urelas | a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe
Size

6.4MB
MD5

942720ef7700407a8cba784c763d17e6
SHA1

e4575d037ae39d9048b4c3db71a45f98f14bf939
SHA256

a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325
SHA512

1da95caa024bef6fa7bde5cb360af8c5d828e587faf1b467b91b87293855b08af7859cdc7fef1ad8af261afc212ccd5a6f18c6bbbf54182e0247076448f276bd
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSW:i0LrA2kHKQHNk3og9unipQyOaOW

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\zucoh.exe	UPX
behavioral1/memory/1444-164-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral1/memory/1444-177-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2468 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

pupoc.exebexipy.exezucoh.exe

pid process

2680 pupoc.exe
2736 bexipy.exe
1444 zucoh.exe

pid	process
2468	cmd.exe

pid	process
2680	pupoc.exe
2736	bexipy.exe
1444	zucoh.exe

Loads dropped DLL 5 IoCs

Processes:

a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exepupoc.exebexipy.exe

pid	process
1704	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe
1704	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe
2680	pupoc.exe
2680	pupoc.exe
2736	bexipy.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\zucoh.exe	upx
behavioral1/memory/1444-164-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1444-177-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exepupoc.exebexipy.exezucoh.exe

pid	process
1704	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe
2680	pupoc.exe
2736	bexipy.exe
1444	zucoh.exe
1444	zucoh.exe
1444	zucoh.exe
1444	zucoh.exe
1444	zucoh.exe
1444	zucoh.exe
1444	zucoh.exe
1444	zucoh.exe
1444	zucoh.exe
1444	zucoh.exe
1444	zucoh.exe
1444	zucoh.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exepupoc.exebexipy.exe

description	pid	process	target process
PID 1704 wrote to memory of 2680	1704	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe	pupoc.exe
PID 1704 wrote to memory of 2680	1704	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe	pupoc.exe
PID 1704 wrote to memory of 2680	1704	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe	pupoc.exe
PID 1704 wrote to memory of 2680	1704	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe	pupoc.exe
PID 1704 wrote to memory of 2468	1704	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe	cmd.exe
PID 1704 wrote to memory of 2468	1704	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe	cmd.exe
PID 1704 wrote to memory of 2468	1704	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe	cmd.exe
PID 1704 wrote to memory of 2468	1704	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe	cmd.exe
PID 2680 wrote to memory of 2736	2680	pupoc.exe	bexipy.exe
PID 2680 wrote to memory of 2736	2680	pupoc.exe	bexipy.exe
PID 2680 wrote to memory of 2736	2680	pupoc.exe	bexipy.exe
PID 2680 wrote to memory of 2736	2680	pupoc.exe	bexipy.exe
PID 2736 wrote to memory of 1444	2736	bexipy.exe	zucoh.exe
PID 2736 wrote to memory of 1444	2736	bexipy.exe	zucoh.exe
PID 2736 wrote to memory of 1444	2736	bexipy.exe	zucoh.exe
PID 2736 wrote to memory of 1444	2736	bexipy.exe	zucoh.exe
PID 2736 wrote to memory of 1416	2736	bexipy.exe	cmd.exe
PID 2736 wrote to memory of 1416	2736	bexipy.exe	cmd.exe
PID 2736 wrote to memory of 1416	2736	bexipy.exe	cmd.exe
PID 2736 wrote to memory of 1416	2736	bexipy.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe
"C:\Users\Admin\AppData\Local\Temp\a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\pupoc.exe
"C:\Users\Admin\AppData\Local\Temp\pupoc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\bexipy.exe
"C:\Users\Admin\AppData\Local\Temp\bexipy.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\zucoh.exe
"C:\Users\Admin\AppData\Local\Temp\zucoh.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1444

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
f390a382077a9e3dc1c9539c0ca4747e

SHA1
137ae28093a106fb32d37cd6073c0e911ba45f24

SHA256
293fbd6c74e6d0167f4cb80f5594e0dee42de9f21d7ed33a9342674c873a373c

SHA512
76ef7be0254c710578c639867a1502206313315a779b4e5f2ff69ab96287a9c268b9a7296cc84fdf7641ff5cf2fa593c94829370a27e7f1f933b0dd6fcf72564

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
869e894f5ee558beaff29ff2047f6fe0

SHA1
e2033f962823f33da9e5663c14d405fadc1b8e37

SHA256
6bee8906939435831cc0025592556b4e3bf44a88037ad18cc005aa94fc9b2dc3

SHA512
4a96d4f27b6dcc7db4ed6105c8b69b051c8399ef685638734b7d9f0e12d0fc4302c8fd0fe42943539c4e044e3edc7cffc7b9097f466b584c053a954701acc5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a79b6ae822e1b9db7d678f603d81732e

SHA1
22cfbbdaa07a580f59f9841964942846e8b6a683

SHA256
2ddbac31238082109467f0b76a66cae01a5a5aa5bdf632e5bbb5152b27a6ee0b

SHA512
23ca008184133bf8b1d3b4cb3a75971899b560486961412b63e883aceb4159b0b850a3a2602c5279eb14e0a32c29d81f1b1a646c49f86cad454efc52dead4043

Download Submit
C:\Users\Admin\AppData\Local\Temp\zucoh.exe

Filesize
459KB

MD5
6dccc1ae063e5df626c92e7bb35e9a24

SHA1
2a4ebb5841c7fc1109ac88a5698ad5ca68ac0ada

SHA256
a6ce6d75baf37986cf539b875e9a9c5f517daaa72e821a4f0f03e94cc03610db

SHA512
cb895098a3ae28e6b8df57ad039d5fbac5aba00396fd628a9742dc9c36328bd12bedaa8f9bd337d18f84fed199143e4747072ed5c5f2f9961b38161395fa9d8e

Download Submit
\Users\Admin\AppData\Local\Temp\pupoc.exe

Filesize
6.4MB

MD5
aa2f1e526ad31542d1cca7cc9070b679

SHA1
9ff447bb2cc4ecd612748acc6dadc5420974ba83

SHA256
5dbdcb1130a31002407fb6ccadc9d83b50b5159fb69c6efddd70afce6012f8ee

SHA512
bb5b61333e6e6db30d48a510fd8112096657b7216a111fde0a2e874ed0f5b06159484170bfa061a8dd1390edd3630a11187ae9d62c28d26198fc7ef91fdaf163

Download Submit
memory/1444-177-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1444-164-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1704-14-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1704-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1704-16-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1704-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1704-12-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1704-11-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1704-9-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1704-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1704-6-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1704-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1704-3-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1704-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1704-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1704-19-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1704-21-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1704-54-0x0000000003C50000-0x000000000473C000-memory.dmp

Filesize
10.9MB

Download
memory/1704-52-0x0000000003C50000-0x000000000473C000-memory.dmp

Filesize
10.9MB

Download
memory/1704-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1704-63-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1704-36-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1704-34-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1704-24-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1704-31-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1704-29-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1704-26-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2680-82-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2680-114-0x0000000003D00000-0x00000000047EC000-memory.dmp

Filesize
10.9MB

Download
memory/2680-117-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2680-116-0x0000000003D00000-0x00000000047EC000-memory.dmp

Filesize
10.9MB

Download
memory/2680-84-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2680-105-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2680-87-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2680-103-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2680-89-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2736-163-0x00000000040A0000-0x0000000004239000-memory.dmp

Filesize
1.6MB

Download
memory/2736-172-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download