urelas | 83e21c657b4b81773ba3783cd925aa3451acd334956b9e0a30dcf9186c218080

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83e21c657b4b81773ba3783cd925aa3451acd334956b9e0a30dcf9186c218080.exe
Size

557KB
MD5

2050e0d2beef8b99c228a4635fecf906
SHA1

a91d4724974124937538e6467b6f03b6c4415d01
SHA256

83e21c657b4b81773ba3783cd925aa3451acd334956b9e0a30dcf9186c218080
SHA512

9876599d9682ed38fd10f4ceca2df1655d8dd947b5122d6705745df547d85cb4a8ebd0403b5e24482ee302f879b0b3b5bf36d339fe805640af23ea69035e9cfd
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyH:znPfQp9L3olqFH

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1788	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1060	cuemg.exe
2816	fixoi.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	83e21c657b4b81773ba3783cd925aa3451acd334956b9e0a30dcf9186c218080.exe
1060	cuemg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2364-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x0008000000018d68-4.dat	upx
behavioral1/memory/1060-9-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2364-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1060-20-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1060-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83e21c657b4b81773ba3783cd925aa3451acd334956b9e0a30dcf9186c218080.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuemg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fixoi.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe
2816	fixoi.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1060	2364	83e21c657b4b81773ba3783cd925aa3451acd334956b9e0a30dcf9186c218080.exe	31
PID 2364 wrote to memory of 1060	2364	83e21c657b4b81773ba3783cd925aa3451acd334956b9e0a30dcf9186c218080.exe	31
PID 2364 wrote to memory of 1060	2364	83e21c657b4b81773ba3783cd925aa3451acd334956b9e0a30dcf9186c218080.exe	31
PID 2364 wrote to memory of 1060	2364	83e21c657b4b81773ba3783cd925aa3451acd334956b9e0a30dcf9186c218080.exe	31
PID 2364 wrote to memory of 1788	2364	83e21c657b4b81773ba3783cd925aa3451acd334956b9e0a30dcf9186c218080.exe	32
PID 2364 wrote to memory of 1788	2364	83e21c657b4b81773ba3783cd925aa3451acd334956b9e0a30dcf9186c218080.exe	32
PID 2364 wrote to memory of 1788	2364	83e21c657b4b81773ba3783cd925aa3451acd334956b9e0a30dcf9186c218080.exe	32
PID 2364 wrote to memory of 1788	2364	83e21c657b4b81773ba3783cd925aa3451acd334956b9e0a30dcf9186c218080.exe	32
PID 1060 wrote to memory of 2816	1060	cuemg.exe	34
PID 1060 wrote to memory of 2816	1060	cuemg.exe	34
PID 1060 wrote to memory of 2816	1060	cuemg.exe	34
PID 1060 wrote to memory of 2816	1060	cuemg.exe	34

C:\Users\Admin\AppData\Local\Temp\83e21c657b4b81773ba3783cd925aa3451acd334956b9e0a30dcf9186c218080.exe
"C:\Users\Admin\AppData\Local\Temp\83e21c657b4b81773ba3783cd925aa3451acd334956b9e0a30dcf9186c218080.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\cuemg.exe
  "C:\Users\Admin\AppData\Local\Temp\cuemg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\fixoi.exe
    "C:\Users\Admin\AppData\Local\Temp\fixoi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
6bafa10fdc80f8ecadecf51f5d45d2b9

SHA1
ece737d58d1b452876a1b61618f56adf0b10732f

SHA256
3bffd44b2d1df3ee50aed370a52ada4204d527b48423231178367cb9d96188bb

SHA512
498c70ec60b77c1848278685ea3294094f6a313ca6c519eeb3941324c8dfd3966607ae331a7be8571e48e6962c1d45c89939a7bab383eaba2e9eb5677ab39323

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8f2d1b73f84fbcea7432c01e84470494

SHA1
002c3d234a0c6b49435e17d46d8609b89f00cba2

SHA256
6a0d65747b18f46d8fb9693213a329fbabcf37b617cf4166e2eb9f4716f049b1

SHA512
792ed6f306f78d79169a9bcc39285217dac9854dfc3e09c251eab1444aa7bf01d879bde4f7ec5f2b0f1c5b705bb1d7fe0a200f474b3feb609b45720919e5a3fe

Download Submit
\Users\Admin\AppData\Local\Temp\cuemg.exe

Filesize
557KB

MD5
f07983687d5c210744cafa87d43c8730

SHA1
ec2688839947b0bd4b9a110fd14cb13cb5265baf

SHA256
c6ff2315bf14898d8bcd5381ffad7b27b91d4523b9e89943a883949fa28ad5bc

SHA512
c834f086b6913017f66fdf4a8a32b8ea0a3a29eb55e2142ae48a2f76877a26288a84db1b995a2a271c2e8fff3e56fb3349b93e69de12dbe898c98722131ce8c1

Download Submit
\Users\Admin\AppData\Local\Temp\fixoi.exe

Filesize
194KB

MD5
7f3a1b31f517124efd99b5d16bc62c74

SHA1
61910664d5bd89d16b8bbab4666d303b5312a857

SHA256
1eb5ea41cde3c65bcd3b1612ac4adeece9b453608806e36c387396f08f2b8fd7

SHA512
319aa86667735d105d716a3115905c44ab7948fcf15661680d3e96f1212386db82179ae6d6c193fb0c4095538fe957b7c46604779be8e91967efa7b3c644a7da

Download Submit
memory/1060-25-0x0000000003170000-0x0000000003204000-memory.dmp

Filesize
592KB

Download
memory/1060-9-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1060-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1060-20-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2364-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2364-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2816-29-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2816-31-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2816-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2816-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2816-34-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2816-35-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download