urelas | 04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe
Size

448KB
MD5

1ed68cb1d469c04c1d1c48e84dffd855
SHA1

4f9c195a777ab598b131b45f60b401ff3f5f72aa
SHA256

04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb
SHA512

292b13bf860c98f5ca1ceb2cbaad63680142f5436ed532fd6d5692289678d53fd2766fca3e17a9a236f90a1face2e1b5f646d62ffa166dd59afdd95cc1b744cf
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpomr:PMpASIcWYx2U6hAJQny

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2268	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

urrud.exehohujo.exetihae.exe

pid	Process
2388	urrud.exe
2128	hohujo.exe
3040	tihae.exe

Loads dropped DLL 3 IoCs

Processes:

04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exeurrud.exehohujo.exe

pid	Process
1712	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe
2388	urrud.exe
2128	hohujo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exeurrud.exehohujo.execmd.exetihae.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	urrud.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hohujo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tihae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

tihae.exe

pid	Process
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe
3040	tihae.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exeurrud.exehohujo.exe

description	pid	Process	procid_target
PID 1712 wrote to memory of 2388	1712	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	28
PID 1712 wrote to memory of 2388	1712	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	28
PID 1712 wrote to memory of 2388	1712	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	28
PID 1712 wrote to memory of 2388	1712	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	28
PID 1712 wrote to memory of 2268	1712	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	29
PID 1712 wrote to memory of 2268	1712	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	29
PID 1712 wrote to memory of 2268	1712	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	29
PID 1712 wrote to memory of 2268	1712	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	29
PID 2388 wrote to memory of 2128	2388	urrud.exe	31
PID 2388 wrote to memory of 2128	2388	urrud.exe	31
PID 2388 wrote to memory of 2128	2388	urrud.exe	31
PID 2388 wrote to memory of 2128	2388	urrud.exe	31
PID 2128 wrote to memory of 3040	2128	hohujo.exe	34
PID 2128 wrote to memory of 3040	2128	hohujo.exe	34
PID 2128 wrote to memory of 3040	2128	hohujo.exe	34
PID 2128 wrote to memory of 3040	2128	hohujo.exe	34
PID 2128 wrote to memory of 2444	2128	hohujo.exe	35
PID 2128 wrote to memory of 2444	2128	hohujo.exe	35
PID 2128 wrote to memory of 2444	2128	hohujo.exe	35
PID 2128 wrote to memory of 2444	2128	hohujo.exe	35

C:\Users\Admin\AppData\Local\Temp\04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe
"C:\Users\Admin\AppData\Local\Temp\04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\urrud.exe
  "C:\Users\Admin\AppData\Local\Temp\urrud.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\hohujo.exe
    "C:\Users\Admin\AppData\Local\Temp\hohujo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\tihae.exe
      "C:\Users\Admin\AppData\Local\Temp\tihae.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3040
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
0719ec55cb7b679978eacd06bb5f5cb5

SHA1
7d0d8432dede6a2b53e039d6b9d4d1b014ab46aa

SHA256
9bb74dc5e00b2ce46a41c47bcdbe27320fc1f877f55971bfc7fd3438a857d5e3

SHA512
7ee23835c499637fd0b2c3bc773690e5109e8508e6288441e1861dd3291024bd9b7e5e4d8015955d073947cb81094d5b4fd3275e35273b169609a89b553144a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
173c7e00c5ff72f96cd7dd1211e35f20

SHA1
9ffd2fb45cdac78196d6f149f6c6d1ffeb712f5d

SHA256
b04698989e9231c96a9d5be66f7d644a43e98da61d2e8b557430f9dd4d46cc88

SHA512
e20b3de47904b094734bc5654dc6e59f4374cb37bdb005a229c5ced2a9c945ad8ce66be5a95e86b839894d27ce1e7a0b92df16238cec0598886208ee214f71b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bf1a508aa6fe45850ded68bc34e3fa4e

SHA1
0dc8498c65dc1ff3a1fa9de4fbd74d5a6a542bc2

SHA256
ae0407d2f2f767470c1301405986fdfa38a5bdd3ff104e5cad724e3d880fa6bb

SHA512
88d9289b48c4c7e40ddb18bc720e9fd14c6c115ba90e38c2936b21a7e66cbea0ec1071f890fc68f5d94a8954b5ec82a1ef854a0242ad0edee44aeb5ab22745d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hohujo.exe

Filesize
448KB

MD5
ba37ba71280362e6f498a373844f98e7

SHA1
7b5b6dfa55d591b900e5b3c14796f4707d921ce7

SHA256
b50a063f4fb21ce75c06af5023eec952e3a5ca4dea9a71c2d114e28265332807

SHA512
24efcd4aa7c731a1d61d008825784e0a658523835cc9d3a57f3c70ff6f7926c05c900d93326db1b1c4e3f1ba9f73a17ec3e4c4b42d558a1e39c8f457f362827a

Download Submit
C:\Users\Admin\AppData\Local\Temp\urrud.exe

Filesize
448KB

MD5
d44f0c01e0cb78707aefd272fa29442b

SHA1
f6ce8933f3ecab6f5ab77d621c7e8f2e45aefb39

SHA256
534653cb376e0145fef2d2c8f1336a765985e0d2ac402fd147de40cc3285c12c

SHA512
fd7a142113e21da29302a73c7ed70f1c498858dfc342fed4f78c4527a197763ea809a640c7c6ea7ab4be8bc92b81678330066dfd02008851824cde837b685a71

Download Submit
\Users\Admin\AppData\Local\Temp\tihae.exe

Filesize
223KB

MD5
6b99fbdfaefe9a702f8137b4f0e0e947

SHA1
3b72e642c966e49ff698774799425f9feed09364

SHA256
5b83937dce77b2df47c02f57c2a539ced375f73b1489838f20dc8cd44c95f8f9

SHA512
594edb69688a80971ba6d1b1fb72a2438533dbfeec7660cfd9d74d77f0bc75e0b34da3a37a24c47ad233d71204c30759f40d1cd6d1792dc542ff8b6dcec5a5c6

Download Submit
memory/1712-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1712-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1712-17-0x0000000002730000-0x000000000279E000-memory.dmp

Filesize
440KB

Download
memory/2128-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2128-45-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2128-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2388-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2388-18-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3040-46-0x0000000000F70000-0x0000000001010000-memory.dmp

Filesize
640KB

Download
memory/3040-50-0x0000000000F70000-0x0000000001010000-memory.dmp

Filesize
640KB

Download
memory/3040-51-0x0000000000F70000-0x0000000001010000-memory.dmp

Filesize
640KB

Download
memory/3040-52-0x0000000000F70000-0x0000000001010000-memory.dmp

Filesize
640KB

Download
memory/3040-53-0x0000000000F70000-0x0000000001010000-memory.dmp

Filesize
640KB

Download
memory/3040-54-0x0000000000F70000-0x0000000001010000-memory.dmp

Filesize
640KB

Download