urelas | c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1

Analysis

max time kernel
149s
max time network
89s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe
Size

333KB
MD5

b73a1d20ba44fc157c979919730d53b0
SHA1

68decb89026da30677cb4a15bfc06fd6731fcc43
SHA256

c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1
SHA512

885e5a1a60ea24c48a0532833c7c0254665d119c53dfc6ede7c929cbf408450235ba9bc295e0eb8e26ec0587c414795c061288bab0d51a5aa4237925e9e09c08
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9D:vHW138/iXWlK885rKlGSekcj66ciWD

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2884	goriv.exe
2160	hizoq.exe

Loads dropped DLL 2 IoCs

pid	Process
1232	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe
2884	goriv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hizoq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	goriv.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe
2160	hizoq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2884	1232	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	30
PID 1232 wrote to memory of 2884	1232	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	30
PID 1232 wrote to memory of 2884	1232	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	30
PID 1232 wrote to memory of 2884	1232	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	30
PID 1232 wrote to memory of 2796	1232	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	31
PID 1232 wrote to memory of 2796	1232	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	31
PID 1232 wrote to memory of 2796	1232	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	31
PID 1232 wrote to memory of 2796	1232	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	31
PID 2884 wrote to memory of 2160	2884	goriv.exe	33
PID 2884 wrote to memory of 2160	2884	goriv.exe	33
PID 2884 wrote to memory of 2160	2884	goriv.exe	33
PID 2884 wrote to memory of 2160	2884	goriv.exe	33

C:\Users\Admin\AppData\Local\Temp\c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe
"C:\Users\Admin\AppData\Local\Temp\c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\goriv.exe
  "C:\Users\Admin\AppData\Local\Temp\goriv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\hizoq.exe
    "C:\Users\Admin\AppData\Local\Temp\hizoq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
c326a90cd16d97acc9229102e6666204

SHA1
93c2b71d8d210da2c5cd2ea5b147eba0cad85022

SHA256
887a78279680dece945f2b3f1f84e4e071a035b5d3be545b22b87d272c1f8d5b

SHA512
f7a3401e4684c1f1fb50ee2265dcd21dd952f11c2b9149362f5f9f4ce1c8cc6c227e284d373a79294dc6c4abf03dd31d1dfed7e5bba99ac2a2655cd829343a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
677f896daad9e8c48d58521a13998ab7

SHA1
c1857b70baeea6f57fe732f9d04475db400cf7bd

SHA256
b453fac792688c97064b813624d7eb6f5f0ae914e4ca6653e4a4347527d9ea60

SHA512
9fe9684b43df66c9e433a5e752b87f34b042be38f1526f9728101933ae9175ae1052e272cef89ab53ca878b61e4fb287711e342430226dda7a684255eda7ec43

Download Submit
\Users\Admin\AppData\Local\Temp\goriv.exe

Filesize
333KB

MD5
12466b2e8aa72fd8cc0bb0fdd69246ec

SHA1
67f1edb72dafb2ea24cce22b05da481b3a0b3bc0

SHA256
532146419cccb39f7eb175b4a6b7e92c3506d5f3c272c4cbd7c37b56d8251722

SHA512
29c2b227a5168c01564faceee3935adc67eb655e5bab0c3e41b639459e5cdb692badf9237939f182e145ee246a852ea29693d07efda4a14b48a15432dc5a5e78

Download Submit
\Users\Admin\AppData\Local\Temp\hizoq.exe

Filesize
172KB

MD5
bdc026bc51cd59e91c9566130893bca1

SHA1
06a4e52a867324fd05065be16f698c0eb8f948c6

SHA256
db5d2c5d8feaeed0501759b1ba956e59020497ace185e091817898691b179d75

SHA512
e9c072d8ca2122be2c6e04b8b13bfdfbfda7eca051b10722e9b590a3cfc89717c707a97d979c742164ef0d0404ddeb2414cb982b28b369a0fb3b8b9240fd398b

Download Submit
memory/1232-0-0x0000000000880000-0x0000000000901000-memory.dmp

Filesize
516KB

Download
memory/1232-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1232-9-0x0000000002300000-0x0000000002381000-memory.dmp

Filesize
516KB

Download
memory/1232-21-0x0000000000880000-0x0000000000901000-memory.dmp

Filesize
516KB

Download
memory/2160-47-0x0000000001110000-0x00000000011A9000-memory.dmp

Filesize
612KB

Download
memory/2160-45-0x0000000001110000-0x00000000011A9000-memory.dmp

Filesize
612KB

Download
memory/2160-42-0x0000000001110000-0x00000000011A9000-memory.dmp

Filesize
612KB

Download
memory/2160-48-0x0000000001110000-0x00000000011A9000-memory.dmp

Filesize
612KB

Download
memory/2160-49-0x0000000001110000-0x00000000011A9000-memory.dmp

Filesize
612KB

Download
memory/2160-50-0x0000000001110000-0x00000000011A9000-memory.dmp

Filesize
612KB

Download
memory/2160-51-0x0000000001110000-0x00000000011A9000-memory.dmp

Filesize
612KB

Download
memory/2884-24-0x0000000001290000-0x0000000001311000-memory.dmp

Filesize
516KB

Download
memory/2884-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2884-11-0x0000000001290000-0x0000000001311000-memory.dmp

Filesize
516KB

Download
memory/2884-41-0x0000000001290000-0x0000000001311000-memory.dmp

Filesize
516KB

Download
memory/2884-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download