urelas | 957551454d03936a503af1b711a15e0a6e25a27d636a08577bcddbaa8803f929

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

957551454d03936a503af1b711a15e0a6e25a27d636a08577bcddbaa8803f929.exe
Size

372KB
MD5

f88e3c2b9e494ecaa70491c02328a120
SHA1

0d0669412139d14c1a584e708f8b220c577d41d5
SHA256

957551454d03936a503af1b711a15e0a6e25a27d636a08577bcddbaa8803f929
SHA512

96690e219ec645c0b2fdca83b7b3086edc936bc0de4416f1a566e16d6450a84559a94a07bdd50be7ac8b5749787321f6ab3b3e0244744e3554d35a4ca2a3b2f5
SSDEEP

6144:LlwArTEDSCs5wL0q/mdwoJgugiIX9Ghal1qU/YagPOl6xVrprI3z:LKmQDSCs5woMmd9axVNG4qugPO+V6

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 8 IoCs

resource	yara_rule
behavioral1/memory/332-0-0x0000000000400000-0x000000000045E000-memory.dmp	UPX
behavioral1/files/0x000b000000015ca5-7.dat	UPX
behavioral1/memory/332-18-0x0000000000400000-0x000000000045E000-memory.dmp	UPX
behavioral1/memory/2344-16-0x0000000000400000-0x000000000045E000-memory.dmp	UPX
behavioral1/files/0x000b000000015ca5-4.dat	UPX
behavioral1/memory/2344-21-0x0000000000400000-0x000000000045E000-memory.dmp	UPX
behavioral1/memory/2344-28-0x0000000000400000-0x000000000045E000-memory.dmp	UPX
behavioral1/files/0x000b000000015ca5-30.dat	UPX

Deletes itself 1 IoCs

pid	Process
2580	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2344	ugrum.exe
2332	udpot.exe

Loads dropped DLL 2 IoCs

pid	Process
332	957551454d03936a503af1b711a15e0a6e25a27d636a08577bcddbaa8803f929.exe
2344	ugrum.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/332-0-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral1/files/0x000b000000015ca5-7.dat	upx
behavioral1/memory/332-18-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral1/memory/2344-16-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral1/files/0x000b000000015ca5-4.dat	upx
behavioral1/memory/2344-21-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral1/memory/2344-28-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral1/files/0x000b000000015ca5-30.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe
2332	udpot.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 2344	332	957551454d03936a503af1b711a15e0a6e25a27d636a08577bcddbaa8803f929.exe	28
PID 332 wrote to memory of 2344	332	957551454d03936a503af1b711a15e0a6e25a27d636a08577bcddbaa8803f929.exe	28
PID 332 wrote to memory of 2344	332	957551454d03936a503af1b711a15e0a6e25a27d636a08577bcddbaa8803f929.exe	28
PID 332 wrote to memory of 2344	332	957551454d03936a503af1b711a15e0a6e25a27d636a08577bcddbaa8803f929.exe	28
PID 332 wrote to memory of 2580	332	957551454d03936a503af1b711a15e0a6e25a27d636a08577bcddbaa8803f929.exe	29
PID 332 wrote to memory of 2580	332	957551454d03936a503af1b711a15e0a6e25a27d636a08577bcddbaa8803f929.exe	29
PID 332 wrote to memory of 2580	332	957551454d03936a503af1b711a15e0a6e25a27d636a08577bcddbaa8803f929.exe	29
PID 332 wrote to memory of 2580	332	957551454d03936a503af1b711a15e0a6e25a27d636a08577bcddbaa8803f929.exe	29
PID 2344 wrote to memory of 2332	2344	ugrum.exe	33
PID 2344 wrote to memory of 2332	2344	ugrum.exe	33
PID 2344 wrote to memory of 2332	2344	ugrum.exe	33
PID 2344 wrote to memory of 2332	2344	ugrum.exe	33

C:\Users\Admin\AppData\Local\Temp\957551454d03936a503af1b711a15e0a6e25a27d636a08577bcddbaa8803f929.exe
"C:\Users\Admin\AppData\Local\Temp\957551454d03936a503af1b711a15e0a6e25a27d636a08577bcddbaa8803f929.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332
- C:\Users\Admin\AppData\Local\Temp\ugrum.exe
  "C:\Users\Admin\AppData\Local\Temp\ugrum.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\udpot.exe
    "C:\Users\Admin\AppData\Local\Temp\udpot.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
6207f0f2d74a2ca1a0b519b0d87d3f52

SHA1
3be9cdd5e7eb087836407ceb6f6da341a7839e8d

SHA256
1547db12ff4f4b50d584ba06e4ea0fe8d9246c0e5303917950aa5ad8ec0f13d7

SHA512
32e85f2f3d17d33d7d84e2cc392bce6e0fbdcb5ac4339c9f1e4897df32356e679b24d5ee46fd727044936ae0f4f234378963e9c2f36e0a223effdb6ffb0137e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d165c292303f9e95e8e23bc4607b8efb

SHA1
e7bec66a9600671154e3856f44a4ae0d058503c2

SHA256
ecbbaf56bd45f8577275f005ec6b696800ceb7732e7a28e3985a1bb5b1b49c06

SHA512
87c46ba91e3f37d5c429e87ff91669dbed58ce7983fe6ca488f472260cdacb2ff605c5636d4afdb1fed60a273b425b3262980bf4b9c8177f338617980bd0ab8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugrum.exe

Filesize
372KB

MD5
c6031465fe7d38fd240394dd06ed4db7

SHA1
01010ff4d1abe53f50f450de878f843d431ef4dc

SHA256
39c62c369a15c5e398934dee2cad9e1dc910b2543f9760f2fb4bb0fcc9ac9b34

SHA512
0a9749bfcd0d7528a81a61b605500003232cc21875a0f2de9a3f1cb589ae1a32f7946601dea4478a7d67f10a9683d84cea63e8c62a0b12c79c60768819501b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugrum.exe

Filesize
84KB

MD5
668afd3a24452acef24ea9e3cc84273a

SHA1
4c78e74a28b7541f3230a2c53e2b124e8b009123

SHA256
a5f1267666a80bb6f924cf83c34652cbbdd117b6b2ac74dfd87dcb0e79497ef2

SHA512
2d0d6676cd10f2ae3cd14d33d44749842a4599e618158b9e6773063eb1bf9de2040d89e95bb736a4ecf7698ce89bcc27b64f22fdc43acd9019337b818be212ba

Download Submit
\Users\Admin\AppData\Local\Temp\udpot.exe

Filesize
161KB

MD5
7d0144ba637a78c2dcb15f1d6dfd6537

SHA1
0c27e438b6f5dcd5ce3c58bc1f970d85edeca571

SHA256
bafdd5447c7f70f0b1832bac88c02d6a8dbdf1ca5e2afa01d7e5d311e0356e01

SHA512
f7121c4505e1258bf12ab33f22f7ca0ad92fe1ad89d22852fe9a885a4ca82cabdd32265a707bc5609a766a01db3a6d9a7c269d5d499dd1b9984ffcaca76949dd

Download Submit
\Users\Admin\AppData\Local\Temp\ugrum.exe

Filesize
57KB

MD5
b60dae011691733998061fc579e4dd01

SHA1
8e92e1e6181bc9c27a61bce3e1e51cf4d478ff64

SHA256
65fcec777a9f53bf03150672c88e6053e9ceb084d95355545bae982f998c25e4

SHA512
653a8121b3ba076a4cd08c68651230568011302b08efc6e55ef9f0579bee8f234012890eeb1178fffe51210a1cddcd0e3bd8783446756f4596baf2b0ce626269

Download Submit
memory/332-10-0x00000000007B0000-0x000000000080E000-memory.dmp

Filesize
376KB

Download
memory/332-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/332-18-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2332-33-0x0000000000FF0000-0x0000000001081000-memory.dmp

Filesize
580KB

Download
memory/2332-35-0x0000000000FF0000-0x0000000001081000-memory.dmp

Filesize
580KB

Download
memory/2332-34-0x0000000000FF0000-0x0000000001081000-memory.dmp

Filesize
580KB

Download
memory/2332-29-0x0000000000FF0000-0x0000000001081000-memory.dmp

Filesize
580KB

Download
memory/2332-31-0x0000000000FF0000-0x0000000001081000-memory.dmp

Filesize
580KB

Download
memory/2332-32-0x0000000000FF0000-0x0000000001081000-memory.dmp

Filesize
580KB

Download
memory/2344-16-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2344-28-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2344-21-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download