urelas | 07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe
Size

435KB
MD5

3b201875436ad770fa6c1764993e6f57
SHA1

e38476ddebbb73d84ec738b643e4a4d72f3d8e99
SHA256

07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1
SHA512

d4e49272f5228bc4b6658e53df4a7165511f14082a77163f4ccaeae25007b292a339b6ff82e379f987cad3988916a0cb7e205a99a4db126198409dea97ddf05a
SSDEEP

6144:iEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpvU:iMpASIcWYx2U6hAJQnX

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
3052	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2784	eqdoy.exe
2328	ozahzy.exe
2716	tesio.exe

Loads dropped DLL 3 IoCs

pid	Process
2856	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe
2784	eqdoy.exe
2328	ozahzy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozahzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tesio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eqdoy.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe
2716	tesio.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2784	2856	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe	30
PID 2856 wrote to memory of 2784	2856	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe	30
PID 2856 wrote to memory of 2784	2856	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe	30
PID 2856 wrote to memory of 2784	2856	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe	30
PID 2856 wrote to memory of 3052	2856	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe	31
PID 2856 wrote to memory of 3052	2856	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe	31
PID 2856 wrote to memory of 3052	2856	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe	31
PID 2856 wrote to memory of 3052	2856	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe	31
PID 2784 wrote to memory of 2328	2784	eqdoy.exe	33
PID 2784 wrote to memory of 2328	2784	eqdoy.exe	33
PID 2784 wrote to memory of 2328	2784	eqdoy.exe	33
PID 2784 wrote to memory of 2328	2784	eqdoy.exe	33
PID 2328 wrote to memory of 2716	2328	ozahzy.exe	34
PID 2328 wrote to memory of 2716	2328	ozahzy.exe	34
PID 2328 wrote to memory of 2716	2328	ozahzy.exe	34
PID 2328 wrote to memory of 2716	2328	ozahzy.exe	34
PID 2328 wrote to memory of 368	2328	ozahzy.exe	35
PID 2328 wrote to memory of 368	2328	ozahzy.exe	35
PID 2328 wrote to memory of 368	2328	ozahzy.exe	35
PID 2328 wrote to memory of 368	2328	ozahzy.exe	35

C:\Users\Admin\AppData\Local\Temp\07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe
"C:\Users\Admin\AppData\Local\Temp\07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\eqdoy.exe
  "C:\Users\Admin\AppData\Local\Temp\eqdoy.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\ozahzy.exe
    "C:\Users\Admin\AppData\Local\Temp\ozahzy.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\tesio.exe
      "C:\Users\Admin\AppData\Local\Temp\tesio.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
b9e9d601b11b265e1a3d2be1487441b3

SHA1
6941dc6e1d8480b11ac290e0ef6e0c7df6e7c55d

SHA256
3a9dee0c17e284a24476f786bf619defb669a3fdaae3f91d9e2ce2cdc8cfb8f2

SHA512
db837aed445d3e8d25a13540c11dcda0e5fe8f350d7d1533bfa3fea468f69b90b533500cb756ca11e5b20a8775ee33f9fe71d36966851f318fb68f4e5aa2bef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
f8cfcd38070939252b05141929ed0255

SHA1
ae0aa51b82fbc708849658a0849e18723008725c

SHA256
123427ee56b6c666bdb48005813a84d3f94c1369b6edb10996d2f492e6db3cf8

SHA512
07600c4749cd5f38f149e383d7efe12731a53724772e3b4fde6b84735dde2fb304f8b85613e8d8e55ef1c3debb52f3e7a07a13552b46f928f26eb1beae5fbca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
da014828eedf552d7d027b35cabd9123

SHA1
bfe6b3763006a9002b33552da5a0b4c8699ef9e1

SHA256
a642f4a87016bbd00a1974ec35239fdeea32a48df4149e6ce53c40c7fcb0153b

SHA512
53898c136d0c6ed594df5a8bf6239b2bfddf0609655e63fb0d2f286af0826c03e989026dbb2d7a8e97316a0f76ff45bd188ce498a95d4c66107d7de71b5f5f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozahzy.exe

Filesize
435KB

MD5
b1cef7024aab532983c6808ed444c2bf

SHA1
80735ab9ef5355de8610d8e96e4d0c7a138ccb80

SHA256
374d93ca18b9b8b3c063cf0b4a7cc478040ce11553fe2866758d83fa442f294b

SHA512
0f248cdde71312cbc568b3f15e41093e624defbdef65291fe46c16c23fa4d364976dd3c4a25313793488de1b7d9f2314ccfc6c34cabb2cf5600e5cffab20cf86

Download Submit
\Users\Admin\AppData\Local\Temp\eqdoy.exe

Filesize
435KB

MD5
6a335753ad6d7edb6bdb80110e999b17

SHA1
a14ac429fba9075e8b0575ba27124c9a455cc658

SHA256
56dc4b1ad40d5d0c30039cb0b971f6c9ddca1a0dbff2c76fdd2f49d04156f50b

SHA512
7265c7f1765dd6ce9a00e02e1033ce8367de36b3b859054e8e1b299b292945bee53345c86845645c243790835484cab16b450a9ee5f8dc083e86d27e720f0d64

Download Submit
\Users\Admin\AppData\Local\Temp\tesio.exe

Filesize
223KB

MD5
676d891f63c67b2b6efc77fa2d795abb

SHA1
fb9079af3e5ab3fce3526452fbb89e324791d10f

SHA256
a31cd82c27e5b2ab9d8ccf53b130e7aa57fb31a9785f92750ffefd5d1b62c871

SHA512
4a27ca5bbe0290e03ad9285677cf6339a61d56840042a237ffce44a3cda77cfa71c5d6caf3ac0710fb6e8a2850116e14b879d2dc58844afd687b13c767c4a35f

Download Submit
memory/2328-39-0x00000000038A0000-0x0000000003940000-memory.dmp

Filesize
640KB

Download
memory/2328-48-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2328-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2328-31-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2716-56-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/2716-55-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/2716-54-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/2716-53-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/2716-40-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/2716-52-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/2784-26-0x0000000003020000-0x000000000308E000-memory.dmp

Filesize
440KB

Download
memory/2784-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2784-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2856-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2856-10-0x0000000002630000-0x000000000269E000-memory.dmp

Filesize
440KB

Download
memory/2856-21-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download