urelas | 5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe
Size

537KB
MD5

d20fee1a424647bee9f78e3942ba37f9
SHA1

a2c0bf2a4ce15eb5a151eadd37a1d51e9e87e3ac
SHA256

5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757
SHA512

9bb9a502cee133b023d26d23e28a1037cb41f896e5c80e7e97f6e78eec42e53dceae1fa7600a9cd0bb9adb73b06f28be6442cb1eaada08de9afff8571a2b0e5f
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPH:q0P/k4lb2wKatH

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
3060	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

pyhad.execyxol.exe

pid	Process
2444	pyhad.exe
1996	cyxol.exe

Loads dropped DLL 2 IoCs

Processes:

5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exepyhad.exe

pid	Process
2560	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe
2444	pyhad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exepyhad.execmd.execyxol.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyhad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyxol.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

cyxol.exe

pid	Process
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe
1996	cyxol.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exepyhad.exe

description	pid	Process	procid_target
PID 2560 wrote to memory of 2444	2560	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	30
PID 2560 wrote to memory of 2444	2560	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	30
PID 2560 wrote to memory of 2444	2560	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	30
PID 2560 wrote to memory of 2444	2560	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	30
PID 2560 wrote to memory of 3060	2560	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	31
PID 2560 wrote to memory of 3060	2560	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	31
PID 2560 wrote to memory of 3060	2560	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	31
PID 2560 wrote to memory of 3060	2560	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	31
PID 2444 wrote to memory of 1996	2444	pyhad.exe	34
PID 2444 wrote to memory of 1996	2444	pyhad.exe	34
PID 2444 wrote to memory of 1996	2444	pyhad.exe	34
PID 2444 wrote to memory of 1996	2444	pyhad.exe	34

C:\Users\Admin\AppData\Local\Temp\5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe
"C:\Users\Admin\AppData\Local\Temp\5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\pyhad.exe
  "C:\Users\Admin\AppData\Local\Temp\pyhad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\cyxol.exe
    "C:\Users\Admin\AppData\Local\Temp\cyxol.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c2eb983e8ced9ab28290b9e78fa44f80

SHA1
051ec107b9b7f56da21bd418b07489c414162000

SHA256
ad3ec2686dea0acd066b44085130ef74ac8fc02ac49452d000045557bade23b8

SHA512
df30a2c2b746442b37e4280e56605b0380a3f98bd0af45abb800f34cfd4fea33ace316131f1be74d0c1dcc720c29b4502d6a897a184ce9c89462b97d5a880332

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bc78446c5f5b65af28672f0618f7a3b2

SHA1
3ab7f788d174e93e3770f83ecdcd5686711e295a

SHA256
3f7cd65fdf4221817668924b2e8bfada7bc1748f99dc08744baf1c9b9fddcb43

SHA512
85aa186ac6f84984d47067b022dc1809dac8857726c274816e6b8ae4634ec3bd722284ebc81714a98897a1a4039ddcb7e5d867f0abc34d1193003af8da9937a7

Download Submit
\Users\Admin\AppData\Local\Temp\cyxol.exe

Filesize
236KB

MD5
20474aec95514637f3624213870a3f81

SHA1
c6ad58e6248a12ba8861575456e3ac1729c3120f

SHA256
70c15a52ce02df2d199b7eaf0a583c5ffc8efbe69b1a73bdc87f045e210ef719

SHA512
ee2658801814428ae60ac0f55aa510c39410d2fd2a4689dbc7a81038e9c72a70c10cd62c11aebaa11c347b536642a300c474b70e0eebd80f29f6dda243edaeb7

Download Submit
\Users\Admin\AppData\Local\Temp\pyhad.exe

Filesize
537KB

MD5
0d5ac4c34279feb84d33dd0ea619c06d

SHA1
3e83c8a9da939228835838aee50c7f440a717a94

SHA256
b43eadd1cc700e4383ef91171636285a8a0dadd2f035baa8a22abf4d6fde6e11

SHA512
5e1971177ecb90bf0b45314c9156b68ddea13fa39d82057e86327bdfd38a45f2c8230b82b2d0eb885d4206219cd8751e1c56bf2cee49e0506f28b6230fa4f9bc

Download Submit
memory/1996-30-0x0000000000FF0000-0x0000000001093000-memory.dmp

Filesize
652KB

Download
memory/1996-36-0x0000000000FF0000-0x0000000001093000-memory.dmp

Filesize
652KB

Download
memory/1996-35-0x0000000000FF0000-0x0000000001093000-memory.dmp

Filesize
652KB

Download
memory/1996-34-0x0000000000FF0000-0x0000000001093000-memory.dmp

Filesize
652KB

Download
memory/1996-33-0x0000000000FF0000-0x0000000001093000-memory.dmp

Filesize
652KB

Download
memory/1996-32-0x0000000000FF0000-0x0000000001093000-memory.dmp

Filesize
652KB

Download
memory/2444-26-0x0000000003AB0000-0x0000000003B53000-memory.dmp

Filesize
652KB

Download
memory/2444-29-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2444-21-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2444-10-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2560-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2560-18-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2560-9-0x0000000002F20000-0x0000000002FAC000-memory.dmp

Filesize
560KB

Download