urelas | 9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
Size

348KB
MD5

a89691f3add0a3fa328f60dacbb8e2aa
SHA1

a3fcdd5e991e835f7956c6ef5b30bb9c7f59b8a1
SHA256

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4
SHA512

409ad5f9e81d11f26b543611e327b1575589568bd6cebe568b3ff379f1361221a1e4a3925ecbe1ea51628d06d702309e6aa6c2182eb2100b340a8a1ef6e5e8fd
SSDEEP

6144:8/bE5G5KiR0J0dCsnGb/6VOpLc91WlvhDSNZ5c:g0G5obGGraOpUWlpZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2552	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

coezx.exetocixo.exeezhog.exe

pid	Process
2564	coezx.exe
2616	tocixo.exe
2324	ezhog.exe

Loads dropped DLL 6 IoCs

Processes:

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.execoezx.exetocixo.exe

pid	Process
2032	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
2032	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
2564	coezx.exe
2564	coezx.exe
2616	tocixo.exe
2616	tocixo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ezhog.execmd.exe9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.execoezx.exetocixo.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ezhog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coezx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tocixo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

ezhog.exe

pid	Process
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe
2324	ezhog.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.execoezx.exetocixo.exe

description	pid	Process	procid_target
PID 2032 wrote to memory of 2564	2032	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	28
PID 2032 wrote to memory of 2564	2032	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	28
PID 2032 wrote to memory of 2564	2032	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	28
PID 2032 wrote to memory of 2564	2032	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	28
PID 2032 wrote to memory of 2552	2032	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	29
PID 2032 wrote to memory of 2552	2032	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	29
PID 2032 wrote to memory of 2552	2032	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	29
PID 2032 wrote to memory of 2552	2032	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	29
PID 2564 wrote to memory of 2616	2564	coezx.exe	31
PID 2564 wrote to memory of 2616	2564	coezx.exe	31
PID 2564 wrote to memory of 2616	2564	coezx.exe	31
PID 2564 wrote to memory of 2616	2564	coezx.exe	31
PID 2616 wrote to memory of 2324	2616	tocixo.exe	34
PID 2616 wrote to memory of 2324	2616	tocixo.exe	34
PID 2616 wrote to memory of 2324	2616	tocixo.exe	34
PID 2616 wrote to memory of 2324	2616	tocixo.exe	34
PID 2616 wrote to memory of 800	2616	tocixo.exe	35
PID 2616 wrote to memory of 800	2616	tocixo.exe	35
PID 2616 wrote to memory of 800	2616	tocixo.exe	35
PID 2616 wrote to memory of 800	2616	tocixo.exe	35

C:\Users\Admin\AppData\Local\Temp\9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
"C:\Users\Admin\AppData\Local\Temp\9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\coezx.exe
  "C:\Users\Admin\AppData\Local\Temp\coezx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\tocixo.exe
    "C:\Users\Admin\AppData\Local\Temp\tocixo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\ezhog.exe
      "C:\Users\Admin\AppData\Local\Temp\ezhog.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
f2ae8246f3927151f352e04b2e3a603f

SHA1
68b53101d1b8bb79de11eaf3d1926f1d1d25e91b

SHA256
254dc6af7bef48c10c54b6885317e242b65967c2ccffbe6503d5eeaf7caeab65

SHA512
18e5e3f9f1115fe4c1e99453a8a6d9489dd6c42f3c9b09cea599be3cfcc3ab28dd21e4e60af658424ef093a549211d2ad6c1e5ae1809875267cd2f974587e67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
d535edbc0b727a20ee3cbaa60c48e415

SHA1
09b952097b25e1870985b30301905e3757c72d2c

SHA256
b9e6f9c8573788f696fdb5515882062db675da4810a83deee0daddb6225e2df8

SHA512
f6602cfbcfdaa2c87dc25fba9d671d071134cfd073b4f38f1662bf75f5be1d1be92549a1b4f81abff9c98a02ee45217af253905fb870328f9c7f9cbe70a03efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5c11ccc3b43f09df3631a3dc2cf99405

SHA1
7b66abd66e004043e8041bc597db2093bfb35f6a

SHA256
5e00fccf806a0851adb8a0f35fe9159889030b4619294d887dc46663da332f05

SHA512
ef94ae9afe342a3b39ebe4d155d182f5e0899d57cab05824d5106e4151a80bd05e0938b1dc6464ce8cc79c48ab01ecdb654eda0411da42977de4d9de7f000906

Download Submit
\Users\Admin\AppData\Local\Temp\coezx.exe

Filesize
348KB

MD5
e24f0ff597e71a2d544ceb877df754b0

SHA1
f15986732ea2ea326f8b0f0af4d413a1f134a29b

SHA256
d2ac1b782a96ebfe0f4052bda89d96b3595aec8886b9cce0d14a402c2c36e787

SHA512
76c401828ef6dde309dc9d36006250811a031b4569ff328d2449996671c309509e25d70e264340b9d37a15d019a77d8fc57621df35754b923daadfa0d2bcb50e

Download Submit
\Users\Admin\AppData\Local\Temp\ezhog.exe

Filesize
115KB

MD5
c063e61f3fb6af4d6c2ae51c71497148

SHA1
58bba07213758f1477a9effc96a83978f777c591

SHA256
18e76af618da6f2267ca76734763b973a352e440808104758dd60509465111a8

SHA512
11728a389ef514374c5840fc482b5ee74dcd5fb8fe8a7ac05506e387f568602af6edf67eb5f9028dbd00bce9a0d9246db1737ee37688c0d223eb715d284df80e

Download Submit
memory/2032-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2032-23-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2032-11-0x0000000002E10000-0x0000000002E6C000-memory.dmp

Filesize
368KB

Download
memory/2324-61-0x0000000000130000-0x00000000001B2000-memory.dmp

Filesize
520KB

Download
memory/2324-63-0x0000000000130000-0x00000000001B2000-memory.dmp

Filesize
520KB

Download
memory/2324-62-0x0000000000130000-0x00000000001B2000-memory.dmp

Filesize
520KB

Download
memory/2324-58-0x0000000000130000-0x00000000001B2000-memory.dmp

Filesize
520KB

Download
memory/2324-59-0x0000000000130000-0x00000000001B2000-memory.dmp

Filesize
520KB

Download
memory/2324-60-0x0000000000130000-0x00000000001B2000-memory.dmp

Filesize
520KB

Download
memory/2564-31-0x0000000002210000-0x000000000226C000-memory.dmp

Filesize
368KB

Download
memory/2564-34-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2616-35-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2616-55-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2616-41-0x0000000002010000-0x0000000002092000-memory.dmp

Filesize
520KB

Download