urelas | d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166

Analysis

max time kernel
150s
max time network
95s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Size

441KB
MD5

d1da72031f75e672f7186b06ba18db55
SHA1

7ae4e7a6ccaa68732aad13cf6e5a3c65bdae789b
SHA256

d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166
SHA512

a7477fa8383cca7cb1e55d5951ee95c8edbaaa1958ac7185f008db68af1920b8c51aed7be33747f6a05683bd7f22015e20dd8671ed9789de1ae9fbe934a5dd20
SSDEEP

12288:W33Xn66ga6ENOy+CDyepaccTCSjfkkItQU8eoPz:8Hn6/8NOy+CDQcciQpeoPz

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
828	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1248	nonud.exe
2248	gupup.exe

Loads dropped DLL 2 IoCs

pid	Process
2060	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
1248	nonud.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000193a0-35.dat	upx
behavioral1/memory/2248-42-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2248-45-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2248-44-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2248-46-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2248-47-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2248-48-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2248-49-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gupup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nonud.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe
2248	gupup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2060	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Token: SeIncBasePriorityPrivilege	2060	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Token: 33	1248	nonud.exe
Token: SeIncBasePriorityPrivilege	1248	nonud.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1248	2060	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	29
PID 2060 wrote to memory of 1248	2060	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	29
PID 2060 wrote to memory of 1248	2060	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	29
PID 2060 wrote to memory of 1248	2060	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	29
PID 2060 wrote to memory of 828	2060	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	30
PID 2060 wrote to memory of 828	2060	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	30
PID 2060 wrote to memory of 828	2060	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	30
PID 2060 wrote to memory of 828	2060	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	30
PID 1248 wrote to memory of 2248	1248	nonud.exe	32
PID 1248 wrote to memory of 2248	1248	nonud.exe	32
PID 1248 wrote to memory of 2248	1248	nonud.exe	32
PID 1248 wrote to memory of 2248	1248	nonud.exe	32

C:\Users\Admin\AppData\Local\Temp\d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
"C:\Users\Admin\AppData\Local\Temp\d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\nonud.exe
  "C:\Users\Admin\AppData\Local\Temp\nonud.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Users\Admin\AppData\Local\Temp\gupup.exe
    "C:\Users\Admin\AppData\Local\Temp\gupup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
316a8e3d57c7016014f9447eaf8257b2

SHA1
2dd24c4ada0c35dfbfdae4eddfc868da3cdb2b96

SHA256
c42e345d73f9601b0824e3d301c1bdb80916f2e4c449fb332e1a34d99434f981

SHA512
3f29c0db5d8fc4e5831f26a94265cf42096f7c5a6133d386b86bf7a56261ad6df4764483965d8f48cb49ed73b1cdfc08716c68bc7443e09972a76956062095a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e39448452b770bc101d70c3387aad16f

SHA1
7ff2d480ffe781f3b45f01ca051986a8d7a09568

SHA256
f7f395dd75151dce15e52ecfdbbfab00622615b49c5a4d067ceedd156f814892

SHA512
bb3955f5ddfd2cd0c2e3bcc8e911c257ef309ae55cc05e277bf285554c75aa16d7edad730cdebb7ece3a0b75c0edcbf020a60a1ba9553fe1f90ff8d52c6f79b1

Download Submit
\Users\Admin\AppData\Local\Temp\gupup.exe

Filesize
198KB

MD5
dea7a4b7f456c9db15d11bfd1caf6f41

SHA1
3f5dd9970091f619764fde7dbd9237519a3b57a1

SHA256
49f8ed83506abd16f5895c53208dadb41ec1c961e7a422d1e9fe382beb406046

SHA512
f8bcc57e4f3ca31a0569682cc20e9a609046bcedf8201797c52b2e5f6c95f1ec4c42fadf074901fcde2b3fc02ce8fb9bd1c7322f9b7ab6c7b9b151b4038d03d0

Download Submit
\Users\Admin\AppData\Local\Temp\nonud.exe

Filesize
441KB

MD5
3cdb75e48b7beececfff510a88c0485d

SHA1
99040eaefd334c5b99dc2973ce69539436d8cdf0

SHA256
128235ed97be1861b931de486d21bc9fa1759a5c0e72ceaf75577a1272143b83

SHA512
ab278d5d0795469d4d71c1bcb3c1ad3866a9389a564af90fbd71fdb715b638f930f6de78e9fa0b53fdf3a23b249c7bf784b6c22a51d33869481eec30e3b8dd09

Download Submit
memory/1248-19-0x0000000000840000-0x00000000008BC000-memory.dmp

Filesize
496KB

Download
memory/1248-38-0x0000000002FB0000-0x000000000304F000-memory.dmp

Filesize
636KB

Download
memory/1248-20-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1248-24-0x0000000000840000-0x00000000008BC000-memory.dmp

Filesize
496KB

Download
memory/1248-40-0x0000000000840000-0x00000000008BC000-memory.dmp

Filesize
496KB

Download
memory/2060-21-0x0000000000C00000-0x0000000000C7C000-memory.dmp

Filesize
496KB

Download
memory/2060-9-0x0000000000AA0000-0x0000000000B1C000-memory.dmp

Filesize
496KB

Download
memory/2060-1-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2060-0-0x0000000000C00000-0x0000000000C7C000-memory.dmp

Filesize
496KB

Download
memory/2248-42-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2248-45-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2248-44-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2248-46-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2248-47-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2248-48-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2248-49-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download