urelas | 5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 22:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe
Size

6.5MB
MD5

ac0ad3ecfedd68fc5ef3c26f6507f5ff
SHA1

30462e61e291fab5b761788dc328e7e16d05bdd1
SHA256

5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3
SHA512

723d88e22b31650f8beb030a450dbc26a40cc1116ce40f662d0d2f876f89c88997996009cb56cef0631f5f1e62a71d7cffc060ea705117e1dca56c63d6c503a1
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSB:i0LrA2kHKQHNk3og9unipQyOaOB

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1508	ciurw.exe
2672	remexu.exe
524	ulogv.exe

Loads dropped DLL 5 IoCs

pid	Process
2276	5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe
2276	5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe
1508	ciurw.exe
1508	ciurw.exe
2672	remexu.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016d20-154.dat	upx
behavioral1/memory/524-167-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/524-173-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ciurw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remexu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ulogv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2276	5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe
1508	ciurw.exe
2672	remexu.exe
524	ulogv.exe
524	ulogv.exe
524	ulogv.exe
524	ulogv.exe
524	ulogv.exe
524	ulogv.exe
524	ulogv.exe
524	ulogv.exe
524	ulogv.exe
524	ulogv.exe
524	ulogv.exe
524	ulogv.exe
524	ulogv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1508	2276	5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe	28
PID 2276 wrote to memory of 1508	2276	5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe	28
PID 2276 wrote to memory of 1508	2276	5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe	28
PID 2276 wrote to memory of 1508	2276	5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe	28
PID 2276 wrote to memory of 2808	2276	5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe	29
PID 2276 wrote to memory of 2808	2276	5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe	29
PID 2276 wrote to memory of 2808	2276	5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe	29
PID 2276 wrote to memory of 2808	2276	5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe	29
PID 1508 wrote to memory of 2672	1508	ciurw.exe	31
PID 1508 wrote to memory of 2672	1508	ciurw.exe	31
PID 1508 wrote to memory of 2672	1508	ciurw.exe	31
PID 1508 wrote to memory of 2672	1508	ciurw.exe	31
PID 2672 wrote to memory of 524	2672	remexu.exe	34
PID 2672 wrote to memory of 524	2672	remexu.exe	34
PID 2672 wrote to memory of 524	2672	remexu.exe	34
PID 2672 wrote to memory of 524	2672	remexu.exe	34
PID 2672 wrote to memory of 952	2672	remexu.exe	35
PID 2672 wrote to memory of 952	2672	remexu.exe	35
PID 2672 wrote to memory of 952	2672	remexu.exe	35
PID 2672 wrote to memory of 952	2672	remexu.exe	35

C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe
"C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\ciurw.exe
  "C:\Users\Admin\AppData\Local\Temp\ciurw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Users\Admin\AppData\Local\Temp\remexu.exe
    "C:\Users\Admin\AppData\Local\Temp\remexu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\ulogv.exe
      "C:\Users\Admin\AppData\Local\Temp\ulogv.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:524
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
0b2d310c5081261ed7a37dfd3658d7f3

SHA1
01c5b603fe269e06d90277c4c3600dfd4430431d

SHA256
8e19fa7ab7dedd21d74ccb808dc41f46d31da1ff64a01a6bd85d9bfabf905c5a

SHA512
a72ccac058bbafb6e9a96fc51fe634351f036bb177323dc91ea4589d50e615b3494005e16b8e3d9f5c706910bafa7db49a0327ee7f4dab21de797c85fddc6053

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
f1482ae6624e18bfdb0a9d8efaf5eb4b

SHA1
50a51f75cfe722c9bd7b13f52bb249cf2ee7957c

SHA256
6d9ba1642bb4ff817b0bfc9c1f590d356d214b2be58ba03d7e87b56a1875d840

SHA512
6757bfde6a50647b04614a4b24f5bf8584796891de9098be3fb11a6e95c5401cf5b856c0d8f36e0abac5eb9eff69e924f9b571c79553fe58e786ca3170e61365

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ab102d3d1c8b730046521b5e0f16ef17

SHA1
90302460c4761878a723cd4ae1bac2080a3ac5f1

SHA256
d78f0341fa26141120bc039c69f251c8d55d96a9201114031399075ca00d8d84

SHA512
84a84b53859781f3c02b8347e25016db45ae8c7929cd869c8aa30af837e3212b8331e8f36d4f9491342a10abdcd29e38d08bf137e40b114e100a2c76c498fedb

Download Submit
\Users\Admin\AppData\Local\Temp\ciurw.exe

Filesize
6.5MB

MD5
05081d09ac6153681387b5b531395d71

SHA1
6602c79cd7d2f282ff9ee07eca22a6188e778d5f

SHA256
8932f553d61e8a0309ddf1a0cfde9492b6d61c889fa7e6bf353cc6597a4b8eee

SHA512
25f74fb82e2520bbd6b5105cb022e8f8752dbdc3cb854dea10cc05ea088a66e71a4774f06ab5b999d96652faf160839744579f22b24725b830c9571265a3077e

Download Submit
\Users\Admin\AppData\Local\Temp\ulogv.exe

Filesize
459KB

MD5
8ccfbb7da99103b7ec3dea57074320a0

SHA1
1046a90c4b070664e203bed0ae7fee47791a8580

SHA256
0a33525b3f49db82dd9a56f067f706f360ba102e32e2176b49765c1eae2d9d35

SHA512
8388e9732b19c57204f886bcb5b74978b698346abd5c25693657b3ae819f0540050f7e05deacba51a3fc23e9f12acb89a5f5ee29b22dc002b1df23033bad9f04

Download Submit
memory/524-173-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/524-167-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1508-75-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1508-111-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1508-112-0x0000000004560000-0x000000000504C000-memory.dmp

Filesize
10.9MB

Download
memory/1508-77-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1508-80-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1508-82-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1508-72-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1508-85-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1508-87-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1508-65-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1508-67-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1508-70-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2276-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2276-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2276-60-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2276-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2276-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2276-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2276-58-0x0000000003F70000-0x0000000004A5C000-memory.dmp

Filesize
10.9MB

Download
memory/2276-50-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2276-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2276-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2276-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2276-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2276-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2276-61-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2276-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2276-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2276-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2276-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2276-28-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2276-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2276-33-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2276-35-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2276-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2276-37-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2672-168-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2672-158-0x0000000004750000-0x00000000048E9000-memory.dmp

Filesize
1.6MB

Download
memory/2672-113-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download