urelas | 0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/01/2025, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe
Size

593KB
MD5

9474fecc38dce4cd41032608f2ceb528
SHA1

8f5ab9143beadf50ac100f9acc972b255f668055
SHA256

0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3
SHA512

db95e17a11b74ee77a8ab15118a39ed677e84d8456c0b2a051592a6428a543ef611abed3c48c975c222332f53b86338080c95b8cec0eca1746cd576dadfdefa6
SSDEEP

6144:CZKHKSIl0SatLPTUrjBpAs/mpYIqaaUN44Iq766ztAkOHn0LHZRF:C4jm0Sat7Az/gZvTIq2WKkw0FT

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2012	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1344	diwyr.exe
2356	uhzyl.exe

Loads dropped DLL 3 IoCs

pid	Process
2244	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe
1344	diwyr.exe
1344	diwyr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diwyr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uhzyl.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe
2356	uhzyl.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1344	2244	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	31
PID 2244 wrote to memory of 1344	2244	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	31
PID 2244 wrote to memory of 1344	2244	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	31
PID 2244 wrote to memory of 1344	2244	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	31
PID 2244 wrote to memory of 2012	2244	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	32
PID 2244 wrote to memory of 2012	2244	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	32
PID 2244 wrote to memory of 2012	2244	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	32
PID 2244 wrote to memory of 2012	2244	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	32
PID 1344 wrote to memory of 2356	1344	diwyr.exe	35
PID 1344 wrote to memory of 2356	1344	diwyr.exe	35
PID 1344 wrote to memory of 2356	1344	diwyr.exe	35
PID 1344 wrote to memory of 2356	1344	diwyr.exe	35

C:\Users\Admin\AppData\Local\Temp\0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe
"C:\Users\Admin\AppData\Local\Temp\0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\diwyr.exe
  "C:\Users\Admin\AppData\Local\Temp\diwyr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\uhzyl.exe
    "C:\Users\Admin\AppData\Local\Temp\uhzyl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b8238cf0c1a9e2cb268143e19df5b714

SHA1
e71395251a8f69a5ce312aa47b2cd4d73576e16f

SHA256
830d361f3d638a7a707d4c3ffdb37cae095102707b4d043f5220a5acae15ba4d

SHA512
d76d26dbf1a107f26adde7f12b8b0a818427ae8fb4bd72f5a9113d3bbb4c26745784dfb8a0a4704f9ff417ea33630d6ae08c88b272a538975baf1147e6132cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\diwyr.exe

Filesize
593KB

MD5
4ff902f0a37d5a21ae36d9c86db8cf9c

SHA1
8bc5683997fdf4efd167381216d415db81215aef

SHA256
d98bceb80ec3ed20cbc5bfd31a1f391a701771233064ba09cd4597c830e66bac

SHA512
d3cbc5ab7a703bc799f74c460ff8f0d6d55556122d8655171ae6a6fc249f6c50462776b8872611fb89e81505264b293fd57e1923daac67329b19fe68bc726486

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5a890b4a596746db9f77009175e849b4

SHA1
a6b58f2f6d8c4bb0f99b0b2913f61fa6bfc76f50

SHA256
3cca24109917c3195aa8a9fb797eee305879b4745346d57f85a5c7b404443701

SHA512
940d58443c87cdbc80dc7044e5153f1b1b00074904cdefafd656ddb78032ff8d0bf2f5b5b9dd5fb940b15e3ca3ac671bc4c48d526f7213428558c0e705444050

Download Submit
\Users\Admin\AppData\Local\Temp\diwyr.exe

Filesize
593KB

MD5
e38e87a08823957f69e37153b81ee4db

SHA1
474a5e3779c069660146cb057a3690e3ea7d44af

SHA256
c34c86473d98358ac75f82488c6b4f569b95176f665d423eb396c36177aaa17d

SHA512
fc41091cda7b021e9cc77731523813ced89464d27b85a3d519d35aaf717b2700e2ca034bc5a2784425c609449fe045599920c7503e8ade953d4f3436c4176451

Download Submit
\Users\Admin\AppData\Local\Temp\uhzyl.exe

Filesize
323KB

MD5
c6d19bef2c655e2d1ecde56d5b852313

SHA1
27d040caa5cce885cfe6771babf778b014d93758

SHA256
5c57ce2d3316a63d61d27d13f3cddeb962cbdbfab577739435c3322a38930a29

SHA512
e044406e1d1687c68e8b0cba37e7a9dbbafb8c8da4d6dd34c7f1dc45976de28c8f052237beb0aeeebb1b626f0987b730f2d2fa3df04289f860f938d9f5bfec20

Download Submit
memory/2244-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2356-30-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2356-29-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2356-32-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2356-33-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2356-34-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2356-35-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2356-36-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download