urelas | e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
Size

440KB
MD5

a40cb26479ed7aa42946772c7b2e7021
SHA1

b768c64e7ba1bb171ac3d0acf1a43390f1d214bf
SHA256

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0
SHA512

d60f24ca50d22575a1fdd28636ea6238e5da657a6a9d4ea07eb2a117eef59e4bbe7c442ff9318feeb534779cc6f37a9e743d18eb54b21ed2bd0eeab67c046f22
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjP:oMpASIcWYx2U6hAJQng

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2356	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

ofcys.exefuacpi.exeepbii.exe

pid	Process
1852	ofcys.exe
2500	fuacpi.exe
1912	epbii.exe

Loads dropped DLL 3 IoCs

Processes:

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exeofcys.exefuacpi.exe

pid	Process
2568	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
1852	ofcys.exe
2500	fuacpi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exeofcys.exefuacpi.execmd.exeepbii.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofcys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuacpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epbii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

epbii.exe

pid	Process
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe
1912	epbii.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exeofcys.exefuacpi.exe

description	pid	Process	procid_target
PID 2568 wrote to memory of 1852	2568	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	30
PID 2568 wrote to memory of 1852	2568	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	30
PID 2568 wrote to memory of 1852	2568	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	30
PID 2568 wrote to memory of 1852	2568	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	30
PID 2568 wrote to memory of 2356	2568	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	31
PID 2568 wrote to memory of 2356	2568	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	31
PID 2568 wrote to memory of 2356	2568	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	31
PID 2568 wrote to memory of 2356	2568	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	31
PID 1852 wrote to memory of 2500	1852	ofcys.exe	33
PID 1852 wrote to memory of 2500	1852	ofcys.exe	33
PID 1852 wrote to memory of 2500	1852	ofcys.exe	33
PID 1852 wrote to memory of 2500	1852	ofcys.exe	33
PID 2500 wrote to memory of 1912	2500	fuacpi.exe	35
PID 2500 wrote to memory of 1912	2500	fuacpi.exe	35
PID 2500 wrote to memory of 1912	2500	fuacpi.exe	35
PID 2500 wrote to memory of 1912	2500	fuacpi.exe	35
PID 2500 wrote to memory of 2956	2500	fuacpi.exe	36
PID 2500 wrote to memory of 2956	2500	fuacpi.exe	36
PID 2500 wrote to memory of 2956	2500	fuacpi.exe	36
PID 2500 wrote to memory of 2956	2500	fuacpi.exe	36

C:\Users\Admin\AppData\Local\Temp\e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
"C:\Users\Admin\AppData\Local\Temp\e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\ofcys.exe
  "C:\Users\Admin\AppData\Local\Temp\ofcys.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\fuacpi.exe
    "C:\Users\Admin\AppData\Local\Temp\fuacpi.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\epbii.exe
      "C:\Users\Admin\AppData\Local\Temp\epbii.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
b23730e95b71c653c3d0a3bea8724c5d

SHA1
b13f909a42dc9d13082f543aef1e53adaad821f3

SHA256
e1f01373c6afddad4b3ba7a3c78e2e0e09147366cf7708d28e3daae5cc2cfcc0

SHA512
e4bdecdfb3df8b3f168f6381e8abfa618bd517ab3cdc549c16bf22b68baf2827dd4322012e57978869298cd03f8ac4c8401015e4bade9fc31b4c19aafed6dc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
7ada69ef93df168f2dfd09b6baea0330

SHA1
564a9a2b577ee28fc233b83ca2bde6c66805a1e3

SHA256
a6cee044f4100f5b651e869859779b5d09ea6138d3cbe0a9ae712831c488019e

SHA512
606e9cd22ee9ae389746feb4a2b2c481da9c6db1ec2f18e87c15960f0ec892986f22736c6b195b9b1bd5fd00c3aed0c234485d444f852584c2d7596cfe287e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuacpi.exe

Filesize
440KB

MD5
65d4f1a4b454eed0d1630b189cfabbc1

SHA1
c2c06a143cc3f68d4031f8a42a1da3003344dc55

SHA256
eac982ce298b5f01382ceb10a2bd4f6f16856fa4bd0dd98f02cefc399b866f62

SHA512
d1413fd3d5f9269d4c014d95c96bb30ea4b9b49da07acd0a5e4a8f0123efe1c719d88efe0eff37c1d6b1183dd3137531cfe37222d1d3d0896859564692153fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
aa18d7a638bd1e2075624db51b98bf5a

SHA1
027f3443e55bf745830c381c2757b8f481a890bd

SHA256
6117b85c5b3fd6959db09d32c7f582410cbd0d7751bbfdcbce88116dca2b8d81

SHA512
d72933e53ced63636d482491494ac33c37ff1327a59aec41675a38e47286c1efb5545bdc0cb93293f3d2cf89549926dff3b34056374daca8dac48ae77aa3eea2

Download Submit
\Users\Admin\AppData\Local\Temp\epbii.exe

Filesize
223KB

MD5
af527412c73b25bf52cc4a44aaf63bf7

SHA1
bdfad463199f5589ab24dd1f3a6950d62b549808

SHA256
cac95feb63b7c0e202b38a37683297af1648fae25b80c2668596d1f726002b58

SHA512
f95fddd46131d5b6dab78a6442ee3eb02f8e81b05f717d36187561fc668b2d85756911ad4cd4217a4dad0d28d7a2248023ea969802d32de1fa545e6c23b56285

Download Submit
\Users\Admin\AppData\Local\Temp\ofcys.exe

Filesize
440KB

MD5
85f328ca21a581e540c39a3e1636b83e

SHA1
a95e162cb6a7c358eccaf6fa90e760a3ea66b04e

SHA256
cbd1fab7384a5940c9d6006ac1b3fdc814dd1f0e9474e8f4c07472d1463bab33

SHA512
f918f4fc10869f2d5b1fde75954a01824c2df71d3a0bc4d443046c8177143784cf8d9c3b9dc6c1dd4ce43862fac2be800feaccb3ae2fc75690eb8e3a5a952794

Download Submit
memory/1852-17-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1852-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1912-50-0x0000000000F10000-0x0000000000FB0000-memory.dmp

Filesize
640KB

Download
memory/1912-46-0x0000000000F10000-0x0000000000FB0000-memory.dmp

Filesize
640KB

Download
memory/1912-51-0x0000000000F10000-0x0000000000FB0000-memory.dmp

Filesize
640KB

Download
memory/1912-52-0x0000000000F10000-0x0000000000FB0000-memory.dmp

Filesize
640KB

Download
memory/1912-53-0x0000000000F10000-0x0000000000FB0000-memory.dmp

Filesize
640KB

Download
memory/1912-54-0x0000000000F10000-0x0000000000FB0000-memory.dmp

Filesize
640KB

Download
memory/2500-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2500-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2500-44-0x0000000003090000-0x0000000003130000-memory.dmp

Filesize
640KB

Download
memory/2500-43-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2568-20-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2568-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download