urelas | a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757e

Analysis

max time kernel
120s
max time network
82s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
Size

6.5MB
MD5

79890be584a693a9115d5daa6f1e02f0
SHA1

d5efa5308b9fa963ec06a83818331db6f2367ad4
SHA256

a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757e
SHA512

f2e06a398f0fe3a35ef2b06967866d9219d4be290b7e0748f078d0fafe04e16f0614d9df6f8f4ed0dd8a0420c11ef71cec703474d71c068fa38eace2efdf4090
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVS8r:i0LrA2kHKQHNk3og9unipQyOaOy

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2728	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

jyebq.exelyecfe.exekywoa.exe

pid	Process
2760	jyebq.exe
740	lyecfe.exe
292	kywoa.exe

Loads dropped DLL 5 IoCs

Processes:

a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exejyebq.exelyecfe.exe

pid	Process
2860	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
2860	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
2760	jyebq.exe
2760	jyebq.exe
740	lyecfe.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0008000000016da7-158.dat	upx
behavioral1/memory/740-162-0x00000000047D0000-0x0000000004969000-memory.dmp	upx
behavioral1/memory/292-164-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/292-176-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

kywoa.execmd.exea52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.execmd.exejyebq.exelyecfe.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kywoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jyebq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lyecfe.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exejyebq.exelyecfe.exekywoa.exe

pid	Process
2860	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
2760	jyebq.exe
740	lyecfe.exe
292	kywoa.exe
292	kywoa.exe
292	kywoa.exe
292	kywoa.exe
292	kywoa.exe
292	kywoa.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exejyebq.exelyecfe.exe

description	pid	Process	procid_target
PID 2860 wrote to memory of 2760	2860	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	30
PID 2860 wrote to memory of 2760	2860	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	30
PID 2860 wrote to memory of 2760	2860	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	30
PID 2860 wrote to memory of 2760	2860	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	30
PID 2860 wrote to memory of 2728	2860	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	31
PID 2860 wrote to memory of 2728	2860	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	31
PID 2860 wrote to memory of 2728	2860	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	31
PID 2860 wrote to memory of 2728	2860	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	31
PID 2760 wrote to memory of 740	2760	jyebq.exe	34
PID 2760 wrote to memory of 740	2760	jyebq.exe	34
PID 2760 wrote to memory of 740	2760	jyebq.exe	34
PID 2760 wrote to memory of 740	2760	jyebq.exe	34
PID 740 wrote to memory of 292	740	lyecfe.exe	35
PID 740 wrote to memory of 292	740	lyecfe.exe	35
PID 740 wrote to memory of 292	740	lyecfe.exe	35
PID 740 wrote to memory of 292	740	lyecfe.exe	35
PID 740 wrote to memory of 2560	740	lyecfe.exe	36
PID 740 wrote to memory of 2560	740	lyecfe.exe	36
PID 740 wrote to memory of 2560	740	lyecfe.exe	36
PID 740 wrote to memory of 2560	740	lyecfe.exe	36

C:\Users\Admin\AppData\Local\Temp\a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
"C:\Users\Admin\AppData\Local\Temp\a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\jyebq.exe
  "C:\Users\Admin\AppData\Local\Temp\jyebq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\lyecfe.exe
    "C:\Users\Admin\AppData\Local\Temp\lyecfe.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Users\Admin\AppData\Local\Temp\kywoa.exe
      "C:\Users\Admin\AppData\Local\Temp\kywoa.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:292
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
4013db77c4cd6307941364a9b7f8cbd8

SHA1
8a8ca494052ca6bf35eddcbd6689c3c2533776de

SHA256
23bec8f78ca92fee8d180e6583f1e7ab04c52fd19ee32e09fe0fa2e3d808fcbb

SHA512
08651253e50a01097a44041b00cb82a03dc3a9756f8bd6b227127b00c910eff8834eb1802bbcbc7e53aea57fc264c307609be1c5e8692525fabc27950736a554

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
ddea0821a8095d7dabad4099afff5af1

SHA1
32b58c4aa8b4fd3ca2ac5c4af7f7b62f0822740e

SHA256
669cb5be4c2c38a9ca32cf2385dc1403ccf57411127b17fe3b3f241a8d5fe757

SHA512
5c7c99a317de4fef9666f7d896172913813ad6c93927d3cca66a6c2aa6148b4bd5d5baa330055726111efd17f831b6e917ec3cefe8fd56808ca67467ef8d8782

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f2b39742948136de43a5158b34125d5a

SHA1
6d238e4c5c29272aeb212ce03d9237c95a634843

SHA256
2e1ffd338c9f659674127143aa8343c6e3eed6d290a1257c5fb20b0a90758660

SHA512
b754a5143bacb2330da06773ecdeb0318f4c6f85b47c8a4e667356570fd62488ff71c698290c0ac88a2ab39a8c668d029c019b7d85e434bfd02f7490a757a023

Download Submit
\Users\Admin\AppData\Local\Temp\jyebq.exe

Filesize
6.5MB

MD5
93246f1e409dd495a9a1088c54ce2e2e

SHA1
2ca292b7bdb01c194687a1d00a454ad1d788c6ea

SHA256
65ae2f88f3cd614271f568355c19319f879dee5a8d01e7710afbca84a160c89f

SHA512
22ee44405db190c22160faa7c11d90a7f34fd7d0f3f28de862e4de5b50eec6289e631488f1d5cf6512d93fd2bfddedb1f6fa9023e72d173408dc9d9b1b405554

Download Submit
\Users\Admin\AppData\Local\Temp\kywoa.exe

Filesize
459KB

MD5
4cd511bf0281b16373a79ca36f21f9ed

SHA1
7aacaa42c56d537ebd65102912944ded308eff47

SHA256
7ade430c26cc331c3f00e74e310b5a1906e159f68e80f4f4926ce0f7bc888c9b

SHA512
6c0a444cfe0a4b049a19397344b9283b81bf7bfa22fe153a5bd1882bdcd19622463e4bdcf780e726549ba819a0b7d806e411209a0d3e6d3f73d611b80d0a3135

Download Submit
memory/292-176-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/292-164-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/740-154-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/740-162-0x00000000047D0000-0x0000000004969000-memory.dmp

Filesize
1.6MB

Download
memory/740-172-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2760-153-0x0000000004660000-0x000000000514C000-memory.dmp

Filesize
10.9MB

Download
memory/2760-111-0x0000000004660000-0x000000000514C000-memory.dmp

Filesize
10.9MB

Download
memory/2760-113-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2760-115-0x0000000004660000-0x000000000514C000-memory.dmp

Filesize
10.9MB

Download
memory/2760-84-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2760-87-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2760-89-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2760-82-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2860-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2860-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2860-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2860-44-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2860-60-0x0000000003FD0000-0x0000000004ABC000-memory.dmp

Filesize
10.9MB

Download
memory/2860-61-0x0000000003FD0000-0x0000000004ABC000-memory.dmp

Filesize
10.9MB

Download
memory/2860-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2860-63-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2860-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2860-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2860-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2860-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2860-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2860-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2860-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2860-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2860-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2860-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2860-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2860-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2860-28-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2860-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2860-33-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2860-35-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2860-38-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2860-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download