urelas | a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe
Size

467KB
MD5

0f5e4bbfcfd0acca9f07f391dcf1e589
SHA1

ac4160ff4b83c36db425c6b68845c34ed6935557
SHA256

a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62
SHA512

a7aa485826d8fa53ad0511962e6c89e490fd43492317e7d987f18239b22b14c5b648e860342fe98095f7e5c45d98255cb0371d969f1e139d5cf57fc8692a3c8c
SSDEEP

12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1Uv2:m6tQCG0UUPzEkTn4AC1+1

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lypyx.exe

Executes dropped EXE 2 IoCs

pid	Process
1664	lypyx.exe
4984	xoriq.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000705-26.dat	upx
behavioral2/memory/4984-25-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4984-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4984-30-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4984-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4984-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4984-33-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4984-34-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoriq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lypyx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe
4984	xoriq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1664	1572	a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe	85
PID 1572 wrote to memory of 1664	1572	a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe	85
PID 1572 wrote to memory of 1664	1572	a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe	85
PID 1572 wrote to memory of 1496	1572	a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe	86
PID 1572 wrote to memory of 1496	1572	a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe	86
PID 1572 wrote to memory of 1496	1572	a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe	86
PID 1664 wrote to memory of 4984	1664	lypyx.exe	104
PID 1664 wrote to memory of 4984	1664	lypyx.exe	104
PID 1664 wrote to memory of 4984	1664	lypyx.exe	104

C:\Users\Admin\AppData\Local\Temp\a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe
"C:\Users\Admin\AppData\Local\Temp\a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Local\Temp\lypyx.exe
  "C:\Users\Admin\AppData\Local\Temp\lypyx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\xoriq.exe
    "C:\Users\Admin\AppData\Local\Temp\xoriq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
6c4708585b360860ef816d0d6d3b3655

SHA1
a1f0a223f31a9fbc8e4fbe1baadc1861081ace1a

SHA256
faafab5754a0cc58182156aef5d7dd79731fa10f990a12c534bc5849887a7cff

SHA512
2c2db0f7dd2e805c99a0fb0f627dc0230d2ce508c9dfb16a203392439b87993380f8c3a107f8ccdd78ceb5266c811375970db90c11e2e366deb2b5ad7447793c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
30fd3deb392b21fc081203c2a0fe2c35

SHA1
121ba9229d9b9784214ce67d9ae92b07c3e1b0cf

SHA256
201797f9d82519ddb8bc7bff327211267ec2d203a420cad25881c3454eee58f6

SHA512
8479ff5810838ad65809ba65740fbdb4496d505910b234957c6dd8e5309db6ee6a15b7578a51ff3098151551a91b1b1ecba14b8ccc3caa0188576793947c69dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lypyx.exe

Filesize
467KB

MD5
a967063991710b07e6c3e47c6288430e

SHA1
934b10dae1fabf67c81c153646d558a1195cce5e

SHA256
b4abb10ff60a13e9d4e4edb98fb4111b7c6a55377266b364320785e583618817

SHA512
501ee9573f48ac0030fd8b15c188b91348b326e3b98d777f7affdf7540e244086b6cf6a340ab8558d0a46b8924febc0d5230ed325116695a9b65d3188f23cda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoriq.exe

Filesize
198KB

MD5
0703d5863b5e78dc4442567375e0b9cd

SHA1
2f507ca320f8a1282192805bf05fcbc290d61316

SHA256
2358185331a30c6e09c7d1438bddccd68f7b0f78da7291bfe155845b123939e5

SHA512
2b2846dfd70274869cf37a5e7703a684fac3061c39c0cd8b4bdbf7a8b60ef4a3d22dd340cc87165c29d1afc3f5610cfb87259e0c62f687c02813d7c304ca6a72

Download Submit
memory/1572-14-0x0000000000410000-0x000000000048C000-memory.dmp

Filesize
496KB

Download
memory/1572-0-0x0000000000410000-0x000000000048C000-memory.dmp

Filesize
496KB

Download
memory/1664-17-0x0000000000AA0000-0x0000000000B1C000-memory.dmp

Filesize
496KB

Download
memory/1664-27-0x0000000000AA0000-0x0000000000B1C000-memory.dmp

Filesize
496KB

Download
memory/1664-13-0x0000000000AA0000-0x0000000000B1C000-memory.dmp

Filesize
496KB

Download
memory/4984-25-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4984-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4984-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4984-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4984-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4984-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4984-34-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download