urelas | cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe
Size

555KB
MD5

49578e06b681e1ad56ca5fd417aef0fb
SHA1

e6cbb060c5ab504f2ec3f2cc2f621eaed907727d
SHA256

cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52
SHA512

75f26a3d205875d322337b5398b8627e77690d8c52f8db73e4391b846d0101f8a1fc4569d3d7ba0b209d7d8af1a2c730dc59f0f4f0115da1ed7460e879907471
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyY:znPfQp9L3olqFY

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2168	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2796	rysok.exe
2800	isxom.exe

Loads dropped DLL 2 IoCs

pid	Process
2160	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe
2796	rysok.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2160-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x002e0000000160e7-8.dat	upx
behavioral1/memory/2160-9-0x0000000002AC0000-0x0000000002B76000-memory.dmp	upx
behavioral1/memory/2160-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2796-20-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2796-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isxom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rysok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe
2800	isxom.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2796	2160	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	30
PID 2160 wrote to memory of 2796	2160	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	30
PID 2160 wrote to memory of 2796	2160	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	30
PID 2160 wrote to memory of 2796	2160	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	30
PID 2160 wrote to memory of 2168	2160	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	31
PID 2160 wrote to memory of 2168	2160	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	31
PID 2160 wrote to memory of 2168	2160	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	31
PID 2160 wrote to memory of 2168	2160	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	31
PID 2796 wrote to memory of 2800	2796	rysok.exe	34
PID 2796 wrote to memory of 2800	2796	rysok.exe	34
PID 2796 wrote to memory of 2800	2796	rysok.exe	34
PID 2796 wrote to memory of 2800	2796	rysok.exe	34

C:\Users\Admin\AppData\Local\Temp\cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe
"C:\Users\Admin\AppData\Local\Temp\cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\rysok.exe
  "C:\Users\Admin\AppData\Local\Temp\rysok.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\isxom.exe
    "C:\Users\Admin\AppData\Local\Temp\isxom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
16f866800d1bce0d461c4bf1d5cc826c

SHA1
dbdd17e36e972d424cd619b2deca408138b4a533

SHA256
f5422ceeba01071192926f939989bfd89156fcaa4cf7f586897de881ee34b1c8

SHA512
5dd2deb742a6250871301e90321cac04eba0fbc8e009bd506712159646a00e327f97efc2c2c3461ca2d325e151e0af7a4f739f22613705eb889faeb8b5b7acfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a947a71b9986a410429bc6893759f4bb

SHA1
cf663733652a074ccc8cbbde85b1f3508272e0d9

SHA256
6a82e67e444af12bc905d89fca84669ff4397488ee3cf2dd3688f5a57aea473d

SHA512
e33ac8ca6a0032d327b2f2d99ff8009fdaca5d605d58f355bdec93139cd08980c9bea7c438f2001659de052025bcd96580fb855eedb873903ca99cd80ce726ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\rysok.exe

Filesize
555KB

MD5
442dbc757224dbff47d5318ec213e1c8

SHA1
3915e3b30a772b2fb1e3cf93ac3d33b3e20d6c81

SHA256
9223a9569691ac112e9358e4801e34a1be6a655219edbddfa3f6bf2d4376d0b0

SHA512
00ac5c796ac75f9818f1eb04d0475159a5cfae251489162de9810eab42ebeaf21a255b970bd3c11aef9e691b52a0829846d60b763f9ea63f20c11b83991e53d5

Download Submit
\Users\Admin\AppData\Local\Temp\isxom.exe

Filesize
194KB

MD5
db1c324a497f04e91b2aac04fe4eff68

SHA1
f384d8fb812ba094954012574727434a73c495f4

SHA256
80a9a05a4967af36010f1ac1a8bc3623b740118f45b1b227442970ebe0ce097a

SHA512
f35ae5f69911cbc74d9fad5f2ac85214ff9156f6bd061f4460d8d95ccf71f96a26104dcf7d6fd02bc89a1d09230c4f54745ed6070642b8d4075d6f32b619f41b

Download Submit
memory/2160-9-0x0000000002AC0000-0x0000000002B76000-memory.dmp

Filesize
728KB

Download
memory/2160-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2160-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2796-25-0x0000000002E10000-0x0000000002EA4000-memory.dmp

Filesize
592KB

Download
memory/2796-20-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2796-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2800-29-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2800-31-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2800-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2800-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2800-34-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2800-35-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download