urelas | 8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05/12/2024, 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
Size

334KB
MD5

eb2d3d257b3049fc2300c2a67cb9033b
SHA1

92ddb111ebc3424ddb8d4a9a62d2b4d429d26bde
SHA256

8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999
SHA512

2cfdf39cdcfcbdb2bd6a909fe2d0228af9b0028b684053cbe1280df36914a557f22d05383ef4839b9845cb6940cffacae2aee830c9e393a006aadaaf2faecffe
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYI2:vHW138/iXWlK885rKlGSekcj66ci0

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2228	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2528	omfox.exe
1948	zusyw.exe

Loads dropped DLL 2 IoCs

pid	Process
2280	8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
2528	omfox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omfox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zusyw.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe
1948	zusyw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2528	2280	8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe	30
PID 2280 wrote to memory of 2528	2280	8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe	30
PID 2280 wrote to memory of 2528	2280	8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe	30
PID 2280 wrote to memory of 2528	2280	8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe	30
PID 2280 wrote to memory of 2228	2280	8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe	31
PID 2280 wrote to memory of 2228	2280	8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe	31
PID 2280 wrote to memory of 2228	2280	8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe	31
PID 2280 wrote to memory of 2228	2280	8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe	31
PID 2528 wrote to memory of 1948	2528	omfox.exe	34
PID 2528 wrote to memory of 1948	2528	omfox.exe	34
PID 2528 wrote to memory of 1948	2528	omfox.exe	34
PID 2528 wrote to memory of 1948	2528	omfox.exe	34

C:\Users\Admin\AppData\Local\Temp\8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
"C:\Users\Admin\AppData\Local\Temp\8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\omfox.exe
  "C:\Users\Admin\AppData\Local\Temp\omfox.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\zusyw.exe
    "C:\Users\Admin\AppData\Local\Temp\zusyw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
aea786f52d02e1baedf975956521428e

SHA1
c90aa68f34b0a178efa7e236ba1ea0f8acebcebb

SHA256
c3f8bd8b4e1f9d029294857059a46a58ea0770aaf56ffe80d2ac4aadd5fc11c0

SHA512
f10db91b5572b738e4ecf2c48a6cadf90817635563ab756b83732c4d9fcd958fc6198f3cde764ff4a25a7076799ead4dfe10c82468ced3a28cc6e3122b4f32fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9a28693880857f378c5fc8b4eeac6c98

SHA1
f007587a07a03541181ca64a99fd2ca673ab0d25

SHA256
780bc11394c3634fc9eb88253acf7e9af9495377eee6b3f2b7e94461647c88b3

SHA512
9b3085fde0ad1284d86ac57c343a392f2afe06d90a5ee093105c19042acfa60aab559e582b10622a326498db60abc70eaa6f4358ad45a86b939308f3eb8b3d9a

Download Submit
\Users\Admin\AppData\Local\Temp\omfox.exe

Filesize
334KB

MD5
64403b6f699ef0d027ad051bf28976b5

SHA1
d3e5ab1929c88be1565622b16ea92f881a4cc50c

SHA256
37c756520f85b8345e37850930439430368fc61ede8d935c96abe4c154c928bf

SHA512
45814238f75cf61ab0a13136ee12d35d2d81e6491aa388d30492b0918511e5ab09b2e74f9c6f6695a16cad0706a8e3e382c1417b72d33bb2331259e0dd22d3eb

Download Submit
\Users\Admin\AppData\Local\Temp\zusyw.exe

Filesize
172KB

MD5
24c5c4f1eeed7f39fdc6727dc0e8c06d

SHA1
40e30189dcd6c178df756b3c882471bc419bc392

SHA256
05443f984f2b6bfb584dc5ef8155127996c68a7524f8d52e80c5ac07c2574b2a

SHA512
8e44685befb0a7ef6b7087e96659b149728f8c52a833ee0111ce126ad9bca866f2fad28780a0dad14b63170499ea2cfcb6e131accd3fbfd6f5d376d3ca028e3f

Download Submit
memory/1948-49-0x00000000010C0000-0x0000000001159000-memory.dmp

Filesize
612KB

Download
memory/1948-46-0x00000000010C0000-0x0000000001159000-memory.dmp

Filesize
612KB

Download
memory/1948-47-0x00000000010C0000-0x0000000001159000-memory.dmp

Filesize
612KB

Download
memory/1948-50-0x00000000010C0000-0x0000000001159000-memory.dmp

Filesize
612KB

Download
memory/1948-42-0x00000000010C0000-0x0000000001159000-memory.dmp

Filesize
612KB

Download
memory/1948-48-0x00000000010C0000-0x0000000001159000-memory.dmp

Filesize
612KB

Download
memory/1948-41-0x00000000010C0000-0x0000000001159000-memory.dmp

Filesize
612KB

Download
memory/2280-6-0x00000000029C0000-0x0000000002A41000-memory.dmp

Filesize
516KB

Download
memory/2280-0-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/2280-20-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/2280-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2528-23-0x0000000000D00000-0x0000000000D81000-memory.dmp

Filesize
516KB

Download
memory/2528-38-0x0000000002440000-0x00000000024D9000-memory.dmp

Filesize
612KB

Download
memory/2528-39-0x0000000000D00000-0x0000000000D81000-memory.dmp

Filesize
516KB

Download
memory/2528-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download