urelas | 9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe
Size

6.5MB
MD5

99376ee4ed70611e27327a144ce46553
SHA1

49bdca60f10a3b2957824c16b0bc862224fb0d59
SHA256

9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db
SHA512

bcaa3490a23d7614aa888c6cd344d3f0a5c7a3ababdcc26646a6475ee3696c8d02a6930c9007cc2c149fff9881151dc0f81141626c511935aa64941a54954320
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSW:i0LrA2kHKQHNk3og9unipQyOaOW

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\azhur.exe	UPX
behavioral1/memory/676-161-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral1/memory/676-174-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2964 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

nuazd.exefyyqwi.exeazhur.exe

pid process

2692 nuazd.exe
2628 fyyqwi.exe
676 azhur.exe

pid	process
2964	cmd.exe

pid	process
2692	nuazd.exe
2628	fyyqwi.exe
676	azhur.exe

Loads dropped DLL 5 IoCs

Processes:

9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exenuazd.exefyyqwi.exe

pid	process
1740	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe
1740	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe
2692	nuazd.exe
2692	nuazd.exe
2628	fyyqwi.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\azhur.exe	upx
behavioral1/memory/676-161-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2628-159-0x0000000004860000-0x00000000049F9000-memory.dmp	upx
behavioral1/memory/676-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exenuazd.exefyyqwi.exeazhur.exe

pid	process
1740	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe
2692	nuazd.exe
2628	fyyqwi.exe
676	azhur.exe
676	azhur.exe
676	azhur.exe
676	azhur.exe
676	azhur.exe
676	azhur.exe
676	azhur.exe
676	azhur.exe
676	azhur.exe
676	azhur.exe
676	azhur.exe
676	azhur.exe
676	azhur.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exenuazd.exefyyqwi.exe

description	pid	process	target process
PID 1740 wrote to memory of 2692	1740	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe	nuazd.exe
PID 1740 wrote to memory of 2692	1740	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe	nuazd.exe
PID 1740 wrote to memory of 2692	1740	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe	nuazd.exe
PID 1740 wrote to memory of 2692	1740	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe	nuazd.exe
PID 1740 wrote to memory of 2964	1740	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe	cmd.exe
PID 1740 wrote to memory of 2964	1740	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe	cmd.exe
PID 1740 wrote to memory of 2964	1740	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe	cmd.exe
PID 1740 wrote to memory of 2964	1740	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe	cmd.exe
PID 2692 wrote to memory of 2628	2692	nuazd.exe	fyyqwi.exe
PID 2692 wrote to memory of 2628	2692	nuazd.exe	fyyqwi.exe
PID 2692 wrote to memory of 2628	2692	nuazd.exe	fyyqwi.exe
PID 2692 wrote to memory of 2628	2692	nuazd.exe	fyyqwi.exe
PID 2628 wrote to memory of 676	2628	fyyqwi.exe	azhur.exe
PID 2628 wrote to memory of 676	2628	fyyqwi.exe	azhur.exe
PID 2628 wrote to memory of 676	2628	fyyqwi.exe	azhur.exe
PID 2628 wrote to memory of 676	2628	fyyqwi.exe	azhur.exe
PID 2628 wrote to memory of 1268	2628	fyyqwi.exe	cmd.exe
PID 2628 wrote to memory of 1268	2628	fyyqwi.exe	cmd.exe
PID 2628 wrote to memory of 1268	2628	fyyqwi.exe	cmd.exe
PID 2628 wrote to memory of 1268	2628	fyyqwi.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe
"C:\Users\Admin\AppData\Local\Temp\9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\nuazd.exe
"C:\Users\Admin\AppData\Local\Temp\nuazd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Local\Temp\fyyqwi.exe
"C:\Users\Admin\AppData\Local\Temp\fyyqwi.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\azhur.exe
"C:\Users\Admin\AppData\Local\Temp\azhur.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
994a5ec7e19de459ba156d24f14a6fe7

SHA1
5d30972269a7468f80267f13c6cafa156a5d0a56

SHA256
32ffc0db52cc85930d31f5c997bac3c75c4349485bbf769f90a08e2de91806b8

SHA512
ea24550e7787cc220fa9c13625bd40a4da03da671ab4f63677a5bc24055e5fe441c006fad716363f392c47b02d8e42674db8092d7db917a80846eb215023efe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
57be345a625defe2e1006c9ae463aa94

SHA1
954935a2d0c7021d2387c44f5039ef1029a53f8b

SHA256
2de5aef3565fe1ebad3b17140d8d2edfe13127c137060a75ffd05b0a04cedcf9

SHA512
e7b70145882d58d6ec70603d91d1b72e0eda6bd686d32c1df07d9e9e8ce7308dbe8cd07286ed518e7b02de6bbb894182846708597c0d07bc8e081da4d45207eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5ce1d636f460f0af4fc58b5ed6237c31

SHA1
606277a3b5bf108246d9cbf0c1e27b528031a269

SHA256
1c86c32faead224200d426dacb35b86eda0c3ee9550ccf99e4dce1f53ce202e2

SHA512
495e87582656c38103e8b0d0b7c42720b6c2b80274298c72b82bbb289bdb5b8497f5ec2e9f46d44d998013b5ef4ead3bfaddac179d5f26bde167f24e5896ae67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuazd.exe

Filesize
6.5MB

MD5
7677cacb3fbb5d96d1cdc7c3963f9134

SHA1
2c99bd473f17960f93dace50128f33327b7f4e4e

SHA256
e93f6eb39e16a28d2440ccd6d2c60693408e9ec069cbb6991eb46b5b9c3ed3b2

SHA512
069817b1b5077ecbeeec4201f861b5cacc57b4204bb8802c3e916a3313c5f1bfc1daa3d16d8e70e4b3a260b08612a310d82e5d4b0dd0ec98d1843a7ad5d4db78

Download Submit
\Users\Admin\AppData\Local\Temp\azhur.exe

Filesize
459KB

MD5
7e3c7cd80a77c26a3fa4bf12f02854c8

SHA1
10f42921491b0928964259a1f11e82f79f99d438

SHA256
a927483cc62eabf304766f064758ab98225ba3872ca03d70e1302518589c2d55

SHA512
1d93fe0721590f0187c009122323775672ac66dff6bb2e8620be27f28e9db6af053eb4b716a90d493340b47b650df287a254955bf91925034baca0b433b5af91

Download Submit
memory/676-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/676-161-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1740-59-0x0000000003F10000-0x00000000049FC000-memory.dmp

Filesize
10.9MB

Download
memory/1740-63-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1740-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1740-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1740-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1740-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1740-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1740-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1740-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1740-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1740-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1740-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1740-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1740-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1740-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1740-61-0x0000000003F10000-0x00000000049FC000-memory.dmp

Filesize
10.9MB

Download
memory/1740-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1740-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1740-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1740-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1740-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1740-37-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1740-35-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1740-33-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1740-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1740-28-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2628-159-0x0000000004860000-0x00000000049F9000-memory.dmp

Filesize
1.6MB

Download
memory/2628-169-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2692-79-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2692-89-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/2692-77-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2692-111-0x0000000004550000-0x000000000503C000-memory.dmp

Filesize
10.9MB

Download
memory/2692-113-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2692-82-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2692-67-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2692-84-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2692-69-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2692-87-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/2692-74-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2692-72-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download