urelas | 2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe
Size

327KB
MD5

8683596a79ee62e258067bbadaa4e0b0
SHA1

2804b7a54623958f9feae3720d47cf43d190301c
SHA256

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7
SHA512

776cf6027bfa30d32fb61e54cbed0e9a34a9e20e6645f83cf2e434952a7b9c641410b81ddd816570c41449ce30e90b33b21041d34ba43419526b9ff664fbc97d
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYQ:vHW138/iXWlK885rKlGSekcj66ciR

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2408	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

ofipo.exetedye.exe

pid	Process
2468	ofipo.exe
2224	tedye.exe

Loads dropped DLL 2 IoCs

Processes:

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exeofipo.exe

pid	Process
2500	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe
2468	ofipo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeofipo.exetedye.exe2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofipo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tedye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

tedye.exe

pid	Process
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe
2224	tedye.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exeofipo.exe

description	pid	Process	procid_target
PID 2500 wrote to memory of 2468	2500	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	30
PID 2500 wrote to memory of 2468	2500	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	30
PID 2500 wrote to memory of 2468	2500	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	30
PID 2500 wrote to memory of 2468	2500	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	30
PID 2500 wrote to memory of 2408	2500	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	31
PID 2500 wrote to memory of 2408	2500	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	31
PID 2500 wrote to memory of 2408	2500	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	31
PID 2500 wrote to memory of 2408	2500	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	31
PID 2468 wrote to memory of 2224	2468	ofipo.exe	34
PID 2468 wrote to memory of 2224	2468	ofipo.exe	34
PID 2468 wrote to memory of 2224	2468	ofipo.exe	34
PID 2468 wrote to memory of 2224	2468	ofipo.exe	34

C:\Users\Admin\AppData\Local\Temp\2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe
"C:\Users\Admin\AppData\Local\Temp\2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\ofipo.exe
  "C:\Users\Admin\AppData\Local\Temp\ofipo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\tedye.exe
    "C:\Users\Admin\AppData\Local\Temp\tedye.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8f89209875b68dc7aeabfe4e5d52c438

SHA1
2c9fc8e53f1dbda9a7d4a30f563eec47b2dba870

SHA256
1fbe0b77c72646d6661853e1ed49513eac6cd002259fbc2ccb8a3550f6e79725

SHA512
264828e36193cb454896c4243afd62f27fbd5838903f349ea31998c8de52ec6062f4ae7531d8385613dd01d1f6587d077ac36fa0a9b1a01eb8b7b531346af803

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7fdcc394a2f856c5821ff5f08a00980d

SHA1
9ab25f2de45430d1974db39b76b49486f5aa1b7d

SHA256
13e8d089dd9958e84f0c45df2fda90f360d3e4ecc05682142af283a1e1b8cf2e

SHA512
e0df58d48b5bf3afb9469d643db2ad915ed191a32a28d2d9869815409b460dd86c5263f8fa695d9f325d9b88d1443c7d25497b1be3ae73909431a528ce96aaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofipo.exe

Filesize
327KB

MD5
9c969d36935259ae2916678078ea0727

SHA1
25f2ef7e35ee150597c017c57bac4725a82d272c

SHA256
2e0875ef4e9c64355daf977ca0ee7807e542857bd36322599dc8291e32870340

SHA512
4498565618478ffcd0f6c2fa05b7e0d4a01bc6fc36ba4aa658f13071571718327283c9bf98761efc10a58ab141a53015e473a861c783c1794a265e50d4dc40a5

Download Submit
\Users\Admin\AppData\Local\Temp\ofipo.exe

Filesize
327KB

MD5
cdb8c5690169f4b4cafda90c699cda78

SHA1
ce3656fab2bd56502151b00b7f0bee39f05e0327

SHA256
4bc0edcc6ab510c379d775546b1342d3bd41a26c0497c192651c8a94d6e0f717

SHA512
e7ba4e2d06e54b635e31286eb2d69d433dba593807fa526d6fb0b4349309c79135c1ab23526a84911fb5d382585d8c48b12332094aeae3071f19c92a74e9f742

Download Submit
\Users\Admin\AppData\Local\Temp\tedye.exe

Filesize
172KB

MD5
90411c65389c1e58b93ced2fe05e6238

SHA1
7e3106eba956c0223eccc58700fdcf226b1d3f5b

SHA256
8c9292e644fc85747b67cae345deaa222b186a478c1cdf83b419dcd88e6e7bd7

SHA512
f57b53927310a7a78810ccde11745a3a71c86a172e4ae45dc1b58ffc8e879bb3363752cbe3d248fd70f7bdbeca442c4fa0483c79bc21ec286d82a56e1fe0fa7c

Download Submit
memory/2224-43-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/2224-53-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/2224-52-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/2224-51-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/2224-50-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/2224-49-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/2224-44-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/2468-11-0x0000000000F90000-0x0000000001011000-memory.dmp

Filesize
516KB

Download
memory/2468-40-0x0000000002E50000-0x0000000002EE9000-memory.dmp

Filesize
612KB

Download
memory/2468-42-0x0000000000F90000-0x0000000001011000-memory.dmp

Filesize
516KB

Download
memory/2468-24-0x0000000000F90000-0x0000000001011000-memory.dmp

Filesize
516KB

Download
memory/2468-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2468-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2500-21-0x0000000000A00000-0x0000000000A81000-memory.dmp

Filesize
516KB

Download
memory/2500-9-0x00000000023D0000-0x0000000002451000-memory.dmp

Filesize
516KB

Download
memory/2500-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2500-0-0x0000000000A00000-0x0000000000A81000-memory.dmp

Filesize
516KB

Download