urelas | c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32

Analysis

max time kernel
118s
max time network
80s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe
Size

6.5MB
MD5

b42065846911937cc82d51116d7a47f0
SHA1

e806bdeed3689d796a093d7699cb05f6df434805
SHA256

c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32
SHA512

b38f502b35b3cb0c80889c86d670edf736a5ecde85e127fcef337635faa027c28a88d53f02e7bfdf61ef94ce0ed713d2e5b14c1df089d1dfb3674c07a9b9b9c0
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVS/:i0LrA2kHKQHNk3og9unipQyOaO/

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2836	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2448	keziq.exe
2172	hydila.exe
1852	wojor.exe

Loads dropped DLL 5 IoCs

pid	Process
2372	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe
2372	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe
2448	keziq.exe
2448	keziq.exe
2172	hydila.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001939c-159.dat	upx
behavioral1/memory/2172-162-0x00000000046F0000-0x0000000004889000-memory.dmp	upx
behavioral1/memory/1852-172-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1852-177-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keziq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hydila.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wojor.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2372	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe
2448	keziq.exe
2172	hydila.exe
1852	wojor.exe
1852	wojor.exe
1852	wojor.exe
1852	wojor.exe
1852	wojor.exe
1852	wojor.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2448	2372	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe	30
PID 2372 wrote to memory of 2448	2372	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe	30
PID 2372 wrote to memory of 2448	2372	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe	30
PID 2372 wrote to memory of 2448	2372	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe	30
PID 2372 wrote to memory of 2836	2372	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe	31
PID 2372 wrote to memory of 2836	2372	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe	31
PID 2372 wrote to memory of 2836	2372	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe	31
PID 2372 wrote to memory of 2836	2372	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe	31
PID 2448 wrote to memory of 2172	2448	keziq.exe	33
PID 2448 wrote to memory of 2172	2448	keziq.exe	33
PID 2448 wrote to memory of 2172	2448	keziq.exe	33
PID 2448 wrote to memory of 2172	2448	keziq.exe	33
PID 2172 wrote to memory of 1852	2172	hydila.exe	35
PID 2172 wrote to memory of 1852	2172	hydila.exe	35
PID 2172 wrote to memory of 1852	2172	hydila.exe	35
PID 2172 wrote to memory of 1852	2172	hydila.exe	35
PID 2172 wrote to memory of 1028	2172	hydila.exe	36
PID 2172 wrote to memory of 1028	2172	hydila.exe	36
PID 2172 wrote to memory of 1028	2172	hydila.exe	36
PID 2172 wrote to memory of 1028	2172	hydila.exe	36

C:\Users\Admin\AppData\Local\Temp\c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe
"C:\Users\Admin\AppData\Local\Temp\c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\keziq.exe
  "C:\Users\Admin\AppData\Local\Temp\keziq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\hydila.exe
    "C:\Users\Admin\AppData\Local\Temp\hydila.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\wojor.exe
      "C:\Users\Admin\AppData\Local\Temp\wojor.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
3b879f98dfac596d31bfaade3bef4caa

SHA1
2cd37fb5fe463d6dcff0b303803bd53ea3a8b16e

SHA256
71e7a71eb102820496f8d557022918ea7ff5bdc8ce154648c2a0bdf4cec6b2b4

SHA512
14a5314e0362a90a01dbee850be7dab579884bdfff20c0ae2d9eea69ae4f9e85886d4657229e5caade697987edcb46908a4570f7aee23fef269ddacdfb757957

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9a003dd4a3acddd945b777d0d0d2790b

SHA1
9006bd39211928631a19d2035a483c34bc7623a6

SHA256
ac41d364e166d2e5af800fbe279ac094dbc912b9861ea208c59791002611c90c

SHA512
4f5e599447413d3a94d832c8e6201d1870fea6d40bf65c405dedd29ae60527e625cf9fda24ca257dbaf76b3f5cdc127d089176cd5ba26e91d87508c4697e09a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6b69831a3b3d6726502d90ec3d95dc33

SHA1
6bc3703f2774c48669d9b0d61dc147017f9276c6

SHA256
d957cba4e2f177ae0ecd919ca8a7c59bc352e4e93d9c442b61a950605366d764

SHA512
b2acabafab66deb62e4084da6991e9c129d9b0fef6d8375fe12a40ed3bf645e7651b816f89f3be34e4ccd3aca9690f257415a91e4dd9b2e0fd4f83e263e0e501

Download Submit
C:\Users\Admin\AppData\Local\Temp\keziq.exe

Filesize
6.5MB

MD5
cab9728d0ca30509a2a964e633cb0224

SHA1
8d4a066d6a6a6b3a9364b35607c0783457593221

SHA256
5a1fbccd41e1fb997be2821129007f5a4f7bfb7d8fbaf883e43e2aa7f1051d73

SHA512
e1b022e8ac038167e79c49da13da83eb6e3877fa0b31a79cc1305445facbceea7c6728a00c7ffb212fd59ade72461531a19e5c995b90228760690428af10513e

Download Submit
\Users\Admin\AppData\Local\Temp\wojor.exe

Filesize
459KB

MD5
6f21dd8aea1034677fd48e48e91b6e06

SHA1
86c73d9e3ade30c44b72c0b029a7f7057ba45178

SHA256
0e9f29577736e16f721efeb0eff14df050f02e577a74867666ef539ecb973e03

SHA512
310c06c750616b8a8735e5bc085af5793742b29f79c99776ff58f2ee82443830eeeecda02916ec112ff3f3fa73c6cd9fd24091e4d595f5608e274890d05a7275

Download Submit
memory/1852-177-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1852-172-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2172-174-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2172-162-0x00000000046F0000-0x0000000004889000-memory.dmp

Filesize
1.6MB

Download
memory/2172-155-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2172-116-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2372-57-0x0000000004220000-0x0000000004D0C000-memory.dmp

Filesize
10.9MB

Download
memory/2372-6-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2372-13-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2372-11-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2372-10-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2372-8-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2372-5-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2372-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2372-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2372-60-0x0000000004220000-0x0000000004D0C000-memory.dmp

Filesize
10.9MB

Download
memory/2372-59-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2372-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2372-18-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2372-25-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2372-20-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2372-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2372-40-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2372-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2372-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2372-15-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2372-35-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2372-33-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2372-30-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2372-28-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2372-23-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2448-67-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2448-82-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2448-84-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2448-115-0x00000000042E0000-0x0000000004DCC000-memory.dmp

Filesize
10.9MB

Download
memory/2448-112-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2448-111-0x00000000042E0000-0x0000000004DCC000-memory.dmp

Filesize
10.9MB

Download
memory/2448-154-0x00000000042E0000-0x0000000004DCC000-memory.dmp

Filesize
10.9MB

Download
memory/2448-87-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2448-89-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2448-79-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2448-77-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2448-69-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2448-72-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2448-74-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2448-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download