urelas | d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe
Size

6.5MB
MD5

106e3af15846334c1edb74dd2ffc3391
SHA1

5bf4021ee7e67ad451fca8881c8aed3a2d9ec819
SHA256

d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3
SHA512

d1a9780c55d37a2f0294a49df526cb691083f9721e4ea2bee38b552990d8a096b83b477f185066d197db8781d925e19e0445870be1df1de89cfc3f1a55a2d3c0
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVS8u:i0LrA2kHKQHNk3og9unipQyOaOt

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
3056	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

lubyn.exegoycno.exevovic.exe

pid	Process
2192	lubyn.exe
2120	goycno.exe
2344	vovic.exe

Loads dropped DLL 5 IoCs

Processes:

d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exelubyn.exegoycno.exe

pid	Process
2912	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe
2912	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe
2192	lubyn.exe
2192	lubyn.exe
2120	goycno.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0008000000015d87-155.dat	upx
behavioral1/memory/2344-168-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2344-173-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.execmd.exelubyn.exegoycno.exevovic.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lubyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	goycno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vovic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exelubyn.exegoycno.exevovic.exe

pid	Process
2912	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe
2192	lubyn.exe
2120	goycno.exe
2344	vovic.exe
2344	vovic.exe
2344	vovic.exe
2344	vovic.exe
2344	vovic.exe
2344	vovic.exe
2344	vovic.exe
2344	vovic.exe
2344	vovic.exe
2344	vovic.exe
2344	vovic.exe
2344	vovic.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exelubyn.exegoycno.exe

description	pid	Process	procid_target
PID 2912 wrote to memory of 2192	2912	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe	28
PID 2912 wrote to memory of 2192	2912	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe	28
PID 2912 wrote to memory of 2192	2912	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe	28
PID 2912 wrote to memory of 2192	2912	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe	28
PID 2912 wrote to memory of 3056	2912	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe	29
PID 2912 wrote to memory of 3056	2912	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe	29
PID 2912 wrote to memory of 3056	2912	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe	29
PID 2912 wrote to memory of 3056	2912	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe	29
PID 2192 wrote to memory of 2120	2192	lubyn.exe	31
PID 2192 wrote to memory of 2120	2192	lubyn.exe	31
PID 2192 wrote to memory of 2120	2192	lubyn.exe	31
PID 2192 wrote to memory of 2120	2192	lubyn.exe	31
PID 2120 wrote to memory of 2344	2120	goycno.exe	34
PID 2120 wrote to memory of 2344	2120	goycno.exe	34
PID 2120 wrote to memory of 2344	2120	goycno.exe	34
PID 2120 wrote to memory of 2344	2120	goycno.exe	34
PID 2120 wrote to memory of 108	2120	goycno.exe	35
PID 2120 wrote to memory of 108	2120	goycno.exe	35
PID 2120 wrote to memory of 108	2120	goycno.exe	35
PID 2120 wrote to memory of 108	2120	goycno.exe	35

C:\Users\Admin\AppData\Local\Temp\d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe
"C:\Users\Admin\AppData\Local\Temp\d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\lubyn.exe
  "C:\Users\Admin\AppData\Local\Temp\lubyn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Users\Admin\AppData\Local\Temp\goycno.exe
    "C:\Users\Admin\AppData\Local\Temp\goycno.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\vovic.exe
      "C:\Users\Admin\AppData\Local\Temp\vovic.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
dad1a649747ac37c26732a5c80fe6f96

SHA1
54b4e35edf41c9c3d050e99d8ceabda0252d0abb

SHA256
aaab478084aae124e0fa68af6041d7609beb40068863f75d32c83e9209f0a9e5

SHA512
2bc88aba84a1b24852f6b1c3e29635230d7ab002c972899135ffbd18742d2bf53b155175a872eb755482183d0e73686839b074613d01c568a74bcce084cfe530

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
2179e03e2b7dc6367d2ce5113a197399

SHA1
9fa5b7feee4d01e89fb650d6b8b72f8947a7c331

SHA256
3d34270a71ba2a5fb3067d3c0afc7648dfd781c695969d53875ea7a437fb1142

SHA512
f185bb0cd19abd34a2ce0278694a885c38e40502ecf2b81c2812320fcd767d788241ed463b25536e142cf9117d1123ce6c9164f6be79d7bb98f0e666417705b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
926fd4cabc575bbf1a99ba7321fd4225

SHA1
d8706e9f8fdc8004e681595ff8bcd6c82f8fb4b4

SHA256
83d6508a776cfa63cd7f752745090b5647b2b47a4a485809712879b4130bc5a8

SHA512
9fff01947afb7ae302fffc3e53ab4e3adb71de696c57ed5f77516268c581dece413c89bb18c32baba2a68e9845f62bc985afd7596fdfe97c121471b1a16b5e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\lubyn.exe

Filesize
6.5MB

MD5
4fbf68b8f9ca1ace7901bc6745a85a44

SHA1
aa59c74ae52bb4812851f1c9978d7be0cdd5a9f3

SHA256
7cdaee3923f6d770e762dc56f3466ce20ad9a927b7feda058459026c241fb829

SHA512
d524e113083c2d897924aa604c3fd5a1d63b045093bc74029aaa10e515491c95f880408c444902b04e2ec5340a4946ad1f5266cbcfc728467c300b89c98c92dc

Download Submit
\Users\Admin\AppData\Local\Temp\vovic.exe

Filesize
459KB

MD5
2ff0b290e6520926d99166e16a369a1f

SHA1
781b87cb9e309d417ea1e1ce52dd462a23801d98

SHA256
3b4885150abc209d288788c6143a384223e5a639c2b39989ecb9f834edbcefd0

SHA512
f080bf4f8e0b0613651400997c58e0302b467df5645af7509fbd215a2353b43066d0ac23c5ff1a33101178fc98e83fb12429cb25b3f18accaf46e86fccc01172

Download Submit
memory/2120-159-0x0000000004AA0000-0x0000000004C39000-memory.dmp

Filesize
1.6MB

Download
memory/2120-169-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2120-151-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2192-111-0x0000000004830000-0x000000000531C000-memory.dmp

Filesize
10.9MB

Download
memory/2192-76-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2192-83-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2192-66-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2192-68-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2192-71-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2192-73-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2192-113-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2192-78-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2192-86-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2192-88-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2192-81-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2344-173-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2344-168-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2912-11-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2912-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2912-52-0x0000000003EB0000-0x000000000499C000-memory.dmp

Filesize
10.9MB

Download
memory/2912-63-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2912-53-0x0000000003EB0000-0x000000000499C000-memory.dmp

Filesize
10.9MB

Download
memory/2912-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2912-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2912-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2912-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2912-5-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2912-6-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2912-8-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2912-10-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2912-61-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2912-13-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2912-15-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2912-18-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2912-20-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2912-23-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2912-25-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2912-28-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2912-30-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2912-33-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2912-35-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2912-37-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download