urelas | f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe
Size

6.5MB
MD5

92e0624826b4f17f1fcf2b53e454c216
SHA1

f079f61759d17db1440b09837cdc99817c42a65b
SHA256

f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530
SHA512

5b4cfcebe3b2faee309baa3e4d90f4157e055c9044868f95fcec9080a72f76384a31967e0c3ca48435bbcf66ebaa7be5fc718e3c4d86f3c6ec103f4234ea61e3
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSD:i0LrA2kHKQHNk3og9unipQyOaOD

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ogxyo.exe	UPX
behavioral1/memory/472-167-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral1/memory/472-173-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2648 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

kuecj.execyonzo.exeogxyo.exe

pid process

2584 kuecj.exe
2968 cyonzo.exe
472 ogxyo.exe

pid	process
2648	cmd.exe

pid	process
2584	kuecj.exe
2968	cyonzo.exe
472	ogxyo.exe

Loads dropped DLL 5 IoCs

Processes:

f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exekuecj.execyonzo.exe

pid	process
2924	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe
2924	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe
2584	kuecj.exe
2584	kuecj.exe
2968	cyonzo.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ogxyo.exe	upx
behavioral1/memory/2968-158-0x0000000004960000-0x0000000004AF9000-memory.dmp	upx
behavioral1/memory/472-167-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/472-173-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exekuecj.execyonzo.exeogxyo.exe

pid	process
2924	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe
2584	kuecj.exe
2968	cyonzo.exe
472	ogxyo.exe
472	ogxyo.exe
472	ogxyo.exe
472	ogxyo.exe
472	ogxyo.exe
472	ogxyo.exe
472	ogxyo.exe
472	ogxyo.exe
472	ogxyo.exe
472	ogxyo.exe
472	ogxyo.exe
472	ogxyo.exe
472	ogxyo.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exekuecj.execyonzo.exe

description	pid	process	target process
PID 2924 wrote to memory of 2584	2924	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe	kuecj.exe
PID 2924 wrote to memory of 2584	2924	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe	kuecj.exe
PID 2924 wrote to memory of 2584	2924	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe	kuecj.exe
PID 2924 wrote to memory of 2584	2924	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe	kuecj.exe
PID 2924 wrote to memory of 2648	2924	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe	cmd.exe
PID 2924 wrote to memory of 2648	2924	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe	cmd.exe
PID 2924 wrote to memory of 2648	2924	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe	cmd.exe
PID 2924 wrote to memory of 2648	2924	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe	cmd.exe
PID 2584 wrote to memory of 2968	2584	kuecj.exe	cyonzo.exe
PID 2584 wrote to memory of 2968	2584	kuecj.exe	cyonzo.exe
PID 2584 wrote to memory of 2968	2584	kuecj.exe	cyonzo.exe
PID 2584 wrote to memory of 2968	2584	kuecj.exe	cyonzo.exe
PID 2968 wrote to memory of 472	2968	cyonzo.exe	ogxyo.exe
PID 2968 wrote to memory of 472	2968	cyonzo.exe	ogxyo.exe
PID 2968 wrote to memory of 472	2968	cyonzo.exe	ogxyo.exe
PID 2968 wrote to memory of 472	2968	cyonzo.exe	ogxyo.exe
PID 2968 wrote to memory of 1328	2968	cyonzo.exe	cmd.exe
PID 2968 wrote to memory of 1328	2968	cyonzo.exe	cmd.exe
PID 2968 wrote to memory of 1328	2968	cyonzo.exe	cmd.exe
PID 2968 wrote to memory of 1328	2968	cyonzo.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe
"C:\Users\Admin\AppData\Local\Temp\f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\kuecj.exe
  "C:\Users\Admin\AppData\Local\Temp\kuecj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\cyonzo.exe
    "C:\Users\Admin\AppData\Local\Temp\cyonzo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\ogxyo.exe
      "C:\Users\Admin\AppData\Local\Temp\ogxyo.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:472
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
825d427f5c1c4332b39ae0841a9fbb4d

SHA1
5836bb85e53beceb20aa6c1ede8fa941bfdd1037

SHA256
2161e402289cedf7c2fd166461968b946279cc72acc1a470b9b4e4bfb6b006d1

SHA512
99171eeb3d8271b6899677f869596b1bd7bed78b5b260322eff42e61b3bd16f9ccfe3bdda8c1a61310cbf459c015ff82c4b15dc088c3b0aba864a42c5479d472

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
950dc9d25cc908ff4adafae65f0be317

SHA1
4ecc3aedee3f6c083cd45e2c50d42d32f9c3fa0b

SHA256
b8d44494237467cc637e102f97539c33742255b7ed0c7eb9076cef889fa14c62

SHA512
c0e831a39d0798266a6eb1c70614e46b0e82484814127f05ec4dd6515e65419f2cfa1e6559d019ca16c3ddb659c4fd0470299503e7bca553a3dd6f394ea5ac47

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8d0a2bb04b709c70b7cb00dd169d7003

SHA1
6e6adb725b45a0bc5d4924cb81f5b6657336ab75

SHA256
d292c4fa1943a14033e3b40281e27f92d147929f31f0281228a809616dfe7088

SHA512
7ca713c2feab960afcca2b0cec46f0e37274f35285159f17c205b880faed79d826cfcf6f41c0efb84e3e6b4f5a951523de5317bc80c22310a2aef0424f3bfaf8

Download Submit
\Users\Admin\AppData\Local\Temp\kuecj.exe

Filesize
6.5MB

MD5
61f00f0a85b578722dc419a3dc0cf47c

SHA1
d42f3942a2ef65a10b7372f921c176c5da9df250

SHA256
dfb91acb164079c977557022b3f6bbc236f6e6e51a9d4db541201afd0514a8c6

SHA512
beab6719f95d8a5124af31d2e4ccb77591ee9901c955c066057a71959e95c19690f39da24f628ef92d000141120bb44fd9d4771788bb21b6618f69762bea9d1c

Download Submit
\Users\Admin\AppData\Local\Temp\ogxyo.exe

Filesize
459KB

MD5
0380482930866ccf2a6ca7ce3eacf318

SHA1
8bed17393b2354b134239b2cc43f5a70099206cf

SHA256
e4172db0baa6805b797a4e4359292f315921f1c2e9cb4a4e96af79f39ac538ae

SHA512
74bcf798a95dd2fae17d43d2735c320dc550c83930a3227b6bc01fcd4c5385e0d007ee8e545998b0826f45dc4dff941ec75405fc94cba47ce85f35ca8158c0e9

Download Submit
memory/472-173-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/472-167-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2584-82-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2584-67-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2584-69-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2584-72-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2584-74-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2584-77-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2584-79-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2584-84-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2584-87-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2584-89-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2924-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2924-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2924-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2924-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2924-20-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2924-25-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2924-60-0x0000000004240000-0x0000000004D2C000-memory.dmp

Filesize
10.9MB

Download
memory/2924-52-0x0000000004240000-0x0000000004D2C000-memory.dmp

Filesize
10.9MB

Download
memory/2924-61-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2924-64-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2924-18-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2924-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2924-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2924-28-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2924-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2924-38-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2924-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2924-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2924-11-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2924-13-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2924-15-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2924-23-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2924-30-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2924-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2924-33-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2924-35-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2968-168-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2968-158-0x0000000004960000-0x0000000004AF9000-memory.dmp

Filesize
1.6MB

Download
memory/2968-113-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download