urelas | cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6b

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe
Size

513KB
MD5

ae2d2d119ec1eeb560351d63f29686a0
SHA1

300bb668d1e576c9afa7526b215c1ec8289f0f48
SHA256

cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6b
SHA512

1434765eb802c8b48c131a0193bdee4d18f7f3fb64843b0095e1c529fa3d0a76bbba8e2d8b5008cd33c82d16b0c9e30fcaf6cdac88b346a735f1088507925e08
SSDEEP

6144:uqXAoQT5Tr9R0HN/3w36EnCYLTczsMr0jnE/QhyjxJBErrZAWkPW5oeNtLjsOidS:BQRI/3w36EnCYckE/iydJai/WZt3

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2872	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2736	riveq.exe
2940	cuofa.exe

Loads dropped DLL 2 IoCs

pid	Process
2812	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe
2736	riveq.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2736-27-0x0000000002B00000-0x0000000002BB6000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-28.dat	upx
behavioral1/memory/2940-29-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2940-32-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2940-33-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2940-34-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2940-35-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2940-36-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2940-37-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	riveq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuofa.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe
2940	cuofa.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2736	2812	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	30
PID 2812 wrote to memory of 2736	2812	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	30
PID 2812 wrote to memory of 2736	2812	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	30
PID 2812 wrote to memory of 2736	2812	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	30
PID 2812 wrote to memory of 2872	2812	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	31
PID 2812 wrote to memory of 2872	2812	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	31
PID 2812 wrote to memory of 2872	2812	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	31
PID 2812 wrote to memory of 2872	2812	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	31
PID 2736 wrote to memory of 2940	2736	riveq.exe	34
PID 2736 wrote to memory of 2940	2736	riveq.exe	34
PID 2736 wrote to memory of 2940	2736	riveq.exe	34
PID 2736 wrote to memory of 2940	2736	riveq.exe	34

C:\Users\Admin\AppData\Local\Temp\cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe
"C:\Users\Admin\AppData\Local\Temp\cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\riveq.exe
  "C:\Users\Admin\AppData\Local\Temp\riveq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\cuofa.exe
    "C:\Users\Admin\AppData\Local\Temp\cuofa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
97fd8da4f233438ece45b12adab2f24e

SHA1
1b43e532e19cf207d167f13f7584e0756f6cd6f6

SHA256
36003db861c347b93225fc5b0c564db2511bcdd2658f6fdcdc40dacc7a640db7

SHA512
6a3f7a63b59e9e82ace17e6e5c96b945db6910dcb455715aebd867904d7e7ce1e6f18a3e34a5b82c6dbb193b2794528fabf54cf035f8f189049301486029b5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuofa.exe

Filesize
209KB

MD5
6be890a3a1ef48f9252ced6b8bd4020d

SHA1
516e02cc57f0b9feb1c9d587410d336f445bba2a

SHA256
7cf60cf1ce29a14799f527db28aa3a1197869534eea43b0924220931aeade0cd

SHA512
8fbb3c007c88855ac4a5d90265d042ff0e8d1ec383f8ee3f0a8570438d81350b36ebcafa81e5cef3b4b9d60e84955ef23b47074e5f224c0eb290c226c68c35f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9c2ce71352978ab21e323dd2b8e7c6f1

SHA1
2ac1beecaa16876f45df0fe2505702fb02571c36

SHA256
a6f8907dc06255abf05dba008975269c91cb561cb258f286a1ec8e0b7999f8c1

SHA512
954898c263a3f3b52f309813cac35f896b455e629a7614484113a0cef1ce9ba4f762fc57699795a95e8c9c13ab2dedaf00432543687a587b1a35193d05788c0c

Download Submit
\Users\Admin\AppData\Local\Temp\riveq.exe

Filesize
513KB

MD5
d0c189feffe17789d6d3faa19ddecd7c

SHA1
8e7c3b84aa3e2fd88323a90e8dec8e7176514a73

SHA256
59931817890cdd10aa7818802789d4cae23e56c790273f4a474352b1e8376db8

SHA512
ef98cc8518e4df1a52a98b6ee653393c36fe4b1a3007b65ddeec2f71bfcebbb492b580fbe95e69c316827ba610e96317f5a09f890cf2b2929a7aa08ec3bd5e9b

Download Submit
memory/2736-27-0x0000000002B00000-0x0000000002BB6000-memory.dmp

Filesize
728KB

Download
memory/2736-10-0x0000000000010000-0x0000000000097000-memory.dmp

Filesize
540KB

Download
memory/2736-30-0x0000000000010000-0x0000000000097000-memory.dmp

Filesize
540KB

Download
memory/2736-21-0x0000000000010000-0x0000000000097000-memory.dmp

Filesize
540KB

Download
memory/2812-8-0x0000000002BA0000-0x0000000002C27000-memory.dmp

Filesize
540KB

Download
memory/2812-18-0x00000000002B0000-0x0000000000337000-memory.dmp

Filesize
540KB

Download
memory/2812-0-0x00000000002B0000-0x0000000000337000-memory.dmp

Filesize
540KB

Download
memory/2940-29-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2940-32-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2940-33-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2940-34-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2940-35-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2940-36-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2940-37-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download