urelas | a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757e

Analysis

max time kernel
145s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/10/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
Size

6.5MB
MD5

79890be584a693a9115d5daa6f1e02f0
SHA1

d5efa5308b9fa963ec06a83818331db6f2367ad4
SHA256

a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757e
SHA512

f2e06a398f0fe3a35ef2b06967866d9219d4be290b7e0748f078d0fafe04e16f0614d9df6f8f4ed0dd8a0420c11ef71cec703474d71c068fa38eace2efdf4090
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVS8r:i0LrA2kHKQHNk3og9unipQyOaOy

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2276	gicaq.exe
1868	pimiri.exe
372	xufay.exe

Loads dropped DLL 5 IoCs

pid	Process
2908	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
2908	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
2276	gicaq.exe
2276	gicaq.exe
1868	pimiri.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000173f3-160.dat	upx
behavioral1/memory/1868-164-0x00000000048F0000-0x0000000004A89000-memory.dmp	upx
behavioral1/memory/372-166-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/372-178-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gicaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pimiri.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xufay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2908	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
2276	gicaq.exe
1868	pimiri.exe
372	xufay.exe
372	xufay.exe
372	xufay.exe
372	xufay.exe
372	xufay.exe
372	xufay.exe
372	xufay.exe
372	xufay.exe
372	xufay.exe
372	xufay.exe
372	xufay.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2276	2908	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	30
PID 2908 wrote to memory of 2276	2908	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	30
PID 2908 wrote to memory of 2276	2908	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	30
PID 2908 wrote to memory of 2276	2908	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	30
PID 2908 wrote to memory of 2624	2908	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	31
PID 2908 wrote to memory of 2624	2908	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	31
PID 2908 wrote to memory of 2624	2908	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	31
PID 2908 wrote to memory of 2624	2908	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	31
PID 2276 wrote to memory of 1868	2276	gicaq.exe	34
PID 2276 wrote to memory of 1868	2276	gicaq.exe	34
PID 2276 wrote to memory of 1868	2276	gicaq.exe	34
PID 2276 wrote to memory of 1868	2276	gicaq.exe	34
PID 1868 wrote to memory of 372	1868	pimiri.exe	35
PID 1868 wrote to memory of 372	1868	pimiri.exe	35
PID 1868 wrote to memory of 372	1868	pimiri.exe	35
PID 1868 wrote to memory of 372	1868	pimiri.exe	35
PID 1868 wrote to memory of 804	1868	pimiri.exe	36
PID 1868 wrote to memory of 804	1868	pimiri.exe	36
PID 1868 wrote to memory of 804	1868	pimiri.exe	36
PID 1868 wrote to memory of 804	1868	pimiri.exe	36

C:\Users\Admin\AppData\Local\Temp\a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
"C:\Users\Admin\AppData\Local\Temp\a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\gicaq.exe
  "C:\Users\Admin\AppData\Local\Temp\gicaq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\pimiri.exe
    "C:\Users\Admin\AppData\Local\Temp\pimiri.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\xufay.exe
      "C:\Users\Admin\AppData\Local\Temp\xufay.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:372
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
4013db77c4cd6307941364a9b7f8cbd8

SHA1
8a8ca494052ca6bf35eddcbd6689c3c2533776de

SHA256
23bec8f78ca92fee8d180e6583f1e7ab04c52fd19ee32e09fe0fa2e3d808fcbb

SHA512
08651253e50a01097a44041b00cb82a03dc3a9756f8bd6b227127b00c910eff8834eb1802bbcbc7e53aea57fc264c307609be1c5e8692525fabc27950736a554

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
489fbcce6b1d8df41f7669e31f2be5cb

SHA1
3be5177ab2099f96d0fdaf38c5b4292fa677f866

SHA256
b021c806cb5462aab4d20b7fa68f42a7d8c0cee2c03ca483bc451198a439a349

SHA512
01de0b04bf572373d320a75abd64e876b37266ac221940d23b64ec0c82b5978e9647adcdc9097415d9dba0160acc498735edb762a48705fa18253cb16aaec0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0deeebf0ad697e5ee9eb76acd08decd6

SHA1
9a0c286a0086f8e7b9efaef46eb92763a815cbf9

SHA256
72882c00d9926b04ce7e773e0b2deb31bca7cac14c6446cf7031dd95c1cb95b5

SHA512
4b92032e082230a2ec238fead4879a31ba9e2bb2ad3ae70de1df4603225096dc65f0184197273c4ff14b54284838e7f6ee46c9c840855a5ff30c5cd91674ed67

Download Submit
\Users\Admin\AppData\Local\Temp\gicaq.exe

Filesize
6.5MB

MD5
8392e3bc681ff72f29582597063003ca

SHA1
40e9da020ffa788fb82e67ca704d4db3d035a502

SHA256
a3ebd276eed6291dfd833c8b85887b8b22893a8bfb75533ae24e0132b068a8c3

SHA512
836cbd66023fd1a64a834bf53829b32f7049c5d402ec0daf3be4c22c6e4ae9be3565e53f6b193f2a443c3b86a866aa5f6115346400b8a5457b5c2554d1042871

Download Submit
\Users\Admin\AppData\Local\Temp\xufay.exe

Filesize
459KB

MD5
a0fc224441e01e7028c32eaf38cd65aa

SHA1
fba387dff2e368eb0b977df647293d23f271e1c2

SHA256
26454ca293e5f5dc9d8ff5d0309eded83c8e2ca6344e9e15f26a79aca82badd3

SHA512
c3af6935d456771f1f9c140dc4cd301dedd88c0b652479271f896600be15e005da0fa2b79d43c7db5b27fcdaf7386056686f2dc38f1ad722a221541a9207e826

Download Submit
memory/372-178-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/372-166-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1868-174-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1868-164-0x00000000048F0000-0x0000000004A89000-memory.dmp

Filesize
1.6MB

Download
memory/1868-156-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1868-117-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2276-77-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2276-155-0x0000000004260000-0x0000000004D4C000-memory.dmp

Filesize
10.9MB

Download
memory/2276-116-0x0000000004260000-0x0000000004D4C000-memory.dmp

Filesize
10.9MB

Download
memory/2276-115-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2276-79-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2276-82-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2276-84-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2276-87-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2276-89-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2276-104-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2276-103-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2908-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2908-30-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2908-53-0x0000000003D60000-0x000000000484C000-memory.dmp

Filesize
10.9MB

Download
memory/2908-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2908-63-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2908-11-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2908-43-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2908-15-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2908-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2908-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2908-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2908-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2908-13-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2908-54-0x0000000003D60000-0x000000000484C000-memory.dmp

Filesize
10.9MB

Download
memory/2908-20-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2908-18-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2908-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2908-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2908-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2908-23-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2908-25-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2908-28-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2908-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2908-33-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2908-34-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2908-36-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download