urelas | c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe
Size

332KB
MD5

dd283e263e2b0339bf8bb6a19a7ef990
SHA1

b91c87e5ca1573739a501f8bd91b041a1adbe82f
SHA256

c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884
SHA512

198932fada52cf3b8b908c634251a252a14e8118950222c490a3249004d6fca78acfdb1e789fbfbfca2425a0365561d7637c4307e1ec201d9bf72c65d0436b3b
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVb:vHW138/iXWlK885rKlGSekcj66ciEb

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2852	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

razeq.exemeboe.exe

pid	Process
2044	razeq.exe
1620	meboe.exe

Loads dropped DLL 2 IoCs

Processes:

c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exerazeq.exe

pid	Process
2476	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe
2044	razeq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

razeq.execmd.exemeboe.exec7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	razeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	meboe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

meboe.exe

pid	Process
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe
1620	meboe.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exerazeq.exe

description	pid	Process	procid_target
PID 2476 wrote to memory of 2044	2476	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	31
PID 2476 wrote to memory of 2044	2476	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	31
PID 2476 wrote to memory of 2044	2476	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	31
PID 2476 wrote to memory of 2044	2476	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	31
PID 2476 wrote to memory of 2852	2476	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	32
PID 2476 wrote to memory of 2852	2476	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	32
PID 2476 wrote to memory of 2852	2476	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	32
PID 2476 wrote to memory of 2852	2476	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	32
PID 2044 wrote to memory of 1620	2044	razeq.exe	35
PID 2044 wrote to memory of 1620	2044	razeq.exe	35
PID 2044 wrote to memory of 1620	2044	razeq.exe	35
PID 2044 wrote to memory of 1620	2044	razeq.exe	35

C:\Users\Admin\AppData\Local\Temp\c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe
"C:\Users\Admin\AppData\Local\Temp\c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\razeq.exe
  "C:\Users\Admin\AppData\Local\Temp\razeq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\meboe.exe
    "C:\Users\Admin\AppData\Local\Temp\meboe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
12cc31e42f61ba51d1ef42b3dfd7dcad

SHA1
feec1c4dd538f7e2a03b9a9edcb2ae38db9b9275

SHA256
640d2e011c0789c0c436c6bd990adc5042a65341afd0d6c14ed099ba24de54ee

SHA512
9c2fa7c203fdf61f1757462a612e45fdc975b651bb3a2c9d7d218400e6f087c01d86ed82b5dc446ec44644de06aad9dc54158695332393463bb7f86eaee8d8ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f35653cab1e6a93641cd261fe1de2529

SHA1
41ec7b623014dbecd6e324b58adc25940b25d007

SHA256
86a93fd520e19f8ed1937fac33d754130cd1d21ad2856ac6edabf8ec0e829e0b

SHA512
f91dfd8658690b5508a201c423432db1597a3a4e4e558ae06b47276ed7aafab2b739df1d1d20570a209c15d816a53ede9df6cfb9e085fff87b9d22ec664749c0

Download Submit
\Users\Admin\AppData\Local\Temp\meboe.exe

Filesize
172KB

MD5
0418edcd041a8ef3e2a8b46745edb289

SHA1
30122e9ff5d5881e79ff326162bc45c503f8541d

SHA256
754543a3320e0d2ec7cbd56e4c179853cfcf1261eada06daa501fe86f21cb5a5

SHA512
7b459f9b378a9a0346e4993ed6d5eb4823c7c3f4b0513ea23f2408b43ac9e62c0d3e86e378638a9de11d0375b83ed5dc514941c764cd52d2e1c39ea440ed30a3

Download Submit
\Users\Admin\AppData\Local\Temp\razeq.exe

Filesize
332KB

MD5
cfb49f4e5719fbb25162faf253f472e7

SHA1
f33a0b8f5142a827d8ed236c7eb2156aeb77f74f

SHA256
05a6755cbc6905ca08af76672174cdc7b1afc897f9ea8b96bb7431ca0a7d2d00

SHA512
da28a690e53eabb3f497c7daa1c4953010ed45552755a446f67579eab86a15e322181765b10c6fb6b557c61d93a61d305759c21e3249fd8c35844d4b883dc7b4

Download Submit
memory/1620-47-0x0000000001210000-0x00000000012A9000-memory.dmp

Filesize
612KB

Download
memory/1620-43-0x0000000001210000-0x00000000012A9000-memory.dmp

Filesize
612KB

Download
memory/1620-51-0x0000000001210000-0x00000000012A9000-memory.dmp

Filesize
612KB

Download
memory/1620-50-0x0000000001210000-0x00000000012A9000-memory.dmp

Filesize
612KB

Download
memory/1620-42-0x0000000001210000-0x00000000012A9000-memory.dmp

Filesize
612KB

Download
memory/1620-49-0x0000000001210000-0x00000000012A9000-memory.dmp

Filesize
612KB

Download
memory/1620-48-0x0000000001210000-0x00000000012A9000-memory.dmp

Filesize
612KB

Download
memory/2044-40-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download
memory/2044-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2044-38-0x0000000003340000-0x00000000033D9000-memory.dmp

Filesize
612KB

Download
memory/2044-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2044-23-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download
memory/2476-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2476-7-0x0000000002310000-0x0000000002391000-memory.dmp

Filesize
516KB

Download
memory/2476-0-0x0000000000D60000-0x0000000000DE1000-memory.dmp

Filesize
516KB

Download
memory/2476-20-0x0000000000D60000-0x0000000000DE1000-memory.dmp

Filesize
516KB

Download