urelas | 7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
Size

6.5MB
MD5

5a0997fb887c620d2815135e9a8f9e00
SHA1

b60b295c2ee512364978eb9d0dad3de46ab91a80
SHA256

7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47
SHA512

99eaa2bd1e12fa9f07458930e59b66fa5e9370983df605189c6b2dc147a2389c0bf668bed010512b432f705635fa071359dbd6ae499ee7653e2649a100b70b68
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSq:i0LrA2kHKQHNk3og9unipQyOaOq

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2812	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

ezyph.exegeuscu.exeacxoz.exe

pid	Process
2716	ezyph.exe
2604	geuscu.exe
1756	acxoz.exe

Loads dropped DLL 5 IoCs

Processes:

7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exeezyph.exegeuscu.exe

pid	Process
2252	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
2252	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
2716	ezyph.exe
2716	ezyph.exe
2604	geuscu.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000800000001926b-158.dat	upx
behavioral1/memory/1756-164-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1756-175-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ezyph.execmd.exegeuscu.exeacxoz.execmd.exe7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ezyph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geuscu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acxoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exeezyph.exegeuscu.exeacxoz.exe

pid	Process
2252	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
2716	ezyph.exe
2604	geuscu.exe
1756	acxoz.exe
1756	acxoz.exe
1756	acxoz.exe
1756	acxoz.exe
1756	acxoz.exe
1756	acxoz.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exeezyph.exegeuscu.exe

description	pid	Process	procid_target
PID 2252 wrote to memory of 2716	2252	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	30
PID 2252 wrote to memory of 2716	2252	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	30
PID 2252 wrote to memory of 2716	2252	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	30
PID 2252 wrote to memory of 2716	2252	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	30
PID 2252 wrote to memory of 2812	2252	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	31
PID 2252 wrote to memory of 2812	2252	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	31
PID 2252 wrote to memory of 2812	2252	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	31
PID 2252 wrote to memory of 2812	2252	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	31
PID 2716 wrote to memory of 2604	2716	ezyph.exe	33
PID 2716 wrote to memory of 2604	2716	ezyph.exe	33
PID 2716 wrote to memory of 2604	2716	ezyph.exe	33
PID 2716 wrote to memory of 2604	2716	ezyph.exe	33
PID 2604 wrote to memory of 1756	2604	geuscu.exe	35
PID 2604 wrote to memory of 1756	2604	geuscu.exe	35
PID 2604 wrote to memory of 1756	2604	geuscu.exe	35
PID 2604 wrote to memory of 1756	2604	geuscu.exe	35
PID 2604 wrote to memory of 1532	2604	geuscu.exe	36
PID 2604 wrote to memory of 1532	2604	geuscu.exe	36
PID 2604 wrote to memory of 1532	2604	geuscu.exe	36
PID 2604 wrote to memory of 1532	2604	geuscu.exe	36

C:\Users\Admin\AppData\Local\Temp\7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
"C:\Users\Admin\AppData\Local\Temp\7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\ezyph.exe
  "C:\Users\Admin\AppData\Local\Temp\ezyph.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\geuscu.exe
    "C:\Users\Admin\AppData\Local\Temp\geuscu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\acxoz.exe
      "C:\Users\Admin\AppData\Local\Temp\acxoz.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
cb5f4980985301c0b476c0eb83f376a9

SHA1
9d1ad4da66e053e26e9e286a87fe1663b6646c0a

SHA256
899f0c6961652c0f539bfa42ccb5994d609f832098c53461923be4e82ea4760c

SHA512
82f47b5dab87f040faaabcfcfa17c986ffb70d198153cc54e0a8fff4fe2ae6a68cd18c108b73a79f06f8c46b484d5a4504302127a8427d9f97535ba056c371cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
aefef7aa7f0199676941b34c9df61960

SHA1
434c6975ecf2b18e57feb8c0d8b5e77cb744b8ea

SHA256
1da8dec5db869ff91420ce9c81579acbae649d5954905f91fb8987b0ff09eb79

SHA512
811b8508670f8680449aa1d13f1b7db5faeaf67cc228f34afa3f765df9582491b36a5df29518eff1290d616b1daddf41672aa57dd884831cda5a16a092ae2826

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezyph.exe

Filesize
6.5MB

MD5
8ca42c79ffad725f8b247c2b684ecff5

SHA1
e931b35c59a369d7f74b3bcf7b3a2ac13b41e922

SHA256
6f0b8bceff554171eefaf479a11f346a99ae403d1e156912c2f4560595040169

SHA512
33feef0b2adcfd84a06949262aeec653f63912fcf2a3dff20369bd964a3791e8f6feacf6350fb92d779b58c8e2406016ec2b4abc82d2e208933be740b4331ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
aec53fdedb902680b6206f39f900c1d2

SHA1
23eaa3bf84c9bfa6830b3889a0d868e36a03480b

SHA256
31e009b401d2e278e14bdf02a160f3da1750e0cab7544d0ea871fba91da2b3f7

SHA512
5e8ec4e38186405761b6594e19ca55bae22acb5d7ac3c80cfbf7af5944f54f8f621ac0ed763f5b65d64265a3e7e265e2a932626dc9d58d3b173b67a766fbc4db

Download Submit
\Users\Admin\AppData\Local\Temp\acxoz.exe

Filesize
459KB

MD5
bccd3dc3f93f985b614424460afd03e3

SHA1
3141fcf6d2886c0264a2df97a4332a1ed33a8c63

SHA256
346ed3e670b405bf18bb32a61b52da54d83e953eadf66845f6d96a7282bbeaf0

SHA512
8e7618cf75166c8f37109b2cadaef2a86459b6736d4afe295ae38962b0f782113987618bce927bf330f891ec59427edd751e90fa1d5fa80968b8617c07c43f37

Download Submit
memory/1756-175-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1756-164-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2252-53-0x0000000003FC0000-0x0000000004AAC000-memory.dmp

Filesize
10.9MB

Download
memory/2252-79-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2252-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2252-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2252-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2252-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2252-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2252-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2252-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2252-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2252-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2252-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2252-43-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2252-20-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2252-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2252-23-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2252-61-0x0000000003FC0000-0x0000000004AAC000-memory.dmp

Filesize
10.9MB

Download
memory/2252-37-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2252-63-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2252-25-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2252-35-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2252-33-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2252-30-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2252-28-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2252-18-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2604-154-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2604-163-0x00000000047A0000-0x0000000004939000-memory.dmp

Filesize
1.6MB

Download
memory/2604-173-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2716-82-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2716-116-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2716-114-0x00000000042A0000-0x0000000004D8C000-memory.dmp

Filesize
10.9MB

Download
memory/2716-104-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2716-84-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2716-87-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2716-89-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2716-60-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download