urelas | f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe
Size

441KB
MD5

9e0b301908800e45d47a15d9eebb6fad
SHA1

7b8785b18bd3f5a04488b1c5c4b4a9f7b9593152
SHA256

f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec
SHA512

df5fda3ef654d1587f76d008390cdc0b579bedb61738a8d48c8fee801efab6a8c8d32dc66298a29d1dfcc9b737ae5cb96030a6677c1656f80e55304f2a52fd2d
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjH:oMpASIcWYx2U6hAJQnQ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2204	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

votul.exewazeuz.exeruofi.exe

pid	Process
2256	votul.exe
2652	wazeuz.exe
1580	ruofi.exe

Loads dropped DLL 3 IoCs

Processes:

f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exevotul.exewazeuz.exe

pid	Process
2336	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe
2256	votul.exe
2652	wazeuz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exevotul.execmd.exewazeuz.exeruofi.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	votul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wazeuz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

ruofi.exe

pid	Process
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe
1580	ruofi.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exevotul.exewazeuz.exe

description	pid	Process	procid_target
PID 2336 wrote to memory of 2256	2336	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe	31
PID 2336 wrote to memory of 2256	2336	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe	31
PID 2336 wrote to memory of 2256	2336	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe	31
PID 2336 wrote to memory of 2256	2336	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe	31
PID 2336 wrote to memory of 2204	2336	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe	32
PID 2336 wrote to memory of 2204	2336	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe	32
PID 2336 wrote to memory of 2204	2336	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe	32
PID 2336 wrote to memory of 2204	2336	f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe	32
PID 2256 wrote to memory of 2652	2256	votul.exe	34
PID 2256 wrote to memory of 2652	2256	votul.exe	34
PID 2256 wrote to memory of 2652	2256	votul.exe	34
PID 2256 wrote to memory of 2652	2256	votul.exe	34
PID 2652 wrote to memory of 1580	2652	wazeuz.exe	36
PID 2652 wrote to memory of 1580	2652	wazeuz.exe	36
PID 2652 wrote to memory of 1580	2652	wazeuz.exe	36
PID 2652 wrote to memory of 1580	2652	wazeuz.exe	36
PID 2652 wrote to memory of 1920	2652	wazeuz.exe	37
PID 2652 wrote to memory of 1920	2652	wazeuz.exe	37
PID 2652 wrote to memory of 1920	2652	wazeuz.exe	37
PID 2652 wrote to memory of 1920	2652	wazeuz.exe	37

C:\Users\Admin\AppData\Local\Temp\f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe
"C:\Users\Admin\AppData\Local\Temp\f2b8bc38e00041653286540956d5ca8d8532fbc1617ef38d7fe6bed514d054ec.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\votul.exe
  "C:\Users\Admin\AppData\Local\Temp\votul.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\wazeuz.exe
    "C:\Users\Admin\AppData\Local\Temp\wazeuz.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\ruofi.exe
      "C:\Users\Admin\AppData\Local\Temp\ruofi.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
897ae547cc18c1605a33dd34f0e827d5

SHA1
a350ab98a6e97edb382e58f76fc47ebe239abd20

SHA256
8a056a1ef5e8816d0451d43482728ce80fc997a4ba9357004b86788c86d54bf8

SHA512
7e3bbc21d9a75918854552d743c842ae3ca5a49257e57faa07273546db1ea4d3edd82d9f0baac2f01d2f772e22f9553d8509e6067ed7bd4745c4c663ea2705a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
fe75f72ff98c72906d85d2d1d4145fc1

SHA1
5dc0c5eb6a85a39836d76a2342acc447cdadf2dd

SHA256
82ceaff4e8e53865e1302310bb38824674d47001d8de795b1823455ee461f94b

SHA512
932254a1dc72457c75e054d3299e8bdf22dddd234bbb65dcfe70ff5600c0997869a0ae31e7775e066627ad5f30e010d3eae38b3919add3d6be7c53ae9c378bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a41efc737fd0fdf11b9f9e9e1fcecfe5

SHA1
6717a74ea209ae849659cf8f13e0864ff14230db

SHA256
3bb595890a2e6013fd7eee5ba1bc44ef4dfc9c27803c3a5f9a68fe9beef2d55f

SHA512
34a89c7c40259aa1e0fac5352f55524f5b77cae780840461deb4e8324c6db165f6942876dedc5a6c05f7ec0120a1ea4597c1671518a849e60882e2871bc5ce9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruofi.exe

Filesize
223KB

MD5
48d007c5cde50b5b709eb13730f07002

SHA1
12fdec718f737668913478a68cff1f90401e364e

SHA256
8da32d903b3ffca9acd3dc53435b6cbcc9b817bf751664740a7a80920d643515

SHA512
f631edc2b6e738ee582d56beeeb1a28ef1fcab0e666567ebcb9ac9b7b093a7a2932e84d804582f6fe4181a9edfe2724ba6834a640db4360caa07d15596416dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\wazeuz.exe

Filesize
441KB

MD5
b600449742a2020da900f26b7cc0e6de

SHA1
7cae9f8cc2d803967d674a238b522a29938c7448

SHA256
afb38a68815e2a7411db682b57451ad209e1d0726f6ff8e20a2575164453aca5

SHA512
3633bbcef355fbf797c08a53926d260b835600c094120b928f703118708f0e6b7072605a369574a96708c3678ff04a31e91ac821ce71d3f86bca18dca6d5b958

Download Submit
\Users\Admin\AppData\Local\Temp\votul.exe

Filesize
441KB

MD5
790c2bacd78f3d1867e1814ee4c18c9f

SHA1
fe47875dbfed29159d7af59004e976316b9cc2ac

SHA256
8d41cf501e87eef93b107b6f90babfb0963335a53881dafb94da12200bba73c0

SHA512
5ba1a3627fdcdb7db6686ea1718c6771ff40463c6c90e1c32b500624ca37b529011bf6c795a82bedd96a49d9d49b261672dc9fbc1add4c54eae4f4eb846ae829

Download Submit
memory/1580-38-0x00000000003A0000-0x0000000000440000-memory.dmp

Filesize
640KB

Download
memory/1580-54-0x00000000003A0000-0x0000000000440000-memory.dmp

Filesize
640KB

Download
memory/1580-53-0x00000000003A0000-0x0000000000440000-memory.dmp

Filesize
640KB

Download
memory/1580-52-0x00000000003A0000-0x0000000000440000-memory.dmp

Filesize
640KB

Download
memory/1580-51-0x00000000003A0000-0x0000000000440000-memory.dmp

Filesize
640KB

Download
memory/1580-50-0x00000000003A0000-0x0000000000440000-memory.dmp

Filesize
640KB

Download
memory/2256-27-0x0000000002270000-0x00000000022DE000-memory.dmp

Filesize
440KB

Download
memory/2256-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2336-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2336-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2652-46-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2652-36-0x0000000003B90000-0x0000000003C30000-memory.dmp

Filesize
640KB

Download
memory/2652-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2652-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download