urelas | 8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038

Analysis

max time kernel
149s
max time network
77s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe
Size

331KB
MD5

9f78b4660bf589e6368eca545febc800
SHA1

edb884285f8a54ac6ba85d3e7204b3425e1eadfb
SHA256

8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038
SHA512

aad9405ef2f393d6ab62e0e09c97d1cd2a27fb1ed028a4dc154c2403529d6fce8a5f1a8acad7acb3aaff9ceb5dfe021bea27d4042269fb7c0b6604fbe99222e2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVJG:vHW138/iXWlK885rKlGSekcj66ciEQ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2876	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

soaht.execyzer.exe

pid	Process
2952	soaht.exe
2000	cyzer.exe

Loads dropped DLL 2 IoCs

Processes:

8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exesoaht.exe

pid	Process
2604	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe
2952	soaht.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

soaht.execmd.execyzer.exe8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soaht.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyzer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

cyzer.exe

pid	Process
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe
2000	cyzer.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exesoaht.exe

description	pid	Process	procid_target
PID 2604 wrote to memory of 2952	2604	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	29
PID 2604 wrote to memory of 2952	2604	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	29
PID 2604 wrote to memory of 2952	2604	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	29
PID 2604 wrote to memory of 2952	2604	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	29
PID 2604 wrote to memory of 2876	2604	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	30
PID 2604 wrote to memory of 2876	2604	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	30
PID 2604 wrote to memory of 2876	2604	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	30
PID 2604 wrote to memory of 2876	2604	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	30
PID 2952 wrote to memory of 2000	2952	soaht.exe	32
PID 2952 wrote to memory of 2000	2952	soaht.exe	32
PID 2952 wrote to memory of 2000	2952	soaht.exe	32
PID 2952 wrote to memory of 2000	2952	soaht.exe	32

C:\Users\Admin\AppData\Local\Temp\8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe
"C:\Users\Admin\AppData\Local\Temp\8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\soaht.exe
  "C:\Users\Admin\AppData\Local\Temp\soaht.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\cyzer.exe
    "C:\Users\Admin\AppData\Local\Temp\cyzer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
cce5db9a9c3927a00964efd0d09ee9fb

SHA1
2ecbcdb5b55724f97823b0585acb44c5d45afd24

SHA256
5a7d5053843c15912e8092a229ab9243d7859c365454769b3a7203fc1c45ce29

SHA512
17c1da65199112e71fea987b160560836348d55e401706195ac958d5a2994b19900aaa8d13895f2601bc76c05dd610fd7659be5a8eadbb760f3c9f42b7a52f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c80339e41f18a87b7e31fcc2c4d983a5

SHA1
aaf653e83deec70459873ba4dc9ed3716a65e8a9

SHA256
9d670df374de0a0f60ac1c963c808a9db298f884c5361525820dd8e107ad01aa

SHA512
c630da7eda35a30ff855de8943066b0756ac6937011bb88d7bc6c6f7387d5a924d3fa88ab1f79c7667df8bfe42238450f5d245ad71987736123737d02aa8f8bf

Download Submit
\Users\Admin\AppData\Local\Temp\cyzer.exe

Filesize
172KB

MD5
ca2f2595d2b203e8d230df72a997a3db

SHA1
adca24dfb4dd53edcf9e14d7bd731e7d73122ec7

SHA256
4c20b951db33cfae5c290a1f6a99cbbb0bf90dad04beb5da17b72769dc114bad

SHA512
0f29a5604e68034ae7f31fbbe88cc96095cc27d5e8be78da52529ce5002dc8bbccf8742134e7b982036d3710db54b772c1781d92b2a248d9c9caf2f517653414

Download Submit
\Users\Admin\AppData\Local\Temp\soaht.exe

Filesize
331KB

MD5
e961df1cc6fa5decad5feede44500a45

SHA1
76e86f4c9991fcaf0ff1330932efd636f58a136b

SHA256
1f7637bd6dd3da82a8c76ab3099c3dff4dbb64ea6918e82c1daf741422e31c01

SHA512
b3a71a8a6316f2169630d73b00f3ac8a25d67cc610d033b190060fdbfdf0060d6866a705c0fcbf8a6913526bed6e95dfa855c8a856f4fde7f1f1a3baab252a07

Download Submit
memory/2000-47-0x0000000001210000-0x00000000012A9000-memory.dmp

Filesize
612KB

Download
memory/2000-51-0x0000000001210000-0x00000000012A9000-memory.dmp

Filesize
612KB

Download
memory/2000-50-0x0000000001210000-0x00000000012A9000-memory.dmp

Filesize
612KB

Download
memory/2000-49-0x0000000001210000-0x00000000012A9000-memory.dmp

Filesize
612KB

Download
memory/2000-43-0x0000000001210000-0x00000000012A9000-memory.dmp

Filesize
612KB

Download
memory/2000-42-0x0000000001210000-0x00000000012A9000-memory.dmp

Filesize
612KB

Download
memory/2000-48-0x0000000001210000-0x00000000012A9000-memory.dmp

Filesize
612KB

Download
memory/2604-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2604-9-0x0000000000B60000-0x0000000000BE1000-memory.dmp

Filesize
516KB

Download
memory/2604-21-0x0000000000C30000-0x0000000000CB1000-memory.dmp

Filesize
516KB

Download
memory/2604-0-0x0000000000C30000-0x0000000000CB1000-memory.dmp

Filesize
516KB

Download
memory/2952-11-0x0000000000BC0000-0x0000000000C41000-memory.dmp

Filesize
516KB

Download
memory/2952-41-0x0000000000BC0000-0x0000000000C41000-memory.dmp

Filesize
516KB

Download
memory/2952-37-0x00000000033D0000-0x0000000003469000-memory.dmp

Filesize
612KB

Download
memory/2952-24-0x0000000000BC0000-0x0000000000C41000-memory.dmp

Filesize
516KB

Download
memory/2952-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download