urelas | 511677b39d2ff65ba9ed5a6e3f40cc92966a43cb91c7ccc48593fab2521c8e48

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

511677b39d2ff65ba9ed5a6e3f40cc92966a43cb91c7ccc48593fab2521c8e48.exe
Size

767KB
MD5

10d26efc25912c1a8778c55bca3e52d3
SHA1

3d37d07d76ac65d1b741f988cd054e39f13b1299
SHA256

511677b39d2ff65ba9ed5a6e3f40cc92966a43cb91c7ccc48593fab2521c8e48
SHA512

b890cd6f0c3c601328da33f1bbb2b5ff6ce46ac44b48edbb97666c6787ea15f6647475e88b3806a37def059cb452d2023dc0c7c2ebd1d8e4bf5c39f8c9b1f51d
SSDEEP

12288:Al+ZmuQEpbjNpTa9nzuRbBUHUpRAwHPf4us8v1TCo31rvMO8qgsgVIoSUhibNqzw:5jpUqBUKQubvx3FvM5qehib+f3NBmnbT

Score

10^/10

urelas discovery trojan upx

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2588	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2468	fylel.exe
3036	gefom.exe

Loads dropped DLL 2 IoCs

pid	Process
2520	511677b39d2ff65ba9ed5a6e3f40cc92966a43cb91c7ccc48593fab2521c8e48.exe
2468	fylel.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2520-0-0x0000000000400000-0x0000000000614000-memory.dmp	upx
behavioral1/files/0x0009000000016af7-4.dat	upx
behavioral1/memory/2468-10-0x0000000000400000-0x0000000000614000-memory.dmp	upx
behavioral1/memory/2520-18-0x0000000000400000-0x0000000000614000-memory.dmp	upx
behavioral1/memory/2468-21-0x0000000000400000-0x0000000000614000-memory.dmp	upx
behavioral1/memory/2468-34-0x00000000030A0000-0x0000000003134000-memory.dmp	upx
behavioral1/memory/2468-42-0x0000000000400000-0x0000000000614000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	511677b39d2ff65ba9ed5a6e3f40cc92966a43cb91c7ccc48593fab2521c8e48.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fylel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gefom.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe
3036	gefom.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3036	gefom.exe
Token: SeIncBasePriorityPrivilege	3036	gefom.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2468	2520	511677b39d2ff65ba9ed5a6e3f40cc92966a43cb91c7ccc48593fab2521c8e48.exe	30
PID 2520 wrote to memory of 2468	2520	511677b39d2ff65ba9ed5a6e3f40cc92966a43cb91c7ccc48593fab2521c8e48.exe	30
PID 2520 wrote to memory of 2468	2520	511677b39d2ff65ba9ed5a6e3f40cc92966a43cb91c7ccc48593fab2521c8e48.exe	30
PID 2520 wrote to memory of 2468	2520	511677b39d2ff65ba9ed5a6e3f40cc92966a43cb91c7ccc48593fab2521c8e48.exe	30
PID 2520 wrote to memory of 2588	2520	511677b39d2ff65ba9ed5a6e3f40cc92966a43cb91c7ccc48593fab2521c8e48.exe	31
PID 2520 wrote to memory of 2588	2520	511677b39d2ff65ba9ed5a6e3f40cc92966a43cb91c7ccc48593fab2521c8e48.exe	31
PID 2520 wrote to memory of 2588	2520	511677b39d2ff65ba9ed5a6e3f40cc92966a43cb91c7ccc48593fab2521c8e48.exe	31
PID 2520 wrote to memory of 2588	2520	511677b39d2ff65ba9ed5a6e3f40cc92966a43cb91c7ccc48593fab2521c8e48.exe	31
PID 2468 wrote to memory of 3036	2468	fylel.exe	34
PID 2468 wrote to memory of 3036	2468	fylel.exe	34
PID 2468 wrote to memory of 3036	2468	fylel.exe	34
PID 2468 wrote to memory of 3036	2468	fylel.exe	34

C:\Users\Admin\AppData\Local\Temp\511677b39d2ff65ba9ed5a6e3f40cc92966a43cb91c7ccc48593fab2521c8e48.exe
"C:\Users\Admin\AppData\Local\Temp\511677b39d2ff65ba9ed5a6e3f40cc92966a43cb91c7ccc48593fab2521c8e48.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\fylel.exe
  "C:\Users\Admin\AppData\Local\Temp\fylel.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\gefom.exe
    "C:\Users\Admin\AppData\Local\Temp\gefom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
7e8faf121ebd060bfbfd41c74053e865

SHA1
e3efc982b1b4d1c8aebb6bb5cb5d98a56566766b

SHA256
79280697856d004e520af0e6111062354406eab4d673aaf4694a610080e45418

SHA512
2a8fa6cdc6046e296e29b82c69af06b0b3021edb662f74a6e42301a8defbef54b3b8e0b51cc748abdd0ea7a944cb911b270bd45d8f411cafc78f36468aa3872f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
013a9254955d3ed5ed4b5da0905f8fda

SHA1
f1e38de160a3e1ce9b5f7b4c96e5a9f31cc9bbbd

SHA256
6927476700a4757a042ff69db633c01182c94ab5d9205b41d0696cf5a5438559

SHA512
486c1aa3aebf4ab874aa826579870ba3a40381f8748c4ebbfd98f825c78f68ec534ca31bc5c076891235f4aee746bec1e01daa33b09ec98393dd8ece0d025202

Download Submit
\Users\Admin\AppData\Local\Temp\fylel.exe

Filesize
767KB

MD5
a369d3aa96772e499434aeb219458755

SHA1
2400757ff88b2fec51f9923657d8064068155b20

SHA256
89b4f706f77fbb5d0749a1a856d3c967e534cd11a4243ec68e0c1f5492aca257

SHA512
b7f03ebbc6ee55d1bcbe0490d40ca91238a82f355cf83227eaf0656c20acf67d4eddb1185e4f3971cdbe782773be4bfd7c78814785533944f8e18777547b6b2c

Download Submit
\Users\Admin\AppData\Local\Temp\gefom.exe

Filesize
301KB

MD5
e80269f27a1729edce0c386804fd4b67

SHA1
3383173626ad97dfbc4d39389604f48537bba9a7

SHA256
53a30472e1d9be9b44eb99065286ca4ef3182462e96e4a4d031e99bf4ad246d7

SHA512
8e38e85a29920e14ca03b768075fc4fa04914f7b284f2000b2c5c3160c2f7a2325d0297cb4c820b62fb47a897605ff8e00243a4f06811a39b629d96c9caa6478

Download Submit
memory/2468-10-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/2468-42-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/2468-34-0x00000000030A0000-0x0000000003134000-memory.dmp

Filesize
592KB

Download
memory/2468-21-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/2520-9-0x0000000002C90000-0x0000000002EA4000-memory.dmp

Filesize
2.1MB

Download
memory/2520-18-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/2520-0-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/3036-40-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download
memory/3036-37-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download
memory/3036-44-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download
memory/3036-45-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download
memory/3036-46-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download
memory/3036-47-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download
memory/3036-48-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download