urelas | 37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8a

Analysis

max time kernel
118s
max time network
80s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe
Size

6.5MB
MD5

8f8a6a76809094b654f65f6107740d70
SHA1

60de680dcd7d55316c6c76eb683c1525f3eccfc0
SHA256

37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8a
SHA512

795479d31e006b162e1716623f13259e9ac1922fe48c5eeaa0f37b8b9665c85f3b2250014c8bb68561c7890a7742a18832420f14d95fb0012ea25313ce812c2b
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSM:i0LrA2kHKQHNk3og9unipQyOaOM

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2736	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2676	votuc.exe
2812	disopu.exe
1528	ahvuu.exe

Loads dropped DLL 5 IoCs

pid	Process
2460	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe
2460	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe
2676	votuc.exe
2676	votuc.exe
2812	disopu.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000017525-159.dat	upx
behavioral1/memory/2812-163-0x00000000046F0000-0x0000000004889000-memory.dmp	upx
behavioral1/memory/1528-172-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1528-177-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	votuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	disopu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ahvuu.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2460	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe
2676	votuc.exe
2812	disopu.exe
1528	ahvuu.exe
1528	ahvuu.exe
1528	ahvuu.exe
1528	ahvuu.exe
1528	ahvuu.exe
1528	ahvuu.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2676	2460	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe	31
PID 2460 wrote to memory of 2676	2460	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe	31
PID 2460 wrote to memory of 2676	2460	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe	31
PID 2460 wrote to memory of 2676	2460	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe	31
PID 2460 wrote to memory of 2736	2460	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe	32
PID 2460 wrote to memory of 2736	2460	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe	32
PID 2460 wrote to memory of 2736	2460	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe	32
PID 2460 wrote to memory of 2736	2460	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe	32
PID 2676 wrote to memory of 2812	2676	votuc.exe	34
PID 2676 wrote to memory of 2812	2676	votuc.exe	34
PID 2676 wrote to memory of 2812	2676	votuc.exe	34
PID 2676 wrote to memory of 2812	2676	votuc.exe	34
PID 2812 wrote to memory of 1528	2812	disopu.exe	36
PID 2812 wrote to memory of 1528	2812	disopu.exe	36
PID 2812 wrote to memory of 1528	2812	disopu.exe	36
PID 2812 wrote to memory of 1528	2812	disopu.exe	36
PID 2812 wrote to memory of 836	2812	disopu.exe	37
PID 2812 wrote to memory of 836	2812	disopu.exe	37
PID 2812 wrote to memory of 836	2812	disopu.exe	37
PID 2812 wrote to memory of 836	2812	disopu.exe	37

C:\Users\Admin\AppData\Local\Temp\37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe
"C:\Users\Admin\AppData\Local\Temp\37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\votuc.exe
  "C:\Users\Admin\AppData\Local\Temp\votuc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\disopu.exe
    "C:\Users\Admin\AppData\Local\Temp\disopu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\ahvuu.exe
      "C:\Users\Admin\AppData\Local\Temp\ahvuu.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
880995948981fccb71ad9e72c575160f

SHA1
cd1717578b57cdc3463df65a17990ca825928d67

SHA256
93fe67385671fac431b0ce410180317085f97e82d84b3255d0739892f817016c

SHA512
415d418abf9ecb86ce1b3a3d0439260c16a1bc211206bee7ec254c7962a019b639aec14f9b2e710903aac1f363acff8525463932b5b793009c2b892bb2f9b894

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
56fc09ade9856d50bab696643c628579

SHA1
a1e51a527819ce01ed6d543da538c169bcb7e8e7

SHA256
5dd4fc7e7445079bcd15c673ca26ce0a781afa62841d0207f9b3aabdfb3c6480

SHA512
4e351a7230652a8cfe4e1f494f9a7396eb9cff2a53dba90fc5ca165cf1ed837fb65288f56094ec3b4a3cba28adf7ab972a81722f546463d3eeca72df235dee4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f0c14b2400f54a42fb5756422e1a1f5b

SHA1
c0721bd6508888739395edc61b8d100209bc6fa2

SHA256
9e466235d185dcf1a4cd048f22b61c55c780ee053ae096821780611ef4ffa730

SHA512
976a844d60936923d23103bb947916368bfa7800793f54ede9bafb79e5acc8cc20dab50fb9b779bcc93c10c12528b8acc40126b59fde12379d443b46f7b5db78

Download Submit
\Users\Admin\AppData\Local\Temp\ahvuu.exe

Filesize
459KB

MD5
ee3408f167f536ee35e3c0c2cbbf4a69

SHA1
8f9a76fecd3030a795117440680380fc4a0aca5c

SHA256
45827bf6f363b2514d454c4a5d799304e158136a99d1cad16872fea13662de76

SHA512
b62ced2b4fc8db16b5e61beef4f2b1d53d1190932f7c0e49766bf69e986e54948b410c836f2d9a722731d58f2bfb8f0f12c2461470c7f0e4093bb9405ea2aebb

Download Submit
\Users\Admin\AppData\Local\Temp\votuc.exe

Filesize
6.5MB

MD5
a580659650df9ba26b1c04d4e1a2bfb1

SHA1
95f1fd443ce02c43a08d53ba820261c0a6080554

SHA256
e44c2d8bd2d827869d8a3f07b0183647b77fd3f8629d8e2d810eae1c303dae6a

SHA512
55da86b6aba517923c763456cf74ddfcdf0c992ae6af89392dff724f2e31cecb0d33a53f55521a051a3180c36af0cf432ddb7a64a8471d0dfb714f2249a75ce0

Download Submit
memory/1528-177-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1528-172-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2460-59-0x00000000042E0000-0x0000000004DCC000-memory.dmp

Filesize
10.9MB

Download
memory/2460-51-0x00000000042E0000-0x0000000004DCC000-memory.dmp

Filesize
10.9MB

Download
memory/2460-35-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2460-33-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2460-30-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2460-28-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2460-25-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2460-23-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2460-20-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2460-18-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2460-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2460-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2460-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2460-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2460-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2460-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2460-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2460-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2460-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2460-63-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2460-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2460-37-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2460-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2460-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2460-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2460-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2676-114-0x00000000045E0000-0x00000000050CC000-memory.dmp

Filesize
10.9MB

Download
memory/2676-82-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2676-154-0x00000000045E0000-0x00000000050CC000-memory.dmp

Filesize
10.9MB

Download
memory/2676-77-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2676-87-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2676-89-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2676-111-0x00000000045E0000-0x00000000050CC000-memory.dmp

Filesize
10.9MB

Download
memory/2676-112-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2676-69-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2676-79-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2676-84-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2676-74-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2676-72-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2676-67-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2812-163-0x00000000046F0000-0x0000000004889000-memory.dmp

Filesize
1.6MB

Download
memory/2812-155-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2812-175-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2812-116-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download