urelas | f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
Size

6.5MB
MD5

897f9c7d871aa6cfee73a8a226b2ce00
SHA1

71a7b5a797d80cc76fb7dbc0d209eacb290ccc0b
SHA256

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e
SHA512

d668d0a14399ff53680d138ba041e6fff2cf36241588d42aedeecab3095f575d6579b6878224975f9b0c0f68508bb466a2efdf2ff5bd4924db9982e610f7d070
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSo:i0LrA2kHKQHNk3og9unipQyOaOo

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2416	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2764	muguw.exe
556	vymidi.exe
1320	uqpik.exe

Loads dropped DLL 5 IoCs

pid	Process
2012	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
2012	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
2764	muguw.exe
2764	muguw.exe
556	vymidi.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000018696-155.dat	upx
behavioral1/memory/1320-161-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/556-159-0x0000000004830000-0x00000000049C9000-memory.dmp	upx
behavioral1/memory/1320-173-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vymidi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uqpik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muguw.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2012	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
2764	muguw.exe
556	vymidi.exe
1320	uqpik.exe
1320	uqpik.exe
1320	uqpik.exe
1320	uqpik.exe
1320	uqpik.exe
1320	uqpik.exe
1320	uqpik.exe
1320	uqpik.exe
1320	uqpik.exe
1320	uqpik.exe
1320	uqpik.exe
1320	uqpik.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2764	2012	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	31
PID 2012 wrote to memory of 2764	2012	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	31
PID 2012 wrote to memory of 2764	2012	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	31
PID 2012 wrote to memory of 2764	2012	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	31
PID 2012 wrote to memory of 2416	2012	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	32
PID 2012 wrote to memory of 2416	2012	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	32
PID 2012 wrote to memory of 2416	2012	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	32
PID 2012 wrote to memory of 2416	2012	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	32
PID 2764 wrote to memory of 556	2764	muguw.exe	34
PID 2764 wrote to memory of 556	2764	muguw.exe	34
PID 2764 wrote to memory of 556	2764	muguw.exe	34
PID 2764 wrote to memory of 556	2764	muguw.exe	34
PID 556 wrote to memory of 1320	556	vymidi.exe	35
PID 556 wrote to memory of 1320	556	vymidi.exe	35
PID 556 wrote to memory of 1320	556	vymidi.exe	35
PID 556 wrote to memory of 1320	556	vymidi.exe	35
PID 556 wrote to memory of 904	556	vymidi.exe	36
PID 556 wrote to memory of 904	556	vymidi.exe	36
PID 556 wrote to memory of 904	556	vymidi.exe	36
PID 556 wrote to memory of 904	556	vymidi.exe	36

C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
"C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\muguw.exe
  "C:\Users\Admin\AppData\Local\Temp\muguw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\vymidi.exe
    "C:\Users\Admin\AppData\Local\Temp\vymidi.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Users\Admin\AppData\Local\Temp\uqpik.exe
      "C:\Users\Admin\AppData\Local\Temp\uqpik.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
42071b4999964ac7ea4dbb20bb222108

SHA1
cd8e664ffc1e9f93e95f718a5665198b3d9fe8b3

SHA256
f7a72cc9635629405fa8eebc4df07ee04fc876886a0603f0ec11854b0489470a

SHA512
02e2e63a4143dd7ee2888e75cea4ff1df9dba4d90e5023e9b7c6f2e59725a54afcac3af329d246d0c955052d18afef1b6591fddc5930493949b08be5bad654e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
99c774238dde8dcabbcbd9218b3186a0

SHA1
db3cc894f3457dd2a28d2bf15c63159c4c8b634e

SHA256
cbe3415c7e081687de8473980ee98e6271e9b9fc9a07c91d1ea3858ba29b270e

SHA512
6863c40cd29af1e5074269dbd77e493ebc527a4e065166a55abeee892cbf121cf22cbda37f5cf3f92e4bcf1a86b82db95f0312f51f1e69482570b9b212bd6430

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d4d72072a4459bd23dc157e9b34d9308

SHA1
051a612da8800b8950d31e7e9dead80661bc4221

SHA256
96cb9ba56f79dc03526c47587e3095e276a6a748c203d6b998194b83cb13b488

SHA512
d13b9ef5a7ef0a4b4efcb0c5e93ad34a11e8a9441c79680b0f744a22a120cb54c199e17b352c6eaa3c0beae9fe59b5b401d625fa6b79aeff7ed7b11d3d6fddf4

Download Submit
\Users\Admin\AppData\Local\Temp\muguw.exe

Filesize
6.5MB

MD5
a0e84ab1801d7a0920a35da12e3abc88

SHA1
22c08f978e2449ee84c3bca25ddad5feeb36cae0

SHA256
51d71a3417a83f858aad42d3d3fce612e8fcec25e95564a63858620a77a92b2a

SHA512
568d4f0cfc98550dd48b4b618a06cb93b76e8ac5353bb7f69678400d6012721d2f10d51d08100a0440dae5c17327e744ba4f8779264213b51ad348f5b8eddd51

Download Submit
\Users\Admin\AppData\Local\Temp\uqpik.exe

Filesize
459KB

MD5
f6a0f494683a9120917957390f99d593

SHA1
2aff38f093b37ab29f8d0149ca8a723c7912d9ad

SHA256
ed564f706daa3f2d111df4e22cfb5a03138cd44150e556cc655c4c582cb8947b

SHA512
0fae46b06c539536b9423346a89376c3ed7fad04000922d5a1df97b7ad6ce269a8ae5736c6f9799cb4e5f66733417d52fd979b8f80239e3f53635df7223f524d

Download Submit
memory/556-169-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/556-159-0x0000000004830000-0x00000000049C9000-memory.dmp

Filesize
1.6MB

Download
memory/556-151-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1320-173-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1320-161-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2012-60-0x0000000004020000-0x0000000004B0C000-memory.dmp

Filesize
10.9MB

Download
memory/2012-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2012-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2012-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2012-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2012-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2012-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2012-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2012-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2012-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2012-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2012-51-0x0000000004020000-0x0000000004B0C000-memory.dmp

Filesize
10.9MB

Download
memory/2012-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2012-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2012-62-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2012-61-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2012-36-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2012-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2012-35-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2012-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2012-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2012-33-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2012-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2012-28-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2012-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2764-73-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2764-76-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2764-113-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2764-111-0x0000000004440000-0x0000000004F2C000-memory.dmp

Filesize
10.9MB

Download
memory/2764-78-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2764-81-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2764-83-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2764-86-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2764-88-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2764-71-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2764-66-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2764-68-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download