urelas | 44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
Size

660KB
MD5

a6266879bf0a44e874cd31d192bdf5f6
SHA1

9de67ceec7bdf912b1d798fbd19420529e379625
SHA256

44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c
SHA512

d242b534f687127566973a8cb9357ae906d43f3b03b99e6127bb174ef1a1ad98b496a5a1d6cd3d64d294aad62bdbef7bcb6a3fe4ed1eed1d57342d8bd0b85244
SSDEEP

6144:O1xBWeMRygxDLbHxlSBxzJn1REBB6q1gBFJV6AvRqsf6YU+FM+3Yn/fCXjQGDqL+:Ol3MQIDKJzTq+Xxvo0U+d3s/fCX0Y

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2760	siqox.exe
772	letyf.exe

Loads dropped DLL 2 IoCs

pid	Process
2872	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
2760	siqox.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2872-0-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/files/0x0012000000016d52-4.dat	upx
behavioral1/memory/2760-10-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/2872-18-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/2760-21-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/files/0x0009000000016d64-24.dat	upx
behavioral1/memory/2760-29-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/772-30-0x00000000002A0000-0x000000000035A000-memory.dmp	upx
behavioral1/memory/772-31-0x00000000002A0000-0x000000000035A000-memory.dmp	upx
behavioral1/memory/772-32-0x00000000002A0000-0x000000000035A000-memory.dmp	upx
behavioral1/memory/772-33-0x00000000002A0000-0x000000000035A000-memory.dmp	upx
behavioral1/memory/772-34-0x00000000002A0000-0x000000000035A000-memory.dmp	upx
behavioral1/memory/772-35-0x00000000002A0000-0x000000000035A000-memory.dmp	upx
behavioral1/memory/772-36-0x00000000002A0000-0x000000000035A000-memory.dmp	upx
behavioral1/memory/772-37-0x00000000002A0000-0x000000000035A000-memory.dmp	upx
behavioral1/memory/772-38-0x00000000002A0000-0x000000000035A000-memory.dmp	upx
behavioral1/memory/772-39-0x00000000002A0000-0x000000000035A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	siqox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letyf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2872	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
2760	siqox.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe
772	letyf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2760	2872	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	30
PID 2872 wrote to memory of 2760	2872	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	30
PID 2872 wrote to memory of 2760	2872	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	30
PID 2872 wrote to memory of 2760	2872	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	30
PID 2872 wrote to memory of 2796	2872	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	31
PID 2872 wrote to memory of 2796	2872	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	31
PID 2872 wrote to memory of 2796	2872	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	31
PID 2872 wrote to memory of 2796	2872	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	31
PID 2760 wrote to memory of 772	2760	siqox.exe	33
PID 2760 wrote to memory of 772	2760	siqox.exe	33
PID 2760 wrote to memory of 772	2760	siqox.exe	33
PID 2760 wrote to memory of 772	2760	siqox.exe	33

C:\Users\Admin\AppData\Local\Temp\44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
"C:\Users\Admin\AppData\Local\Temp\44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\siqox.exe
  "C:\Users\Admin\AppData\Local\Temp\siqox.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\letyf.exe
    "C:\Users\Admin\AppData\Local\Temp\letyf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
341B

MD5
b23e7f2f3c58c3d21b81b382cba96da4

SHA1
780679cc0d062f165ac6ef06869f105c70675291

SHA256
96d14de4bb9c7ddf259885a0f6d3f22a37c193ed453824e0048d81f5cda23f2d

SHA512
e212967f932797035c0e48efa1d4fb0441304e1f074367ddfd20f2d404224f5729d7fde5feb54076fb1940674c381ed16a89df04bb20d170df2f881b78ec9b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4c2134193bcc57a2fe7210778bf90f12

SHA1
cfaf24ea9ac86be1c35abd1dcbba85981220c466

SHA256
bac246bb0083f68cab91168c7444a0d966f2c2c6c19be08a2e991966006c35ee

SHA512
7a8036227d48a3d7c3975aa0127fdb07ecd6e67e4dd41998af860eb1b49cd676a708bf27d336564302b7902605adf8fed4274a3610241168c8b19563b95c50a2

Download Submit
\Users\Admin\AppData\Local\Temp\letyf.exe

Filesize
243KB

MD5
3602f6e41bafba7d6e769ffd527c7f57

SHA1
3553ee6ca762c956acac1d77515ab356612fd590

SHA256
6731c2373f7729e0795e27136c8b637a0cce8bbe4771bce5c47e32237a3f5063

SHA512
ba6735ee9db6037ffbb355a8d6f32ea26fd335b8d8b3abc5949888b9a838ad91114bc4416f86b72f7c8b3cf84d429c019ff2c92fe8e5ebc4b6512306b18adc0f

Download Submit
\Users\Admin\AppData\Local\Temp\siqox.exe

Filesize
660KB

MD5
5b8d3e2fb58c36b74228472371a8d8a6

SHA1
dc2ea09a1ca950d17248a8df9742a7948a37e2fb

SHA256
914925428eb3e4219a7acbf5bfbf6164edeb2fd136d04040b0432dbcbec1a0f8

SHA512
1661ec434ec6c2b3541053686c65d612457ec9b87c81b9824dc16ff293272f82987ee70e6e41d0a4ddf6f4c67a793e9702a2a4c9bef049e1ee307b41594c8e89

Download Submit
memory/772-38-0x00000000002A0000-0x000000000035A000-memory.dmp

Filesize
744KB

Download
memory/772-37-0x00000000002A0000-0x000000000035A000-memory.dmp

Filesize
744KB

Download
memory/772-33-0x00000000002A0000-0x000000000035A000-memory.dmp

Filesize
744KB

Download
memory/772-36-0x00000000002A0000-0x000000000035A000-memory.dmp

Filesize
744KB

Download
memory/772-39-0x00000000002A0000-0x000000000035A000-memory.dmp

Filesize
744KB

Download
memory/772-35-0x00000000002A0000-0x000000000035A000-memory.dmp

Filesize
744KB

Download
memory/772-34-0x00000000002A0000-0x000000000035A000-memory.dmp

Filesize
744KB

Download
memory/772-30-0x00000000002A0000-0x000000000035A000-memory.dmp

Filesize
744KB

Download
memory/772-31-0x00000000002A0000-0x000000000035A000-memory.dmp

Filesize
744KB

Download
memory/772-32-0x00000000002A0000-0x000000000035A000-memory.dmp

Filesize
744KB

Download
memory/2760-27-0x0000000003260000-0x000000000331A000-memory.dmp

Filesize
744KB

Download
memory/2760-29-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2760-21-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2760-10-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2872-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2872-18-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2872-8-0x00000000025D0000-0x0000000002675000-memory.dmp

Filesize
660KB

Download