urelas | 87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe
Size

6.5MB
MD5

660c8c0eb2c2cfc06b8b41617b852b31
SHA1

709affacdea23355175f72bd66e3e00c59d01460
SHA256

87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a
SHA512

fe45a97d8043a59cd008643f3377425317ead3deda5a2f55dbf5577300ca94369f1c2792a1ac83d98ad55163f679531806e686161dcda4e5cd6b3dc78dafe059
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSM:i0LrA2kHKQHNk3og9unipQyOaOM

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2856	lupuo.exe
1632	xebeqo.exe
2152	aspow.exe

Loads dropped DLL 5 IoCs

pid	Process
2068	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe
2068	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe
2856	lupuo.exe
2856	lupuo.exe
1632	xebeqo.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001946b-161.dat	upx
behavioral1/memory/1632-163-0x00000000047C0000-0x0000000004959000-memory.dmp	upx
behavioral1/memory/2152-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2152-179-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lupuo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xebeqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2068	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe
2856	lupuo.exe
1632	xebeqo.exe
2152	aspow.exe
2152	aspow.exe
2152	aspow.exe
2152	aspow.exe
2152	aspow.exe
2152	aspow.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2856	2068	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe	31
PID 2068 wrote to memory of 2856	2068	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe	31
PID 2068 wrote to memory of 2856	2068	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe	31
PID 2068 wrote to memory of 2856	2068	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe	31
PID 2068 wrote to memory of 2800	2068	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe	32
PID 2068 wrote to memory of 2800	2068	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe	32
PID 2068 wrote to memory of 2800	2068	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe	32
PID 2068 wrote to memory of 2800	2068	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe	32
PID 2856 wrote to memory of 1632	2856	lupuo.exe	34
PID 2856 wrote to memory of 1632	2856	lupuo.exe	34
PID 2856 wrote to memory of 1632	2856	lupuo.exe	34
PID 2856 wrote to memory of 1632	2856	lupuo.exe	34
PID 1632 wrote to memory of 2152	1632	xebeqo.exe	36
PID 1632 wrote to memory of 2152	1632	xebeqo.exe	36
PID 1632 wrote to memory of 2152	1632	xebeqo.exe	36
PID 1632 wrote to memory of 2152	1632	xebeqo.exe	36
PID 1632 wrote to memory of 1388	1632	xebeqo.exe	37
PID 1632 wrote to memory of 1388	1632	xebeqo.exe	37
PID 1632 wrote to memory of 1388	1632	xebeqo.exe	37
PID 1632 wrote to memory of 1388	1632	xebeqo.exe	37

C:\Users\Admin\AppData\Local\Temp\87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe
"C:\Users\Admin\AppData\Local\Temp\87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\lupuo.exe
  "C:\Users\Admin\AppData\Local\Temp\lupuo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\xebeqo.exe
    "C:\Users\Admin\AppData\Local\Temp\xebeqo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\aspow.exe
      "C:\Users\Admin\AppData\Local\Temp\aspow.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2152
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
8614a8ce6f3a9f057d765468271c484b

SHA1
c700a1b0e0d15e0405983f140d7e7c6f2c705c2e

SHA256
76d43be51ccff41bdabe48ee4648010fdf39c777d3d412df7bd3879732dfeec6

SHA512
a5ed9d1ee73646eddcbea16d489b064106ab815b0f116a4a9a603e4c3bf9a8fafdfbed70e6aed595aec5a5f664d006b3f2795648ed5d33d163f2d1313292abd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
304e83fe365b915f3e79e175d1cc6096

SHA1
e783303a09ab860594f6448e654ed1ad7f5fa877

SHA256
6e22f2d8b034cdd0d7362237d232a00cc9994c34c7a279bc8ab70b22946743b3

SHA512
b04b2ea6e23d6de84d676d6abbdb128098f4f2fde2fda8b3f528131f57b644c52c596f343a201c3bad77262b9ab623a2c1878339e340e0a259562759e28f5f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1e829e60981aeb3730892e4308a76824

SHA1
2c80be471c0a1e7e62c3d81603fe751839260192

SHA256
8a88e124bcce5f0c59f7686fe5b77d1339282cde766ca68f4f698439eb7d9413

SHA512
885ce7cd45eb3c52d16b643174b46c50ae89ce73f09509654a3c2b5f398e596bb4ffd5812a882b9906ee1be8f485fdaf4abe95dd8af87515b780c6b78846dfac

Download Submit
\Users\Admin\AppData\Local\Temp\aspow.exe

Filesize
459KB

MD5
57355b0730b923cf9bc6913c9599aa71

SHA1
c53ab327600f5f8ce88312e5334d7f2fe5e29e33

SHA256
8c7adeb182607b465491020f0e0de696eff5c0c5710c1888473bd607355adaa5

SHA512
7ceeb73c4b4887d726b8d68b7239939998153849eb31269ee6a3460053b91862901cffe46ed3a4b7d57da7a24161124c4fe1903d6184543b1cdfa9052d165256

Download Submit
\Users\Admin\AppData\Local\Temp\lupuo.exe

Filesize
6.5MB

MD5
801d9dcf526bea1d11b53c4efe4dd1be

SHA1
277bb06073d1e43e18eeb4794fc9023b7b942d47

SHA256
610104262afb9b5e731562352240d0af6b7fadcddf1be661d676c2a1f12c74ed

SHA512
d9975258d222b1e35b2c8606c77b42134b05d9699588141510a95aab81bc9b0dc039f77eedafead17fc5dd8f9a2c70626f21358fb3bcd509113f2292f5285c99

Download Submit
memory/1632-118-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1632-175-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1632-163-0x00000000047C0000-0x0000000004959000-memory.dmp

Filesize
1.6MB

Download
memory/1632-157-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2068-54-0x0000000004250000-0x0000000004D3C000-memory.dmp

Filesize
10.9MB

Download
memory/2068-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2068-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2068-28-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2068-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2068-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2068-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2068-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2068-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2068-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2068-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2068-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2068-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2068-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2068-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2068-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2068-35-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2068-64-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2068-63-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2068-52-0x0000000004250000-0x0000000004D3C000-memory.dmp

Filesize
10.9MB

Download
memory/2068-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2068-33-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2068-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2068-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2068-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2068-38-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2152-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2152-179-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2856-85-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2856-73-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2856-70-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2856-80-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2856-68-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2856-116-0x0000000004510000-0x0000000004FFC000-memory.dmp

Filesize
10.9MB

Download
memory/2856-115-0x0000000004510000-0x0000000004FFC000-memory.dmp

Filesize
10.9MB

Download
memory/2856-114-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2856-75-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2856-78-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2856-83-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2856-88-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2856-90-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2856-104-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2856-105-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2856-55-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download