urelas | d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166

Analysis

max time kernel
149s
max time network
94s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Size

441KB
MD5

d1da72031f75e672f7186b06ba18db55
SHA1

7ae4e7a6ccaa68732aad13cf6e5a3c65bdae789b
SHA256

d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166
SHA512

a7477fa8383cca7cb1e55d5951ee95c8edbaaa1958ac7185f008db68af1920b8c51aed7be33747f6a05683bd7f22015e20dd8671ed9789de1ae9fbe934a5dd20
SSDEEP

12288:W33Xn66ga6ENOy+CDyepaccTCSjfkkItQU8eoPz:8Hn6/8NOy+CDQcciQpeoPz

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2992	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2272	konuh.exe
3008	luruj.exe

Loads dropped DLL 2 IoCs

pid	Process
2108	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
2272	konuh.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2272-37-0x00000000036F0000-0x000000000378F000-memory.dmp	upx
behavioral1/files/0x0008000000016d64-35.dat	upx
behavioral1/memory/3008-42-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/3008-45-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/3008-46-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/3008-47-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/3008-48-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/3008-49-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/3008-50-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	konuh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luruj.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe
3008	luruj.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2108	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Token: SeIncBasePriorityPrivilege	2108	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
Token: 33	2272	konuh.exe
Token: SeIncBasePriorityPrivilege	2272	konuh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2272	2108	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	30
PID 2108 wrote to memory of 2272	2108	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	30
PID 2108 wrote to memory of 2272	2108	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	30
PID 2108 wrote to memory of 2272	2108	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	30
PID 2108 wrote to memory of 2992	2108	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	31
PID 2108 wrote to memory of 2992	2108	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	31
PID 2108 wrote to memory of 2992	2108	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	31
PID 2108 wrote to memory of 2992	2108	d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe	31
PID 2272 wrote to memory of 3008	2272	konuh.exe	33
PID 2272 wrote to memory of 3008	2272	konuh.exe	33
PID 2272 wrote to memory of 3008	2272	konuh.exe	33
PID 2272 wrote to memory of 3008	2272	konuh.exe	33

C:\Users\Admin\AppData\Local\Temp\d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe
"C:\Users\Admin\AppData\Local\Temp\d8a3742557599b1c6df23dee49091d2ca6e0a30d1e1b9f1b324f73dfa77da166.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\konuh.exe
  "C:\Users\Admin\AppData\Local\Temp\konuh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\luruj.exe
    "C:\Users\Admin\AppData\Local\Temp\luruj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
316a8e3d57c7016014f9447eaf8257b2

SHA1
2dd24c4ada0c35dfbfdae4eddfc868da3cdb2b96

SHA256
c42e345d73f9601b0824e3d301c1bdb80916f2e4c449fb332e1a34d99434f981

SHA512
3f29c0db5d8fc4e5831f26a94265cf42096f7c5a6133d386b86bf7a56261ad6df4764483965d8f48cb49ed73b1cdfc08716c68bc7443e09972a76956062095a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8fb58144ea41f91ff89852d8b7f3fd88

SHA1
606f01a87490f410f681e6e31bfc5c9a22f2c68a

SHA256
3523983bbd8075bc88b6ccf3e69c348a2fd06e9ce0e1c50b104baf1c63df4808

SHA512
db43ed7ef5b76767771881e805c01eb9a748ff0a1b9fa3a60c53a95a36f302d1b177bf34e01e01209f4101624a40a798023f2e9978d24573ef4968b6dc30b9db

Download Submit
\Users\Admin\AppData\Local\Temp\konuh.exe

Filesize
441KB

MD5
0da8c45269914221f6ad08fac83e9795

SHA1
47638c7fc760446a0b9ee1a4d2e6dc7038fc3661

SHA256
1cf23467cfd501be3d81529d6516edeedf0f05441c868719162982af9d726863

SHA512
0cf6ceb74a848ba8fc0f6a12c5484055058097e5ee8ccf11905622368b146a8c9fcd7c7d6ac09fce14917cb94ec84bdd285b6eec3c9b7fa022808102c4dadc81

Download Submit
\Users\Admin\AppData\Local\Temp\luruj.exe

Filesize
198KB

MD5
a5339756fadb6d33d2a63726aaa90fa4

SHA1
197a8aba550710c6f2cf1a15252af71fb21f55a8

SHA256
3560a787505ae8397e4bf85703c88ed6ec061471af15b702c820f35e28c39a76

SHA512
75633c7003b73930cbafcfce41bc496643ff42d4e3f506766a69cd0824037b344b96ae380ff48e3de29dfaaf088ee2dd282eb438d728e5326ee1e3be13ddf3d2

Download Submit
memory/2108-1-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2108-0-0x0000000001240000-0x00000000012BC000-memory.dmp

Filesize
496KB

Download
memory/2108-9-0x00000000026C0000-0x000000000273C000-memory.dmp

Filesize
496KB

Download
memory/2108-21-0x0000000001240000-0x00000000012BC000-memory.dmp

Filesize
496KB

Download
memory/2272-37-0x00000000036F0000-0x000000000378F000-memory.dmp

Filesize
636KB

Download
memory/2272-24-0x0000000000870000-0x00000000008EC000-memory.dmp

Filesize
496KB

Download
memory/2272-11-0x0000000000870000-0x00000000008EC000-memory.dmp

Filesize
496KB

Download
memory/2272-18-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2272-41-0x0000000000870000-0x00000000008EC000-memory.dmp

Filesize
496KB

Download
memory/2272-44-0x00000000036F0000-0x000000000378F000-memory.dmp

Filesize
636KB

Download
memory/3008-42-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3008-45-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3008-46-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3008-47-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3008-48-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3008-49-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3008-50-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download