urelas | 12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe
Size

557KB
MD5

8d37a8396842d719500c6a9794081307
SHA1

e477abc5b03e9d8608f732d823fceeb78263e4a3
SHA256

12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82
SHA512

7dadab5806e550848488b9eacf7392b058c2a401e6a8f0e9ac174b07f6bb9e96af4f4ddf5f299beef64da9514cea742cd3b971341b52e5811f4bc362103ac960
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEy4:znPfQp9L3olqF4

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1752	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

peqev.exedoloi.exe

pid	Process
2504	peqev.exe
1212	doloi.exe

Loads dropped DLL 2 IoCs

Processes:

12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exepeqev.exe

pid	Process
2348	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe
2504	peqev.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2348-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x0008000000018d68-4.dat	upx
behavioral1/memory/2348-16-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2504-19-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2504-27-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exepeqev.execmd.exedoloi.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peqev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doloi.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

doloi.exe

pid	Process
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe
1212	doloi.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exepeqev.exe

description	pid	Process	procid_target
PID 2348 wrote to memory of 2504	2348	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe	31
PID 2348 wrote to memory of 2504	2348	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe	31
PID 2348 wrote to memory of 2504	2348	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe	31
PID 2348 wrote to memory of 2504	2348	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe	31
PID 2348 wrote to memory of 1752	2348	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe	32
PID 2348 wrote to memory of 1752	2348	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe	32
PID 2348 wrote to memory of 1752	2348	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe	32
PID 2348 wrote to memory of 1752	2348	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe	32
PID 2504 wrote to memory of 1212	2504	peqev.exe	34
PID 2504 wrote to memory of 1212	2504	peqev.exe	34
PID 2504 wrote to memory of 1212	2504	peqev.exe	34
PID 2504 wrote to memory of 1212	2504	peqev.exe	34

C:\Users\Admin\AppData\Local\Temp\12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe
"C:\Users\Admin\AppData\Local\Temp\12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\peqev.exe
  "C:\Users\Admin\AppData\Local\Temp\peqev.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\doloi.exe
    "C:\Users\Admin\AppData\Local\Temp\doloi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
878fd48f02ed0ec577b997344e95183a

SHA1
6e17a32caf0937778aa99aa7b6bb96a836df8e8e

SHA256
27d2a93379bb24993974d307d7f5ec926e2b1d3635d5116bccbd0c57c95c6500

SHA512
fc312460980cdeb7f9eff89cbc3483ad6ab5df1da851e89e5c80c971db7d46014d943077c4e7342a7367b530858978ba073fd2c262f352fa01a391fe2c5c6a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c6b7928de9cb70e2d7ac5a0ccfe23660

SHA1
3d4a8cdaef71da4e8ac6f3e76c6783a49cf3f0ed

SHA256
9d39e30f4f00e3a42913845579ebb9a575fc1e0d6bc3fbc2b70584318e9f4555

SHA512
f2b51016a6d65bff36de756fa290e5b7a1cbcba423f89e748bc0e0c4f742162ab13c8b61583216b737a07133f4ed037793a3d9bf99be7dc0a4289eb6e7027ded

Download Submit
\Users\Admin\AppData\Local\Temp\doloi.exe

Filesize
194KB

MD5
b3f24a416a4759c535197cc7e8f58ed8

SHA1
982d31b678e9b23ec4121166fa5e75c61ed6d08f

SHA256
80851d549314126a0dfe1054ac3212bb0f9a1909e7c2fa9e29e3adc996129742

SHA512
83e79878fc0a51b76a622118706d650ddc36200161839e84337cab3d82644f6aa99b1caa516184df28d8ae56aaba3e541264348e8a9052731dbe577574306595

Download Submit
\Users\Admin\AppData\Local\Temp\peqev.exe

Filesize
557KB

MD5
a2b04437582f59e577fed2c3b6b7b8ac

SHA1
58df52caa9775d42d0fb5e802515c6988201a3eb

SHA256
bbe5718251941a77634c0a21a7e3ac5af1491cc77af5f151631c95c40f3848a5

SHA512
5f12adc2606ccacdc05f25626b8e333e528fc9b99be66eafc31863be08bbc1cc98ac562605111f8f8c4f32a3b2489a5556ef5347268e5b6382f1f7829eca7d84

Download Submit
memory/1212-30-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1212-34-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1212-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1212-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1212-28-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1212-31-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2348-16-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2348-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2504-27-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2504-25-0x0000000003B20000-0x0000000003BB4000-memory.dmp

Filesize
592KB

Download
memory/2504-19-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download