ebadea02d907a4369351fdf5b573adb64679b823f5c869c5f6799458926b1f29f29aea50a17cf7acedc99354c6787391

Download Submit
\Users\Admin\AppData\Local\Temp\hyzoz.exe

Filesize
172KB

MD5
502f92390fb9de9fbeb2e87625e30935

SHA1
0399be5838cd01ecdba840e46b61e70eb52b94a2

SHA256
c7f0e27a447855832bf108340f72c772ba65962b12cf9ad5751610b6f88d2764

SHA512
9185163fc481077b5460a9a20ea4a2c1ec0492649edb48cc87bebb64dd5a39060c63ac79f24b7df874167ad8b058f6bc906974fa67409dd559fdd6f1e6f4da18

Download Submit
\Users\Admin\AppData\Local\Temp\wasuh.exe

Filesize
332KB

MD5
77088699714de6fd40685c08b21ff699

SHA1
f13153d0aa4d1716c7d4b56ce8914cb569e5c834

SHA256
7b8498ebb7db7c9218fa02b6f2feebc0c59a23523fff128b0ca83b262dc8533b

SHA512
83a63d2c43dab213c44f254dc66e3c8fb89c6cc23e461851f72dd4e04923a910f1f7d3521163db2e72f52597180f005fcea2cca2cfd5deb01f2e822814f370e0

Download Submit
memory/1892-45-0x0000000000FE0000-0x0000000001079000-memory.dmp

Filesize
612KB

Download
memory/1892-40-0x0000000000FE0000-0x0000000001079000-memory.dmp

Filesize
612KB

Download
memory/1892-49-0x0000000000FE0000-0x0000000001079000-memory.dmp

Filesize
612KB

Download
memory/1892-48-0x0000000000FE0000-0x0000000001079000-memory.dmp

Filesize
612KB

Download
memory/1892-47-0x0000000000FE0000-0x0000000001079000-memory.dmp

Filesize
612KB

Download
memory/1892-46-0x0000000000FE0000-0x0000000001079000-memory.dmp

Filesize
612KB

Download
memory/1892-41-0x0000000000FE0000-0x0000000001079000-memory.dmp

Filesize
612KB

Download
memory/2304-9-0x0000000000F90000-0x0000000001011000-memory.dmp

Filesize
516KB

Download
memory/2304-0-0x0000000001360000-0x00000000013E1000-memory.dmp

Filesize
516KB

Download
memory/2304-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2304-18-0x0000000001360000-0x00000000013E1000-memory.dmp

Filesize
516KB

Download
memory/2384-39-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/2384-35-0x0000000003200000-0x0000000003299000-memory.dmp

Filesize
612KB

Download
memory/2384-23-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/2384-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2384-19-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download