urelas | cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe
Size

442KB
MD5

fa6e8dd182cec92f3ed6ff7927eaf628
SHA1

612b64625bc72df8ac25d7163b45650647715832
SHA256

cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d
SHA512

885189e84e84e0bfe5f435678af9aeb43a7903ebd5fa44abca16f16adff3f9fa95850df8636c39e56e2751474872fde16ab14a503166b09bdda02f44b7c3b8c3
SSDEEP

12288:W33Xn66ga6ENOy+CDyepaccTCSjfkkItQU8eoPr:8Hn6/8NOy+CDQcciQpeoPr

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2752	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3044	asotq.exe
2860	luvuw.exe

Loads dropped DLL 2 IoCs

pid	Process
2272	cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe
3044	asotq.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2860-42-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-41.dat	upx
behavioral1/memory/2860-44-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2860-45-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2860-46-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2860-47-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2860-48-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2860-49-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luvuw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asotq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe
2860	luvuw.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2272	cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe
Token: SeIncBasePriorityPrivilege	2272	cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe
Token: 33	3044	asotq.exe
Token: SeIncBasePriorityPrivilege	3044	asotq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 3044	2272	cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe	28
PID 2272 wrote to memory of 3044	2272	cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe	28
PID 2272 wrote to memory of 3044	2272	cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe	28
PID 2272 wrote to memory of 3044	2272	cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe	28
PID 2272 wrote to memory of 2752	2272	cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe	29
PID 2272 wrote to memory of 2752	2272	cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe	29
PID 2272 wrote to memory of 2752	2272	cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe	29
PID 2272 wrote to memory of 2752	2272	cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe	29
PID 3044 wrote to memory of 2860	3044	asotq.exe	33
PID 3044 wrote to memory of 2860	3044	asotq.exe	33
PID 3044 wrote to memory of 2860	3044	asotq.exe	33
PID 3044 wrote to memory of 2860	3044	asotq.exe	33

C:\Users\Admin\AppData\Local\Temp\cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe
"C:\Users\Admin\AppData\Local\Temp\cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\asotq.exe
  "C:\Users\Admin\AppData\Local\Temp\asotq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\luvuw.exe
    "C:\Users\Admin\AppData\Local\Temp\luvuw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
6a7c84720548deff10f32c474b9a4845

SHA1
c3d2a47a81104e0960558d134b72b9d9aa4fa546

SHA256
4429ab7fac25beea789a89d68e2d73d697565d54aaa797abbce6b2038735c601

SHA512
1805e4f0fac1f05b8534fdae77c00fdc41845596364c4544cbde2eaadaa333b24249f8cd50c5cf693639b10171b3d5bd0acf2b91499fad7e26966a3c129db3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
86b6a1043dbde693b037fa86bc5e1d3b

SHA1
74d74de8f7bc5e9c9ea9195e290d7cb56227eb6f

SHA256
a6610ab106abedb4aacf22c4ac88eb8e6bd023db89b68392251c541be1c8794e

SHA512
aa52c2975495b5e809cf3ffb21a9a6a84f14d9a4648b7a8d112b0e7f34354b3010accf0a5834ea1175f08d8d93fa9b6da0e1038e0d677aee6b40a85fc0d424ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\luvuw.exe

Filesize
198KB

MD5
c5909f9b3cffa8d67ab33c49004e9f01

SHA1
9cfa083f0b0db0706233a88dbd16b149efb0d16f

SHA256
d19746329e43eb07e36d5b04ff122cb69879075c2017c069b672b92d2caf10cf

SHA512
a185740a2e9fc4885a1457ef1c7044731e526fc1b374979d0cab192e2239c030ee237cdb1b97613b5a9dc5545183585614206c5bd6a2262ec0de6a7f12986e8a

Download Submit
\Users\Admin\AppData\Local\Temp\asotq.exe

Filesize
442KB

MD5
1254a0a052b5886a5284c9ec8c16eac2

SHA1
ddb609e93834405209b5c356316cf38a553cb09b

SHA256
9f0bff522a00316e27ee08b4ac987211223ccab49fe810f4105405147f614500

SHA512
0ad45832e885dc6e37ac4d6d61ab657de1dd71bb3b5420b955bdd7df6b9f58b4794719de10aaffdeee6bd218d1c38175e516e4552637f5d543985356e4f48876

Download Submit
memory/2272-1-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2272-0-0x0000000001320000-0x000000000139C000-memory.dmp

Filesize
496KB

Download
memory/2272-9-0x0000000000A60000-0x0000000000ADC000-memory.dmp

Filesize
496KB

Download
memory/2272-21-0x0000000001320000-0x000000000139C000-memory.dmp

Filesize
496KB

Download
memory/2860-45-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2860-42-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2860-44-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2860-46-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2860-47-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2860-48-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2860-49-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3044-24-0x0000000000A30000-0x0000000000AAC000-memory.dmp

Filesize
496KB

Download
memory/3044-39-0x0000000000A30000-0x0000000000AAC000-memory.dmp

Filesize
496KB

Download
memory/3044-18-0x0000000000A30000-0x0000000000AAC000-memory.dmp

Filesize
496KB

Download
memory/3044-40-0x0000000003560000-0x00000000035FF000-memory.dmp

Filesize
636KB

Download
memory/3044-19-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download