urelas | 44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c

Analysis

max time kernel
149s
max time network
82s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe
Size

536KB
MD5

f9af706df4dcec928ce28ba9db8d2585
SHA1

e35a65fc775be9cd630ccf7fcd09ee240d27f899
SHA256

44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c
SHA512

9e0b5070cc1a0000f6ff0040ce0e8f36cf964100a9350b2907674d3b9bdf5c7a6c61fea074732b6294fb869952aa1bcc7b3ab2a8c2ea1fa70d93e7e92a0a8988
SSDEEP

12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2T:cLjQC+bs0YOT

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2976	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2260	ducie.exe
1312	suqof.exe

Loads dropped DLL 2 IoCs

pid	Process
576	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe
2260	ducie.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/576-0-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/files/0x0012000000016d3f-4.dat	upx
behavioral1/memory/2260-10-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/576-18-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2260-21-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2260-30-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ducie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	suqof.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe
1312	suqof.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 2260	576	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	30
PID 576 wrote to memory of 2260	576	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	30
PID 576 wrote to memory of 2260	576	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	30
PID 576 wrote to memory of 2260	576	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	30
PID 576 wrote to memory of 2976	576	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	31
PID 576 wrote to memory of 2976	576	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	31
PID 576 wrote to memory of 2976	576	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	31
PID 576 wrote to memory of 2976	576	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	31
PID 2260 wrote to memory of 1312	2260	ducie.exe	33
PID 2260 wrote to memory of 1312	2260	ducie.exe	33
PID 2260 wrote to memory of 1312	2260	ducie.exe	33
PID 2260 wrote to memory of 1312	2260	ducie.exe	33

C:\Users\Admin\AppData\Local\Temp\44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe
"C:\Users\Admin\AppData\Local\Temp\44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Temp\ducie.exe
  "C:\Users\Admin\AppData\Local\Temp\ducie.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\suqof.exe
    "C:\Users\Admin\AppData\Local\Temp\suqof.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
db38cec0ed48155f1663628226e380d0

SHA1
916c83b08db52972e4f13d6ebd0c4c9287ae75d8

SHA256
f3fbb75ef764e7bbca6ba076b984895051ffced4e18c848c4bf7d8b49d598bdf

SHA512
8c685dda2992911f662e7906161bfa9232739b1a2bda85cfe342ca8ff0fe6adbbd54e10c3c838426e1aaa85ec17126ef9311d8091b57a25aed1013a13d483f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
384919f18e500561a3c9a3cc34fddce5

SHA1
de9f47e499bb41d39f51e006b9c9c27ecc31546e

SHA256
12a1d6c497098183eb6a3e6fb343da5833ecc05c0e94031739c40c2de9a23c84

SHA512
9b79879863f0e97368341ff86ba35cf4ae4123e5c327a4c11a750326caf5cd44a240064145653895420d9c37266d83b927e655deae9410331f2701e78856c776

Download Submit
C:\Users\Admin\AppData\Local\Temp\suqof.exe

Filesize
241KB

MD5
f91e2c13bddea8b8aef46c9ad171b037

SHA1
541b48c4718241afa03c2d37896842828105e5a2

SHA256
c28f87dff30d05d34f6628e24915ee2e2c795b83027d28b6dea0c067fe642f0a

SHA512
3477ab044a847f488a0de2ab1ba0515affb9aa054f2146d702a672ada170ec3872466d64ed68870613f7d81b06f987b45bcd31be78d21d905494310735ddcd01

Download Submit
\Users\Admin\AppData\Local\Temp\ducie.exe

Filesize
536KB

MD5
194166f8118bc60e697ee4e3f38b2e19

SHA1
d98e79bc1799e6bd325ff62e4544a841f72b9628

SHA256
e2cc19243337d05a7248b5eb1e3f8cfb9a5dcb7f6e4a1078b8ca2615e6900514

SHA512
0deb3484b06c1d1c05587e3d417436b4a99c4374d80786a850d696d8f70839d769f7ff4b8b049db7f8bc0034b645fdb296cfbe2bf60d00fbc7dd128b94f93d2f

Download Submit
memory/576-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/576-8-0x0000000002730000-0x00000000027BB000-memory.dmp

Filesize
556KB

Download
memory/576-18-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1312-32-0x0000000001120000-0x00000000011D6000-memory.dmp

Filesize
728KB

Download
memory/1312-29-0x0000000001120000-0x00000000011D6000-memory.dmp

Filesize
728KB

Download
memory/1312-33-0x0000000001120000-0x00000000011D6000-memory.dmp

Filesize
728KB

Download
memory/1312-34-0x0000000001120000-0x00000000011D6000-memory.dmp

Filesize
728KB

Download
memory/1312-35-0x0000000001120000-0x00000000011D6000-memory.dmp

Filesize
728KB

Download
memory/1312-36-0x0000000001120000-0x00000000011D6000-memory.dmp

Filesize
728KB

Download
memory/2260-27-0x00000000039C0000-0x0000000003A76000-memory.dmp

Filesize
728KB

Download
memory/2260-21-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2260-30-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2260-10-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download