urelas | 88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe
Size

332KB
MD5

35506475a0a8a4c0429a15340d2fab27
SHA1

35e70cac093ecc3e47a88bcecea97b8b0b893560
SHA256

88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0
SHA512

4b9c4bea129d323f0d637a5fa60d37ca3c6400a5b7463a8b9811455edcb3492982b882178f2af9c5d1af21b397b42dd98d0e82db93ac6e09097bbf11115860db
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVF:vHW138/iXWlK885rKlGSekcj66ciEF

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
840	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

hafyn.exeiztot.exe

pid	Process
904	hafyn.exe
2348	iztot.exe

Loads dropped DLL 2 IoCs

Processes:

88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exehafyn.exe

pid	Process
1556	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe
904	hafyn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exehafyn.execmd.exeiztot.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hafyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iztot.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

iztot.exe

pid	Process
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe
2348	iztot.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exehafyn.exe

description	pid	Process	procid_target
PID 1556 wrote to memory of 904	1556	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe	30
PID 1556 wrote to memory of 904	1556	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe	30
PID 1556 wrote to memory of 904	1556	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe	30
PID 1556 wrote to memory of 904	1556	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe	30
PID 1556 wrote to memory of 840	1556	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe	31
PID 1556 wrote to memory of 840	1556	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe	31
PID 1556 wrote to memory of 840	1556	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe	31
PID 1556 wrote to memory of 840	1556	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe	31
PID 904 wrote to memory of 2348	904	hafyn.exe	34
PID 904 wrote to memory of 2348	904	hafyn.exe	34
PID 904 wrote to memory of 2348	904	hafyn.exe	34
PID 904 wrote to memory of 2348	904	hafyn.exe	34

C:\Users\Admin\AppData\Local\Temp\88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe
"C:\Users\Admin\AppData\Local\Temp\88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\hafyn.exe
  "C:\Users\Admin\AppData\Local\Temp\hafyn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Users\Admin\AppData\Local\Temp\iztot.exe
    "C:\Users\Admin\AppData\Local\Temp\iztot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2cc086749471fe7255e7208554d4f970

SHA1
c4ab504a3f9e5ee49b2980af642944e62e6e24b5

SHA256
846202b2fd88edfa36702254985f6a9b615e322344cf037d995a00d3f80d3834

SHA512
4e16ee830a363522fc85f000adcc977a003e00224f8793244c8145bb6b330d4edd3b5a51eaa8dae1d99644a41f92206405284dd4a196edeec3a7343051289de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d9cc8296375cd4d7063918dd80300538

SHA1
1bdafd7bc0dcd64076325f476365f0ca4904e409

SHA256
d5b126813c4ca086ff3f6bd3c2bafcca70b2f750e203a8f02960d070fd378c95

SHA512
780ecee55569ae8301212275fa85f03cd86c5edb16aa316429c3767035ad1ea0df21e7377470ea0e11695d5d28c322de874f9bad2e438cf707fdff86faa29c4c

Download Submit
\Users\Admin\AppData\Local\Temp\hafyn.exe

Filesize
332KB

MD5
a983f73c1ebc8ca21f7251215e66c12c

SHA1
d757c492850caa91924696228d4ceca2bc80d62c

SHA256
010a6540d7fe4fb448a21d62c543f8688aeabb90452835ef79b33470e3e3dc0f

SHA512
8c13d56f21a020f32574ca8bf456960a28aaa50ac5773d201c37aa1eff19c380fb6ab4eefa9c034e6774f1921b92bd0c25b7f92bd9fdc5ed49cea09077c4f0fd

Download Submit
\Users\Admin\AppData\Local\Temp\iztot.exe

Filesize
172KB

MD5
c684ca4eb643f2407235009f5f2fdbfa

SHA1
3944a3e1572c290a5cfbd36591d5d0208e752ed4

SHA256
9220fa2645e37c65e3fd9945a952b135c4005c290b0804965fd7d63c629efe9c

SHA512
9ea12f2b56b6c79ee1306423832b813fd7e0cf5219a1b2bafacd5e3146135f23f3a540778a3b413769c280896d86df26df66da86c3f976678514ca643c3c0d4f

Download Submit
memory/904-17-0x0000000000B60000-0x0000000000BE1000-memory.dmp

Filesize
516KB

Download
memory/904-24-0x0000000000B60000-0x0000000000BE1000-memory.dmp

Filesize
516KB

Download
memory/904-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/904-40-0x0000000003F90000-0x0000000004029000-memory.dmp

Filesize
612KB

Download
memory/904-39-0x0000000000B60000-0x0000000000BE1000-memory.dmp

Filesize
516KB

Download
memory/1556-7-0x0000000002640000-0x00000000026C1000-memory.dmp

Filesize
516KB

Download
memory/1556-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1556-0-0x0000000000820000-0x00000000008A1000-memory.dmp

Filesize
516KB

Download
memory/1556-21-0x0000000000820000-0x00000000008A1000-memory.dmp

Filesize
516KB

Download
memory/2348-42-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/2348-43-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/2348-47-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/2348-48-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/2348-49-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/2348-50-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/2348-51-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download