urelas | c6dc254df0bce3dc3940aa70853bb5f30efc0a4574ef26eb214997c1391bee27

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 05:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

373f25e7da45d48019c326e58ae35696.exe
Size

385KB
MD5

373f25e7da45d48019c326e58ae35696
SHA1

79a09dd556aeff172e35f414c0870b666e4dd1f2
SHA256

c6dc254df0bce3dc3940aa70853bb5f30efc0a4574ef26eb214997c1391bee27
SHA512

073ac403c092da2998afd9d10246219e8038062a06cf9066a4f764c75a14ae48ae0eb179bbeeeb70d86f8ea4f5affb0cda1849eefaa6292b4d959b79c8dad8e8
SSDEEP

6144:tfKUuk3Zz7INHrUP0Q9G9G8rMd1CX4/D1qPDmftZvVhlvDGjaELfDMzPS94dm:NBJzsNfIG0IMHCX4b1qLmvvXlrKVfjMm

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2156	juxyk.exe
1924	ubetc.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	373f25e7da45d48019c326e58ae35696.exe
2156	juxyk.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-17-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2156-9-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/files/0x0030000000015d8c-7.dat	upx
behavioral1/memory/1736-0-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2156-20-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2156-34-0x0000000000400000-0x0000000000490000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe
1924	ubetc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2156	1736	373f25e7da45d48019c326e58ae35696.exe	28
PID 1736 wrote to memory of 2156	1736	373f25e7da45d48019c326e58ae35696.exe	28
PID 1736 wrote to memory of 2156	1736	373f25e7da45d48019c326e58ae35696.exe	28
PID 1736 wrote to memory of 2156	1736	373f25e7da45d48019c326e58ae35696.exe	28
PID 1736 wrote to memory of 2632	1736	373f25e7da45d48019c326e58ae35696.exe	29
PID 1736 wrote to memory of 2632	1736	373f25e7da45d48019c326e58ae35696.exe	29
PID 1736 wrote to memory of 2632	1736	373f25e7da45d48019c326e58ae35696.exe	29
PID 1736 wrote to memory of 2632	1736	373f25e7da45d48019c326e58ae35696.exe	29
PID 2156 wrote to memory of 1924	2156	juxyk.exe	33
PID 2156 wrote to memory of 1924	2156	juxyk.exe	33
PID 2156 wrote to memory of 1924	2156	juxyk.exe	33
PID 2156 wrote to memory of 1924	2156	juxyk.exe	33

C:\Users\Admin\AppData\Local\Temp\373f25e7da45d48019c326e58ae35696.exe
"C:\Users\Admin\AppData\Local\Temp\373f25e7da45d48019c326e58ae35696.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\juxyk.exe
  "C:\Users\Admin\AppData\Local\Temp\juxyk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\ubetc.exe
    "C:\Users\Admin\AppData\Local\Temp\ubetc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
8bc4ea720a72d6065aa08b80a25d539a

SHA1
359ed8701784947524534e95da0fa8d934189758

SHA256
4089af7622c5de448076af0929b80227b2f5420b0549235c5a5832fb6ddc563c

SHA512
4bbc4e7c7e38e1d8e34906e32e893b217c5b7671c760f2b9386cb033581e333f462921573996f7f5e38b4e3b1c6d3beedce9fe711ee23d56d48e2729cf2b72cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a7b699a2d9fb9bdcfb8c653c76be3a60

SHA1
39414992f6bbb351753acb6f1283809f92cdaf99

SHA256
92897b82bd35826e697feec367b574aed037d7cf7ea10d521f890f364da43672

SHA512
06466d1f43fc93ab9a2d126b0b86a5a3da16bd4bb60b87fcda13ff780aa86a32e40dbd9cf04538d57023f08ae29dbdb499045272f7d83f8d71529da73fb5403f

Download Submit
C:\Users\Admin\AppData\Local\Temp\juxyk.exe

Filesize
386KB

MD5
41763d00bbb55f003718dd1e95d54fa7

SHA1
fbb15bf9a4d590b31f9cb0a565a3eb419e142369

SHA256
710f2e03ef88bb9a895a05e18264251ea607519c207c5d0e0cd2a37eb239814a

SHA512
ff1a99ce6616d4710d6910c1b740def4b2e12b0455066a589e0d2cc91d84b2d4c9dc3f95c8e833d3f9087beb248eb6c4e316e242c3c91b334db6e4d15dbb44d4

Download Submit
\Users\Admin\AppData\Local\Temp\ubetc.exe

Filesize
241KB

MD5
5f5dd1fd6f1ee72634543eb491b1cc88

SHA1
f585399641ffaf42f5272d0e30ae063dd61102c0

SHA256
b827a1ee48d1bb711fbc37d3a5c4dc018b900c6e6b9edd277429ee507326acda

SHA512
11058af87180736c74a58423c8ac1a2120f5b59ded3489b18181acea87f0215a274a7cefcea6b609f2c2f7370967b94d52ff5de504aedb2fb3bd57e0fe4a82fe

Download Submit
memory/1736-17-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1736-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1924-40-0x00000000000D0000-0x0000000000186000-memory.dmp

Filesize
728KB

Download
memory/1924-37-0x00000000000D0000-0x0000000000186000-memory.dmp

Filesize
728KB

Download
memory/1924-38-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1924-41-0x00000000000D0000-0x0000000000186000-memory.dmp

Filesize
728KB

Download
memory/1924-42-0x00000000000D0000-0x0000000000186000-memory.dmp

Filesize
728KB

Download
memory/1924-43-0x00000000000D0000-0x0000000000186000-memory.dmp

Filesize
728KB

Download
memory/1924-44-0x00000000000D0000-0x0000000000186000-memory.dmp

Filesize
728KB

Download
memory/2156-20-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2156-34-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2156-35-0x0000000003760000-0x0000000003816000-memory.dmp

Filesize
728KB

Download
memory/2156-9-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download