urelas | 713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46

Analysis

max time kernel
119s
max time network
76s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe
Size

6.5MB
MD5

dfd636e10b468d1ff62cba3cb4234850
SHA1

20ae9ae3d446e1ce63da8893944ab7dbac6d9083
SHA256

713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46
SHA512

6cc4e0273e52b3904db99a689f47dce10aea52d4f7295c31cfa2ab0d58acdaf1c2a1d253845dc0cf80c90c3146b46e6f70ababbaacbc766e64c2e8b03efd6caf
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVS2:i0LrA2kHKQHNk3og9unipQyOaO2

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2748	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2468	ijgys.exe
2472	syymmo.exe
2152	xukyo.exe

Loads dropped DLL 5 IoCs

pid	Process
2112	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe
2112	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe
2468	ijgys.exe
2468	ijgys.exe
2472	syymmo.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000018bf3-156.dat	upx
behavioral1/memory/2152-169-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2472-160-0x0000000004730000-0x00000000048C9000-memory.dmp	upx
behavioral1/memory/2152-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ijgys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syymmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xukyo.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2112	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe
2468	ijgys.exe
2472	syymmo.exe
2152	xukyo.exe
2152	xukyo.exe
2152	xukyo.exe
2152	xukyo.exe
2152	xukyo.exe
2152	xukyo.exe
2152	xukyo.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2468	2112	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe	30
PID 2112 wrote to memory of 2468	2112	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe	30
PID 2112 wrote to memory of 2468	2112	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe	30
PID 2112 wrote to memory of 2468	2112	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe	30
PID 2112 wrote to memory of 2748	2112	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe	31
PID 2112 wrote to memory of 2748	2112	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe	31
PID 2112 wrote to memory of 2748	2112	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe	31
PID 2112 wrote to memory of 2748	2112	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe	31
PID 2468 wrote to memory of 2472	2468	ijgys.exe	33
PID 2468 wrote to memory of 2472	2468	ijgys.exe	33
PID 2468 wrote to memory of 2472	2468	ijgys.exe	33
PID 2468 wrote to memory of 2472	2468	ijgys.exe	33
PID 2472 wrote to memory of 2152	2472	syymmo.exe	35
PID 2472 wrote to memory of 2152	2472	syymmo.exe	35
PID 2472 wrote to memory of 2152	2472	syymmo.exe	35
PID 2472 wrote to memory of 2152	2472	syymmo.exe	35
PID 2472 wrote to memory of 1176	2472	syymmo.exe	36
PID 2472 wrote to memory of 1176	2472	syymmo.exe	36
PID 2472 wrote to memory of 1176	2472	syymmo.exe	36
PID 2472 wrote to memory of 1176	2472	syymmo.exe	36

C:\Users\Admin\AppData\Local\Temp\713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe
"C:\Users\Admin\AppData\Local\Temp\713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\ijgys.exe
  "C:\Users\Admin\AppData\Local\Temp\ijgys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\syymmo.exe
    "C:\Users\Admin\AppData\Local\Temp\syymmo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\xukyo.exe
      "C:\Users\Admin\AppData\Local\Temp\xukyo.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2152
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
65cc072024906a1e81e3cf01d8a64b01

SHA1
b9c0873c4ebce3b26ead5ef0518838c2bbb9fedf

SHA256
f5c6283e829bbd59786fd941dcb1c239b2dcc692a111269ced084bc707d4f535

SHA512
21c804a5898c0d378977a233320a0ee18fbf7e5b8d5d97b427b6a3a3cf62aaa865f0ef681336df218b9265833221dbfd366d49ce3c638ff21c2133e12ee5e89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
cec8309e59dfa98b3d5cfd9098dbfe24

SHA1
aa49267906d4e30088829121ee5cc46b39a407d1

SHA256
d7e89a318eac757d6a94c73d714e763ea35934a575c9a0fdc197cf99c44f26d2

SHA512
7d6082e57f7845291ab3ec91ee093d2fde476bb71b12608918bdaf1624e9cb506339bb6b28b835ad141a2069eafa42fd22159e42d11c937d0df4d15cc1671b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bed58f55e8c0084bcde155873ec51253

SHA1
0a03fad0c954d1abdf770ce76fa243b36a1a9231

SHA256
11268796375f8af0760581dbfca8c010b5ac5f690a2bd02fe5898e3ee0126ae2

SHA512
123fc018eed02cc83574ad2c07009c7121458e76ca3dc72647cb1cc85be83595f4654b566706e35feda93b382ee30be31920caf65c90b9d2e568517078f38e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijgys.exe

Filesize
6.5MB

MD5
685089d1bd16698e4d2d5eb1fe175b4d

SHA1
386f621a30d9167573ea7693433409e019fdcc95

SHA256
013877ddcd7328851bff18e1b531fb034dd0fa84ee1401e1807fd9bc55d07fac

SHA512
ffb755df398ce24fb877eaa023c83cb40c9e22559cdf41c1875a0d906c2b0aba8b227dc3b324ef6928b42eee28f74ebe605bd8148f448eb5bfd418948b166447

Download Submit
\Users\Admin\AppData\Local\Temp\xukyo.exe

Filesize
459KB

MD5
ce78f8a5a971b24783983d859b7dfa7b

SHA1
a54c8faf19ed5a18cb30198026ffa1f8f0e02bc3

SHA256
1e8758aa952686cb7b03facf81d6916d6cba7303cde6a5850fadc830f4a7063d

SHA512
9be8b29a1b6ab8229261afa2f419b13cf67997dbb55bfa4a490ac6f8afa3ad0972baea831168eb59fb389afc4dfef3d486032163a1b672118833060e7315f831

Download Submit
memory/2112-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2112-11-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2112-37-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2112-35-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2112-33-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2112-30-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2112-28-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2112-25-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2112-23-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2112-20-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2112-18-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2112-15-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2112-13-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2112-60-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2112-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2112-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2112-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2112-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2112-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2112-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2112-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2112-56-0x0000000003D30000-0x000000000481C000-memory.dmp

Filesize
10.9MB

Download
memory/2112-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2152-169-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2152-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2468-87-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2468-151-0x00000000042E0000-0x0000000004DCC000-memory.dmp

Filesize
10.9MB

Download
memory/2468-75-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2468-72-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2468-67-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2468-65-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2468-70-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2468-110-0x00000000042E0000-0x0000000004DCC000-memory.dmp

Filesize
10.9MB

Download
memory/2468-109-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2468-77-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2468-85-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2468-80-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2468-82-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2468-61-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2472-170-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2472-160-0x0000000004730000-0x00000000048C9000-memory.dmp

Filesize
1.6MB

Download
memory/2472-152-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2472-113-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download