urelas | 44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c

Analysis

max time kernel
119s
max time network
58s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
Size

660KB
MD5

a6266879bf0a44e874cd31d192bdf5f6
SHA1

9de67ceec7bdf912b1d798fbd19420529e379625
SHA256

44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c
SHA512

d242b534f687127566973a8cb9357ae906d43f3b03b99e6127bb174ef1a1ad98b496a5a1d6cd3d64d294aad62bdbef7bcb6a3fe4ed1eed1d57342d8bd0b85244
SSDEEP

6144:O1xBWeMRygxDLbHxlSBxzJn1REBB6q1gBFJV6AvRqsf6YU+FM+3Yn/fCXjQGDqL+:Ol3MQIDKJzTq+Xxvo0U+d3s/fCX0Y

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2208	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2300	ynybs.exe
2916	lyybk.exe

Loads dropped DLL 2 IoCs

pid	Process
2272	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
2300	ynybs.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2272-0-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/files/0x000800000001941b-4.dat	upx
behavioral1/memory/2300-17-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/2272-18-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/2300-21-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-24.dat	upx
behavioral1/memory/2300-26-0x00000000032C0000-0x000000000337A000-memory.dmp	upx
behavioral1/memory/2916-30-0x0000000001380000-0x000000000143A000-memory.dmp	upx
behavioral1/memory/2300-29-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/2916-31-0x0000000001380000-0x000000000143A000-memory.dmp	upx
behavioral1/memory/2916-32-0x0000000001380000-0x000000000143A000-memory.dmp	upx
behavioral1/memory/2916-33-0x0000000001380000-0x000000000143A000-memory.dmp	upx
behavioral1/memory/2916-34-0x0000000001380000-0x000000000143A000-memory.dmp	upx
behavioral1/memory/2916-35-0x0000000001380000-0x000000000143A000-memory.dmp	upx
behavioral1/memory/2916-36-0x0000000001380000-0x000000000143A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ynybs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lyybk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2272	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
2300	ynybs.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe
2916	lyybk.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2300	2272	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	31
PID 2272 wrote to memory of 2300	2272	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	31
PID 2272 wrote to memory of 2300	2272	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	31
PID 2272 wrote to memory of 2300	2272	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	31
PID 2272 wrote to memory of 2208	2272	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	32
PID 2272 wrote to memory of 2208	2272	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	32
PID 2272 wrote to memory of 2208	2272	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	32
PID 2272 wrote to memory of 2208	2272	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	32
PID 2300 wrote to memory of 2916	2300	ynybs.exe	34
PID 2300 wrote to memory of 2916	2300	ynybs.exe	34
PID 2300 wrote to memory of 2916	2300	ynybs.exe	34
PID 2300 wrote to memory of 2916	2300	ynybs.exe	34

C:\Users\Admin\AppData\Local\Temp\44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
"C:\Users\Admin\AppData\Local\Temp\44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\ynybs.exe
  "C:\Users\Admin\AppData\Local\Temp\ynybs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\lyybk.exe
    "C:\Users\Admin\AppData\Local\Temp\lyybk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
341B

MD5
b23e7f2f3c58c3d21b81b382cba96da4

SHA1
780679cc0d062f165ac6ef06869f105c70675291

SHA256
96d14de4bb9c7ddf259885a0f6d3f22a37c193ed453824e0048d81f5cda23f2d

SHA512
e212967f932797035c0e48efa1d4fb0441304e1f074367ddfd20f2d404224f5729d7fde5feb54076fb1940674c381ed16a89df04bb20d170df2f881b78ec9b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8b197fe91fe3ecd347ad37293ff1d72d

SHA1
a6f6d71324999353dba67daa73d6b6e6fb0fdacb

SHA256
71c0a1df8e2f384b24916a9dedec268a11369a49e98ad5f254efcf1dd0527095

SHA512
0cdf782ebbf29d2fafa43284d770a38fbd834dda7bfb47527ca94ad4e9ea6e66b8643f78a2ee3e120b11fbb40f846b3b6589aa3f81f7b1b722a82fca456e5e35

Download Submit
\Users\Admin\AppData\Local\Temp\lyybk.exe

Filesize
243KB

MD5
f6cb6a87ff5ffe84d7308b6b34273705

SHA1
26eebd299c6afe61ae7bc09aabb92faa7f71a322

SHA256
7ff642c4a2807cb10e80ff01eed4cf1aa42ee6ecfd809f039509b79297ff4bdd

SHA512
bc9d21b7c3b5ebfb703cdc648f767227c2f4f3fd16249d065aae2fe4fbca69cc345229239eec2ff7cac835e9e32bcd518f35cc79464ff4b4205456e6bc99012b

Download Submit
\Users\Admin\AppData\Local\Temp\ynybs.exe

Filesize
660KB

MD5
dcc3a155c25c351cb469fb6dd0d8089a

SHA1
695c5dec02f4bc8e9ce82320692fb690f7e211c0

SHA256
6ad0f764bb086b6603ff06d348230987d1827d6e9c6744546dd0ff9ea33a9018

SHA512
beba4cefae34ed42cb9d39dc2b33dc24951543c77232df7a86a341634267625e0ffc8dd38b522bb6cfdf4301541a6647f1e22c8475f4df55fc76d3442717f5e7

Download Submit
memory/2272-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2272-16-0x0000000002A70000-0x0000000002B15000-memory.dmp

Filesize
660KB

Download
memory/2272-18-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2300-26-0x00000000032C0000-0x000000000337A000-memory.dmp

Filesize
744KB

Download
memory/2300-21-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2300-17-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2300-29-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2916-30-0x0000000001380000-0x000000000143A000-memory.dmp

Filesize
744KB

Download
memory/2916-31-0x0000000001380000-0x000000000143A000-memory.dmp

Filesize
744KB

Download
memory/2916-32-0x0000000001380000-0x000000000143A000-memory.dmp

Filesize
744KB

Download
memory/2916-33-0x0000000001380000-0x000000000143A000-memory.dmp

Filesize
744KB

Download
memory/2916-34-0x0000000001380000-0x000000000143A000-memory.dmp

Filesize
744KB

Download
memory/2916-35-0x0000000001380000-0x000000000143A000-memory.dmp

Filesize
744KB

Download
memory/2916-36-0x0000000001380000-0x000000000143A000-memory.dmp

Filesize
744KB

Download