urelas | ce8db332fe75b98361a0dc3b7b9bfc5456df31a291d61db244169ac55dfc4537

Analysis

max time kernel
118s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95ee71927bce9ff4ae2a236329b7aa20N.exe
Size

6.5MB
MD5

95ee71927bce9ff4ae2a236329b7aa20
SHA1

1056f0228501dd256dd55ff60ec7d21be0020432
SHA256

ce8db332fe75b98361a0dc3b7b9bfc5456df31a291d61db244169ac55dfc4537
SHA512

b15c5a253d131ce391a6ca30842394ff032a57c51410f937a11225373c3f19a8555c36169bb121be4110e2d2bead53be6d41bdd004b80b4278341b6d558e03cd
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSH:i0LrA2kHKQHNk3og9unipQyOaOH

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tewymo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	95ee71927bce9ff4ae2a236329b7aa20N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	awkum.exe

Executes dropped EXE 3 IoCs

pid	Process
4492	awkum.exe
1104	tewymo.exe
1152	uzufn.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002346c-66.dat	upx
behavioral2/memory/1152-72-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/1152-77-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	awkum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tewymo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzufn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95ee71927bce9ff4ae2a236329b7aa20N.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2552	95ee71927bce9ff4ae2a236329b7aa20N.exe
2552	95ee71927bce9ff4ae2a236329b7aa20N.exe
4492	awkum.exe
4492	awkum.exe
1104	tewymo.exe
1104	tewymo.exe
1152	uzufn.exe
1152	uzufn.exe
1152	uzufn.exe
1152	uzufn.exe
1152	uzufn.exe
1152	uzufn.exe
1152	uzufn.exe
1152	uzufn.exe
1152	uzufn.exe
1152	uzufn.exe
1152	uzufn.exe
1152	uzufn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 4492	2552	95ee71927bce9ff4ae2a236329b7aa20N.exe	87
PID 2552 wrote to memory of 4492	2552	95ee71927bce9ff4ae2a236329b7aa20N.exe	87
PID 2552 wrote to memory of 4492	2552	95ee71927bce9ff4ae2a236329b7aa20N.exe	87
PID 2552 wrote to memory of 2948	2552	95ee71927bce9ff4ae2a236329b7aa20N.exe	88
PID 2552 wrote to memory of 2948	2552	95ee71927bce9ff4ae2a236329b7aa20N.exe	88
PID 2552 wrote to memory of 2948	2552	95ee71927bce9ff4ae2a236329b7aa20N.exe	88
PID 4492 wrote to memory of 1104	4492	awkum.exe	90
PID 4492 wrote to memory of 1104	4492	awkum.exe	90
PID 4492 wrote to memory of 1104	4492	awkum.exe	90
PID 1104 wrote to memory of 1152	1104	tewymo.exe	102
PID 1104 wrote to memory of 1152	1104	tewymo.exe	102
PID 1104 wrote to memory of 1152	1104	tewymo.exe	102
PID 1104 wrote to memory of 4068	1104	tewymo.exe	103
PID 1104 wrote to memory of 4068	1104	tewymo.exe	103
PID 1104 wrote to memory of 4068	1104	tewymo.exe	103

C:\Users\Admin\AppData\Local\Temp\95ee71927bce9ff4ae2a236329b7aa20N.exe
"C:\Users\Admin\AppData\Local\Temp\95ee71927bce9ff4ae2a236329b7aa20N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\awkum.exe
  "C:\Users\Admin\AppData\Local\Temp\awkum.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\tewymo.exe
    "C:\Users\Admin\AppData\Local\Temp\tewymo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\uzufn.exe
      "C:\Users\Admin\AppData\Local\Temp\uzufn.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
2cd345598aa15cbc010e6d60eba1f04b

SHA1
0b0ae13c78ce0b7ddb8cbdd0b0f353648de598a8

SHA256
6990347d7d663caa0ac49b54254e728a96eec0a0c622b7d3375d72b75de60d6f

SHA512
6f4f97acac1063f8a3e3841c7cc592f270653a941ffc0b8ffa79d97a6335ad532be6f3d54cacc2a2938bebb6d9e780267714846e7f9fc0b2f4b576f93b019795

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
278B

MD5
a03a685eb198f629caf9300ec1eb2b31

SHA1
8dc3cd02a0cef1a2d1182b142fb1dc8f56f146d7

SHA256
fb6ce3d0667c8fb9c07a3f43b0d088d8e5209bddb685da2c5646bf57b8cf090f

SHA512
dbd434caf2cbbff4db888e742413f36e6e8d08ee9717efe04e681ee0b64a3e9b6f466a5dd48af167fe80bc224f31337177257cee23d7981b80f85bc6e524dfb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\awkum.exe

Filesize
6.5MB

MD5
c299a2ac4f450371cab0b21534d390e6

SHA1
a81dd0ba7c60b01bc019c8378ce6cb6b7f92e054

SHA256
c3008311354b4d910c793ba6f7870ea352cfee3e436e2ca5877cfe7398c253d7

SHA512
53e43bc7f6e53f2aeed89750acaad41ec3f3683b6278751e7f144ff7e4cfee0156e7518d7b515396b3b73e7d9a6fcb8fb5f058f381e355cbd62444663ef43796

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ef52af394a7d8bc85614d05bcab7b4cc

SHA1
6642fc8ac5317ab966bd551b4e70a8410b84da51

SHA256
a6ac5ce226354deb998f4d7e0b60d23c01850bd7b73d138ae435a30548866672

SHA512
3cc65ddfca3dec32cef60f2bd378627191f210d36ef032c79918b81c7c0474861c0d2efecaf86aec4dbcdaf69cf6585dac6e4d1c8c6afaad09e569c524b5d646

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzufn.exe

Filesize
459KB

MD5
7c299e2b564ef83d160e912e4de81dc2

SHA1
9f72c8120e07c98dca2c8585e00e10147ca0ae55

SHA256
291a53c34f16ccf408706efbaf80394994344e1b8486698723818be8778fff53

SHA512
5e8e09ab64a648989146ac04e7d4ae49d9509d0bb84dc0c5b7e3d3a370f07f5efbf0df9c707798ee05b83b31c9991627fb863935374374f5c006cf5e3f868ac1

Download Submit
memory/1104-74-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1104-60-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1104-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1104-51-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/1104-52-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/1104-54-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/1104-55-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/1104-56-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/1104-57-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1104-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1152-72-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1152-77-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2552-5-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/2552-6-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2552-1-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2552-4-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/2552-3-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/2552-2-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/2552-8-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2552-7-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2552-11-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2552-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2552-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2552-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2552-26-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2552-27-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4492-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4492-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4492-50-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4492-29-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/4492-30-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/4492-40-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4492-31-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4492-32-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/4492-33-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/4492-34-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/4492-35-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/4492-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download