urelas | ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe
Size

336KB
MD5

af16791ad664dbfb2e700be33ef6833e
SHA1

200af680d9afd7478405ce73100275eb26dc451b
SHA256

ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb
SHA512

03b59cbff8889d256946b36507d8c460cc74536e76a52ed76c39bdb2b4c7f32d22ce2c33870a521cad376c759a85d6d4b4b08406916b7d566cfd0b3dd2b7c40e
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIrc:vHW138/iXWlK885rKlGSekcj66ci6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2884	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2244	oclib.exe
2856	reihz.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe
2244	oclib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oclib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reihz.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe
2856	reihz.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2244	2012	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	30
PID 2012 wrote to memory of 2244	2012	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	30
PID 2012 wrote to memory of 2244	2012	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	30
PID 2012 wrote to memory of 2244	2012	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	30
PID 2012 wrote to memory of 2884	2012	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	31
PID 2012 wrote to memory of 2884	2012	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	31
PID 2012 wrote to memory of 2884	2012	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	31
PID 2012 wrote to memory of 2884	2012	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	31
PID 2244 wrote to memory of 2856	2244	oclib.exe	34
PID 2244 wrote to memory of 2856	2244	oclib.exe	34
PID 2244 wrote to memory of 2856	2244	oclib.exe	34
PID 2244 wrote to memory of 2856	2244	oclib.exe	34

C:\Users\Admin\AppData\Local\Temp\ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe
"C:\Users\Admin\AppData\Local\Temp\ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\oclib.exe
  "C:\Users\Admin\AppData\Local\Temp\oclib.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\reihz.exe
    "C:\Users\Admin\AppData\Local\Temp\reihz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b4e79e0f794ffabf6e410d4b9d8ab9e2

SHA1
6f8bf0c97b7d39bd1603de5d4132db36ce0b402f

SHA256
4bf337a3b57c15ad8b0975636630e8db677a9c8301a5566dab44a584b1205be2

SHA512
9b955287ecf2d8f385d1235357fada05901cbd75572556d9efc4eb12073d3b7f34f190e53c3c8668db98cb5357f65c4fa2531cad26eaa85bf25011559570ec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
93b904c1db30c8122ee3d62c7277c1e8

SHA1
39f4ee927be38e202a2fbc201e078186d9e537d8

SHA256
f48dd572da0468aea667c2bcc60c393e89e81984a61cea8fa95bacb40637ce51

SHA512
eb230833de699149232b8b60c44ffc62927cd7a159bbf11bc345a0a79f73c409386b8f353ba40e6ea9a5a8a7f57ba8d4f0620625f4b72a1a5c6c371188945a49

Download Submit
\Users\Admin\AppData\Local\Temp\oclib.exe

Filesize
336KB

MD5
1148e71bf4661176df697e7cc9b742e3

SHA1
7e53f3418da6444a34179346fbb477141ae74c6c

SHA256
eae4256ada5c9aed66f66768fe30e277d79725055e2ccf4e2416d0d686b9ed62

SHA512
140155be37acea340194eafc6067c711fb5c1885e1afe1607aaf3522be5f65a74ecfdaf5dab8ea120b8d88351473ce82ac1731260a073efd4263f889d9f69bc4

Download Submit
\Users\Admin\AppData\Local\Temp\reihz.exe

Filesize
172KB

MD5
7de523eda3dee08218fa71b6de1b5f73

SHA1
e8828f695b01fea91b8bb4fe809eeeebfee46191

SHA256
e60b5c3f629acea0d4656ed7037afbe62addb84f653891909193632f7858c9e9

SHA512
d9f6ecfbe4d9df8106caf4853e11a310e19310fe7a19c584dcbd24d5a64e7ad04fe08f27c51f2c196e53c997f4c4f61a9f45e8fcc5a5d2ce1086247d9de54fda

Download Submit
memory/2012-0-0x0000000000240000-0x00000000002C1000-memory.dmp

Filesize
516KB

Download
memory/2012-9-0x0000000002140000-0x00000000021C1000-memory.dmp

Filesize
516KB

Download
memory/2012-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2012-21-0x0000000000240000-0x00000000002C1000-memory.dmp

Filesize
516KB

Download
memory/2244-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2244-24-0x0000000001320000-0x00000000013A1000-memory.dmp

Filesize
516KB

Download
memory/2244-17-0x0000000001320000-0x00000000013A1000-memory.dmp

Filesize
516KB

Download
memory/2244-40-0x0000000001320000-0x00000000013A1000-memory.dmp

Filesize
516KB

Download
memory/2244-38-0x0000000000F40000-0x0000000000FD9000-memory.dmp

Filesize
612KB

Download
memory/2856-42-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/2856-46-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/2856-47-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/2856-48-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/2856-49-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/2856-50-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download