urelas | e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f

General

Target

e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe
Size

6.4MB
MD5

43859040ad488d1f1ceb32cdc9f4da18
SHA1

fdaeeb8b4ad0e3b54a270dd54260e4a841844fd4
SHA256

e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f
SHA512

4f2a98e263ac2ae8323dfd38956b7448e119f787d60b0cc1dd031032b0be37e6176ab4ea2c25eaaf3601b158f965831beb51df68be6d48bd81bdeb7717648a88
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSt:i0LrA2kHKQHNk3og9unipQyOaOt

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dodax.exe	UPX
behavioral2/memory/2444-70-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral2/memory/2444-74-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exeiwfeh.exetewymo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	iwfeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	tewymo.exe

Executes dropped EXE 3 IoCs

Processes:

iwfeh.exetewymo.exedodax.exe

pid process

3084 iwfeh.exe
3500 tewymo.exe
2444 dodax.exe

pid	process
3084	iwfeh.exe
3500	tewymo.exe
2444	dodax.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dodax.exe	upx
behavioral2/memory/2444-70-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/2444-74-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exeiwfeh.exetewymo.exedodax.exe

pid	process
1944	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe
1944	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe
3084	iwfeh.exe
3084	iwfeh.exe
3500	tewymo.exe
3500	tewymo.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe
2444	dodax.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exeiwfeh.exetewymo.exe

description	pid	process	target process
PID 1944 wrote to memory of 3084	1944	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe	iwfeh.exe
PID 1944 wrote to memory of 3084	1944	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe	iwfeh.exe
PID 1944 wrote to memory of 3084	1944	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe	iwfeh.exe
PID 1944 wrote to memory of 404	1944	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe	cmd.exe
PID 1944 wrote to memory of 404	1944	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe	cmd.exe
PID 1944 wrote to memory of 404	1944	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe	cmd.exe
PID 3084 wrote to memory of 3500	3084	iwfeh.exe	tewymo.exe
PID 3084 wrote to memory of 3500	3084	iwfeh.exe	tewymo.exe
PID 3084 wrote to memory of 3500	3084	iwfeh.exe	tewymo.exe
PID 3500 wrote to memory of 2444	3500	tewymo.exe	dodax.exe
PID 3500 wrote to memory of 2444	3500	tewymo.exe	dodax.exe
PID 3500 wrote to memory of 2444	3500	tewymo.exe	dodax.exe
PID 3500 wrote to memory of 3880	3500	tewymo.exe	cmd.exe
PID 3500 wrote to memory of 3880	3500	tewymo.exe	cmd.exe
PID 3500 wrote to memory of 3880	3500	tewymo.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe
"C:\Users\Admin\AppData\Local\Temp\e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\iwfeh.exe
  "C:\Users\Admin\AppData\Local\Temp\iwfeh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Users\Admin\AppData\Local\Temp\tewymo.exe
    "C:\Users\Admin\AppData\Local\Temp\tewymo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\Users\Admin\AppData\Local\Temp\dodax.exe
      "C:\Users\Admin\AppData\Local\Temp\dodax.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:3880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
20e9893e9c6376bcd5b31577cc4cd920

SHA1
2e8311391fc6bedb98f7c364bf412f6f66569c44

SHA256
d02101ad651761c8dc18ffbc905b75aed8084ff0a7f76176676fceb2a901d7cb

SHA512
be455ac818085870d33b6410501b541db6e85e0d82071bbd0a3b90ede9aacdb8e3b4e004c4a88a76d7952633ac76ecdf908e61b49cdae686d50db32baabaac76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
2cd345598aa15cbc010e6d60eba1f04b

SHA1
0b0ae13c78ce0b7ddb8cbdd0b0f353648de598a8

SHA256
6990347d7d663caa0ac49b54254e728a96eec0a0c622b7d3375d72b75de60d6f

SHA512
6f4f97acac1063f8a3e3841c7cc592f270653a941ffc0b8ffa79d97a6335ad532be6f3d54cacc2a2938bebb6d9e780267714846e7f9fc0b2f4b576f93b019795

Download Submit
C:\Users\Admin\AppData\Local\Temp\dodax.exe

Filesize
459KB

MD5
0e288540f96778f22f96e11f0d996536

SHA1
85a4158c1968ce463a078de321eb4f1798a387ce

SHA256
b7f6875912174f2761d9f237d99890939f6cdc113a94d47af3d08b181e179adc

SHA512
9a23738ef111e97b022aeb6b3bb6e169be6e9ee9cf512e6bfa3555a302f0c7011488be8a1a87751827eef53fae29b91b83c0df3dd9bca56056d00a9300c1aee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5ca4aa6f0d73800075db8f7148c02676

SHA1
1f527890b6b6b488412b9f64a01dc28e44bec3a6

SHA256
835541a34bb5c4e8e92213921ccb0cd6bfc90bb9de4205cf8655a0d86e0e15db

SHA512
ad56a308272aca89efddb30041620b6d27c28f1d7ab8a5936428ab259ac11293505566c616ab082da3032c2ca3fb3f8d788c82aa3b72c38452c0db363afe7429

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwfeh.exe

Filesize
6.4MB

MD5
22a790abc4c1f66bf582dede5a43880e

SHA1
e05fd8c4f09a2e015b0a01af8f601b2724101d45

SHA256
13500f1bbfd5f17941edd637d0aae9e5e26118ffd9634e7665ec3b40e993b28b

SHA512
bc4307c2a5eeb19805e4af2f4d8ce1d44d2251b493a9339b4c0fbacfe7fae856e1f490bfade7c375efb2a5dec09b544e029a99d7e2177978726a0deca75cc558

Download Submit
memory/1944-6-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/1944-25-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1944-2-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/1944-1-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/1944-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1944-5-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/1944-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1944-4-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/1944-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1944-7-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/1944-9-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1944-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1944-3-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2444-70-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2444-74-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3084-33-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/3084-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3084-30-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3084-29-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/3084-28-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3084-32-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/3084-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3084-26-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3084-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3084-31-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3084-34-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/3084-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3500-55-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3500-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3500-50-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/3500-51-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/3500-71-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3500-54-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/3500-53-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3500-52-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads