urelas | 187309a5c2f9168be920d8fc8a7b4571e602b353ed2e3f452b6d44eb5faa623c

Analysis

max time kernel
146s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1356e57384c45056adf364518af0aa07.exe
Size

1.1MB
MD5

1356e57384c45056adf364518af0aa07
SHA1

b48c3d22c8648ab88ba7cb5ac6dc64b3025b325d
SHA256

187309a5c2f9168be920d8fc8a7b4571e602b353ed2e3f452b6d44eb5faa623c
SHA512

4bfc6199ffb9febb653be528a8d550cf3ef3907dfcb312c85e7caa649a64b731b7c1ffb131c4cae5e7a74fe62b10aa401c487a3870e2261dd637b67acad34bd0
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5Yb:tcykpY5852j6aJGl5cqBk

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2840	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2876	paucu.exe
2600	ilneru.exe
2000	ekpiu.exe

Loads dropped DLL 5 IoCs

pid	Process
1220	1356e57384c45056adf364518af0aa07.exe
1220	1356e57384c45056adf364518af0aa07.exe
2876	paucu.exe
2876	paucu.exe
2600	ilneru.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0002000000010f1d-40.dat	upx
behavioral1/memory/2000-54-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2600-44-0x0000000003B60000-0x0000000003CF9000-memory.dmp	upx
behavioral1/memory/2000-59-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2000	ekpiu.exe
2000	ekpiu.exe
2000	ekpiu.exe
2000	ekpiu.exe
2000	ekpiu.exe
2000	ekpiu.exe
2000	ekpiu.exe
2000	ekpiu.exe
2000	ekpiu.exe
2000	ekpiu.exe
2000	ekpiu.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2876	1220	1356e57384c45056adf364518af0aa07.exe	31
PID 1220 wrote to memory of 2876	1220	1356e57384c45056adf364518af0aa07.exe	31
PID 1220 wrote to memory of 2876	1220	1356e57384c45056adf364518af0aa07.exe	31
PID 1220 wrote to memory of 2876	1220	1356e57384c45056adf364518af0aa07.exe	31
PID 1220 wrote to memory of 2840	1220	1356e57384c45056adf364518af0aa07.exe	30
PID 1220 wrote to memory of 2840	1220	1356e57384c45056adf364518af0aa07.exe	30
PID 1220 wrote to memory of 2840	1220	1356e57384c45056adf364518af0aa07.exe	30
PID 1220 wrote to memory of 2840	1220	1356e57384c45056adf364518af0aa07.exe	30
PID 2876 wrote to memory of 2600	2876	paucu.exe	29
PID 2876 wrote to memory of 2600	2876	paucu.exe	29
PID 2876 wrote to memory of 2600	2876	paucu.exe	29
PID 2876 wrote to memory of 2600	2876	paucu.exe	29
PID 2600 wrote to memory of 2000	2600	ilneru.exe	34
PID 2600 wrote to memory of 2000	2600	ilneru.exe	34
PID 2600 wrote to memory of 2000	2600	ilneru.exe	34
PID 2600 wrote to memory of 2000	2600	ilneru.exe	34
PID 2600 wrote to memory of 268	2600	ilneru.exe	35
PID 2600 wrote to memory of 268	2600	ilneru.exe	35
PID 2600 wrote to memory of 268	2600	ilneru.exe	35
PID 2600 wrote to memory of 268	2600	ilneru.exe	35

C:\Users\Admin\AppData\Local\Temp\1356e57384c45056adf364518af0aa07.exe
"C:\Users\Admin\AppData\Local\Temp\1356e57384c45056adf364518af0aa07.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\paucu.exe
  "C:\Users\Admin\AppData\Local\Temp\paucu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2876

C:\Users\Admin\AppData\Local\Temp\ilneru.exe
"C:\Users\Admin\AppData\Local\Temp\ilneru.exe" OK
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Local\Temp\ekpiu.exe
  "C:\Users\Admin\AppData\Local\Temp\ekpiu.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
276B

MD5
eb79fcd56124ea72d9d372cca8766cc5

SHA1
6d42dbacf2eb7786e02cdd5f3bf45cb5eea8f8bc

SHA256
0158a4c235772648bc1b94e2d83a663e334ad1e460f2b1ce97b263e5a2e05830

SHA512
6607b5b72b293e998aa95494a2ee382d0e78d9f8de6f856732e14791ce9fa26d28d20f4eced7d942f08584967cf319ab3084f734d5432046ea9db9ad1200fe56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
1d83bb8c09b60b7a8a04b5a4e522e18b

SHA1
e6136c4ba0fe7a13b7c2610b380afbef8c4cb069

SHA256
99c493bf8334783f0e8d22ea190c34dc7cd4eb77bc175898c358ad2db8ac1c5a

SHA512
884accd76bbc0a539c97b8db01c9ad438152dde0c68178bd84953e75a5a11ab91d7d73cdbcd0022f5c5fc9040f814084d7ae10014ba12b3de542ad54b2884537

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6fe7b52a02b97cd5af6b01adc0ba9fac

SHA1
845044ffade9bca4123a8ed18a46f7670cca852b

SHA256
0af9f42f548e1a1ce02ce34dc367f708c8e205277bd828332190ad68a2ef1c80

SHA512
2f29b21025d5c962f05ee7448af856e0d172ed4ba3950a224d930a7eba4ae1ae4000834099f5b0eb78be244a65363eb74d963dd15a2f94e5867dc438058daffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ilneru.exe

Filesize
107KB

MD5
ed2e9af54a8504c1f06a12891b13e636

SHA1
6138c190699123c1cb439029bf2678358d2a5832

SHA256
9036257aba074828d5c795ff489d0085270d76f5502d5c6027a68d570df0f3bb

SHA512
280e804ad03a95adf9efde16c57699e0b12543b71a69ee6a25cb5d295d98cd07f60a31d45fbb9acc137c0aca65cd814afd3409593d08f0bb8382a139c5cb7141

Download Submit
C:\Users\Admin\AppData\Local\Temp\ilneru.exe

Filesize
68KB

MD5
b2bfd993158b73f759face2063780872

SHA1
90b5effb949104a54020bc2864327cf4bf5c5da8

SHA256
080b4411dfbb31b874d4f390ee25c7c26faa3b8715d1deec57199e8fd4a42733

SHA512
8787ad497f2e7a87635fecb1ee43fa26fc4bc9c354c539d591140de5a5d746a99bf2896343506fd6165c7c9b424e4dff6ad4ef4eaa0a6fe1c0cedd4998925797

Download Submit
C:\Users\Admin\AppData\Local\Temp\paucu.exe

Filesize
177KB

MD5
afa9d2863a95de19b4ff0298bcbc64f2

SHA1
9c97445e9f69491e5162c39c8a05443aeee2082a

SHA256
db555cb8060b4283647435a3427ce4c661f628e7095d43694583cabd461025ea

SHA512
bf7425e0425f0a07c72f01aafcf37b9837194bf7fe1511af96e42381b69634a9e8f6651f5216c56cc7eb90b4a7527bdca1ad87712de04e5572d1e92bc522d923

Download Submit
C:\Users\Admin\AppData\Local\Temp\paucu.exe

Filesize
19KB

MD5
019f5b50564455e0137f1daa52db5d52

SHA1
6c5d757f8895ecc9636469751ead64c0b47e410c

SHA256
26c517fa0f98406bd354471ec84732b01160c3decf4714f908af956b28da0db4

SHA512
be409798fda88981be125dee400d86457e36ae5cf8dc5ae4dfc1f411ad3449a979769108de3a9b912405c436e214bfe2325743df26d5762911ea11374351ab7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\paucu.exe

Filesize
71KB

MD5
86046b96d5f6894311a512f80c058d6c

SHA1
c07d2f2cfd637e7edcc5015156d184b84d93b689

SHA256
239f770a6833eeae81ebba7cde5ad53e1b5a867d6030ce0ff89bb9c1bbab96c7

SHA512
bf10df562069ca1faa426387ef8763ca26c4d26cfe297e2d5bd88d55d4bbc5222ae836302e2bf7bbd904baddad95f59ae8d5d116981a06cde4be8eb3b8da7afb

Download Submit
\Users\Admin\AppData\Local\Temp\ekpiu.exe

Filesize
459KB

MD5
057d2ce3510cbd644806340b10165f70

SHA1
52270c522b0fdf62b5086f29411c1f9341b183b8

SHA256
3718710af1719c59be6683e4c26d954553f070cecb374f553391aafb773f03e7

SHA512
4b60233657e1dbad70cbcc43371434bcc251432182715ba7693f5dc56f0cc687421005d431ba0f740e629acf4d366dd31ec7643859d4bc7c75d74dce70e75167

Download Submit
\Users\Admin\AppData\Local\Temp\ilneru.exe

Filesize
164KB

MD5
2264f597b6a1bbfae9f6287f8918fcef

SHA1
e2f8185c26db84d221467bcf58944e9b47e57858

SHA256
71ace0a22967a1ec6820909bd8a4919c7a4f11da3e87e4129793a007c845012e

SHA512
4bbffd20751b139b3c8718d258104eb4b661d133cb71ad3b24c3d11835248cd9a9824134b4ca06531312c039cf9c93d8d6ed7246afa321d9cdff34a144258bd6

Download Submit
\Users\Admin\AppData\Local\Temp\ilneru.exe

Filesize
146KB

MD5
cde7bd9d8531b3f3e815ff764705668e

SHA1
3e2b8bd06270e749f60560261d392dd2e0e296dc

SHA256
78243c03939983e8b29ff74cf2aa517886453aaab8f9636f0862809b360b621d

SHA512
0f14834abdbcfc96d8068511fb47610881aac5070e5a684aadfb3d5329f2c11b6383277021a51d949f9c5e6b001e5636d018fa23d6ce3d91882e5f25393d19f4

Download Submit
\Users\Admin\AppData\Local\Temp\paucu.exe

Filesize
289KB

MD5
fffb8eefba1f0b6c0437925e84b24044

SHA1
4206af482c515c96abcb22ed4a06b27e4965664b

SHA256
7c87087ad92717d2a044761fa84d4eabea3b9179085fa9dfaebf057cf60ee380

SHA512
786274b91f43aa8f38faa9f1b53c588a4df5e4556fb7c6215c615bf7415922046830d22963594aa048519e7fb9b21a809464decc93cc1ec3fb7251d81eb624b1

Download Submit
\Users\Admin\AppData\Local\Temp\paucu.exe

Filesize
129KB

MD5
cce4936f02cacf2a9616c4f766e8b757

SHA1
ecd45a1da054625e0423cdac5914bacf2276f167

SHA256
da99ac0b5cfeace8444897674f5b038cd6d44767c0f77dc01408cc86120133f4

SHA512
03c6acba994d00c4bdb61dfc098ffd010d821dd3eb36732225812486b248bea0681d59f8a037ed2ef282a12ffb5fa3ce086328d445dfeb0f5411045b7b967ef6

Download Submit
memory/1220-22-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1220-2-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1220-11-0x00000000029C0000-0x0000000002AE4000-memory.dmp

Filesize
1.1MB

Download
memory/2000-54-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2000-57-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2000-59-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2000-61-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2600-53-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2600-36-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2600-44-0x0000000003B60000-0x0000000003CF9000-memory.dmp

Filesize
1.6MB

Download
memory/2876-33-0x0000000003000000-0x0000000003124000-memory.dmp

Filesize
1.1MB

Download
memory/2876-34-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2876-21-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download