urelas | ce8db332fe75b98361a0dc3b7b9bfc5456df31a291d61db244169ac55dfc4537

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 06:30 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95ee71927bce9ff4ae2a236329b7aa20N.exe
Size

6.5MB
MD5

95ee71927bce9ff4ae2a236329b7aa20
SHA1

1056f0228501dd256dd55ff60ec7d21be0020432
SHA256

ce8db332fe75b98361a0dc3b7b9bfc5456df31a291d61db244169ac55dfc4537
SHA512

b15c5a253d131ce391a6ca30842394ff032a57c51410f937a11225373c3f19a8555c36169bb121be4110e2d2bead53be6d41bdd004b80b4278341b6d558e03cd
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSH:i0LrA2kHKQHNk3og9unipQyOaOH

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2928	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1076	jukuc.exe
2284	sukuik.exe
852	izfoh.exe

Loads dropped DLL 5 IoCs

pid	Process
1368	95ee71927bce9ff4ae2a236329b7aa20N.exe
1368	95ee71927bce9ff4ae2a236329b7aa20N.exe
1076	jukuc.exe
1076	jukuc.exe
2284	sukuik.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001722a-157.dat	upx
behavioral1/memory/852-163-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2284-159-0x0000000004830000-0x00000000049C9000-memory.dmp	upx
behavioral1/memory/852-175-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95ee71927bce9ff4ae2a236329b7aa20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jukuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sukuik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	izfoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1368	95ee71927bce9ff4ae2a236329b7aa20N.exe
1076	jukuc.exe
2284	sukuik.exe
852	izfoh.exe
852	izfoh.exe
852	izfoh.exe
852	izfoh.exe
852	izfoh.exe
852	izfoh.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1076	1368	95ee71927bce9ff4ae2a236329b7aa20N.exe	31
PID 1368 wrote to memory of 1076	1368	95ee71927bce9ff4ae2a236329b7aa20N.exe	31
PID 1368 wrote to memory of 1076	1368	95ee71927bce9ff4ae2a236329b7aa20N.exe	31
PID 1368 wrote to memory of 1076	1368	95ee71927bce9ff4ae2a236329b7aa20N.exe	31
PID 1368 wrote to memory of 2928	1368	95ee71927bce9ff4ae2a236329b7aa20N.exe	32
PID 1368 wrote to memory of 2928	1368	95ee71927bce9ff4ae2a236329b7aa20N.exe	32
PID 1368 wrote to memory of 2928	1368	95ee71927bce9ff4ae2a236329b7aa20N.exe	32
PID 1368 wrote to memory of 2928	1368	95ee71927bce9ff4ae2a236329b7aa20N.exe	32
PID 1076 wrote to memory of 2284	1076	jukuc.exe	34
PID 1076 wrote to memory of 2284	1076	jukuc.exe	34
PID 1076 wrote to memory of 2284	1076	jukuc.exe	34
PID 1076 wrote to memory of 2284	1076	jukuc.exe	34
PID 2284 wrote to memory of 852	2284	sukuik.exe	35
PID 2284 wrote to memory of 852	2284	sukuik.exe	35
PID 2284 wrote to memory of 852	2284	sukuik.exe	35
PID 2284 wrote to memory of 852	2284	sukuik.exe	35
PID 2284 wrote to memory of 2856	2284	sukuik.exe	36
PID 2284 wrote to memory of 2856	2284	sukuik.exe	36
PID 2284 wrote to memory of 2856	2284	sukuik.exe	36
PID 2284 wrote to memory of 2856	2284	sukuik.exe	36

C:\Users\Admin\AppData\Local\Temp\95ee71927bce9ff4ae2a236329b7aa20N.exe
"C:\Users\Admin\AppData\Local\Temp\95ee71927bce9ff4ae2a236329b7aa20N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\jukuc.exe
  "C:\Users\Admin\AppData\Local\Temp\jukuc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\sukuik.exe
    "C:\Users\Admin\AppData\Local\Temp\sukuik.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\izfoh.exe
      "C:\Users\Admin\AppData\Local\Temp\izfoh.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2928

Network

No results found

218.54.31.226:11110

sukuik.exe

152 B
3
1.234.83.146:11170

sukuik.exe

152 B
3
218.54.31.165:11110

sukuik.exe

152 B
3
133.242.129.155:11110

sukuik.exe

152 B
3

No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
278B

MD5
a03a685eb198f629caf9300ec1eb2b31

SHA1
8dc3cd02a0cef1a2d1182b142fb1dc8f56f146d7

SHA256
fb6ce3d0667c8fb9c07a3f43b0d088d8e5209bddb685da2c5646bf57b8cf090f

SHA512
dbd434caf2cbbff4db888e742413f36e6e8d08ee9717efe04e681ee0b64a3e9b6f466a5dd48af167fe80bc224f31337177257cee23d7981b80f85bc6e524dfb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
4f2545c32a24540148661a9f8df6b347

SHA1
3ae95776c56c623e0d92c9765878e639e5cd5d37

SHA256
0875ef115e23a8372ad5b849709f475a23c48368596ca19a679723aa5eb4abe6

SHA512
ca0decf5355be90e35d7ef5f041675a20bdbd863819daeb47ca9abd6de3ffbd3d1e007711591ccce34f1d2ea0ff2165709c3b66b880e362f90108279af8a3b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a03b241bccdd1ad19de05ddbccd96a26

SHA1
5b4cb489a051d320cdd23250b04a0c10a1a37e94

SHA256
03373230388af3ec839dea2ce5c4d8b7cfa57d84cea07170e57653b284343379

SHA512
110ec885d4151b685d4aa5a352b201be62f8657cbcd33f8338501bd87944cdbd24a1afa73af7a1a0596ad53757a209cc75f358d6572fa531e057e82424dd0b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\jukuc.exe

Filesize
6.5MB

MD5
d4ddc2ed96f0398bae2126b8703568c8

SHA1
2def643e4d9734eae071698a4180241aabdbe516

SHA256
4091aaccb2e5d19d9525848359f14f6f7acd68732c074258722acc3d006a52ca

SHA512
0affc1fb9c1bcba14d3af0cd862d7e6c8eaf29ca90f9ba0a45be2508c2e0b2305c206f77435ef3a2bb4a0d12d4f14deaedb96fd0e0ad0ba1a2b809f7022c5cbc

Download Submit
\Users\Admin\AppData\Local\Temp\izfoh.exe

Filesize
459KB

MD5
2a6ff514d3e112f3af0148207ef245db

SHA1
5adad09ec83d29a37205732a60d1eb1e41dd6f67

SHA256
690338f69536122e4dc0fd2554903ed41075e20e9fc697efd1d85eab6f035b3f

SHA512
09757e50cb4aa80cd9aefde07bae8a4016a5aa3a8259b3da6bd6e4e4f9883dbf2d39b69676a88212293be3f5e167fdf56c4840b7b329d4d5d8d1a52082669fba

Download Submit
memory/852-175-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/852-163-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1076-73-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1076-71-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1076-68-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1076-76-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1076-78-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1076-81-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1076-83-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1076-86-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1076-66-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1076-103-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1076-88-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1076-63-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1076-112-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1368-13-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1368-18-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1368-59-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1368-60-0x0000000003F00000-0x00000000049EC000-memory.dmp

Filesize
10.9MB

Download
memory/1368-62-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1368-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1368-61-0x0000000003F00000-0x00000000049EC000-memory.dmp

Filesize
10.9MB

Download
memory/1368-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1368-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1368-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1368-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1368-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1368-11-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1368-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1368-15-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1368-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1368-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1368-20-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1368-23-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1368-36-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1368-25-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1368-34-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1368-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1368-29-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1368-31-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2284-159-0x0000000004830000-0x00000000049C9000-memory.dmp

Filesize
1.6MB

Download
memory/2284-172-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2284-153-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2284-115-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download