urelas | 97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24

General

Target

97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe
Size

619KB
MD5

90c0231150a3ad592f124b8fb89c94d0
SHA1

60c692ea970051dba63797f175fb20668a34c5b0
SHA256

97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24
SHA512

f1747aa6bf856d1875b973f0bded047ca9e97f6b07b2c1158af0fbe381c222fcf893e48cbeaaced62b829fb92db13b2b46c6d4305e118d158263f5920c4d2506
SSDEEP

12288:8dBNKTCqqwXCcdgTY9+MvA+BisqYpxHte1oSC:8LjQC+Ps0Ya

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exexuyvb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	xuyvb.exe

Executes dropped EXE 2 IoCs

Processes:

xuyvb.exekauxo.exe

pid process

3112 xuyvb.exe
768 kauxo.exe

pid	process
3112	xuyvb.exe
768	kauxo.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/452-0-0x0000000000400000-0x000000000048B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\xuyvb.exe	upx
behavioral2/memory/3112-11-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/452-14-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3112-17-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3112-27-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kauxo.exe

pid	process
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe
768	kauxo.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exexuyvb.exe

description	pid	process	target process
PID 452 wrote to memory of 3112	452	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe	xuyvb.exe
PID 452 wrote to memory of 3112	452	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe	xuyvb.exe
PID 452 wrote to memory of 3112	452	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe	xuyvb.exe
PID 452 wrote to memory of 3924	452	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe	cmd.exe
PID 452 wrote to memory of 3924	452	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe	cmd.exe
PID 452 wrote to memory of 3924	452	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe	cmd.exe
PID 3112 wrote to memory of 768	3112	xuyvb.exe	kauxo.exe
PID 3112 wrote to memory of 768	3112	xuyvb.exe	kauxo.exe
PID 3112 wrote to memory of 768	3112	xuyvb.exe	kauxo.exe

C:\Users\Admin\AppData\Local\Temp\97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe
"C:\Users\Admin\AppData\Local\Temp\97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Local\Temp\xuyvb.exe
"C:\Users\Admin\AppData\Local\Temp\xuyvb.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112

C:\Users\Admin\AppData\Local\Temp\kauxo.exe
"C:\Users\Admin\AppData\Local\Temp\kauxo.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:3924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
340B

MD5
04de77754541ae43691060d4233f6a20

SHA1
58c0c2163d25ffcf2537d37e5e7ec05fc3a65594

SHA256
c51c129f255bc738961be5f7ecd71c8250c07c18a488003a745105eb976702a5

SHA512
39bc7e3b5b4586bef04a88b12b26779df72f255f713a9807c89b0641232dd5a757e7d818cbec820657a30978ad5bdfd2baeaf2cdb6bb1e9c6228e1b2724c8f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
60cc964a786bf8f23dca9bef27d4fed8

SHA1
2418cf17ff64fbc98ea9cfeb99ea6a68d02e2daf

SHA256
b927888b5048dd611a6934f43f7df4e5882dba3465777ac32fbd74b1ce135efc

SHA512
a11f884254d6dfe8be80e4ff6e67aa15288bf28908b1f98f8d28b2b8f7f8adc78fdde2e74f004b88dcafe81a70927804fd51459cee705c10c16facb06ff3f128

Download Submit
C:\Users\Admin\AppData\Local\Temp\kauxo.exe
Filesize
241KB

MD5
c5e6a58707e13f53bb638a6a78b45e2a

SHA1
6983dd4c70fbff2204e5c7dc3e2288a4939d727b

SHA256
e771d4651dc8bc7720a90d9ca67c5c42911278c04f5f582d31c2f815adf428d3

SHA512
68c7b29552d9c12e3d521cfa4e6505bffc77b3fa60989dcf0719a0bbe254da95d485eea8d4498c9e6cf34e82fbd7bec93ef1286fd1a648b4ea4505477c9c6c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuyvb.exe
Filesize
619KB

MD5
612c6d22daf52f91bfcbf56a5324d85a

SHA1
dae82fee75323f32c0a8e6805473dfc14e937104

SHA256
c94d1245f4e9ee8c5c7cb354cb78afd3ea9d7738511c36f625291bb9756ab7a3

SHA512
265a80780c7c0447221e147bfa1a036e7e1aa524f7b9cd56bde3280c5b1c1f4b3e4bbb21a72a0eefdab7b595ce0cf5f064930697269a3d84c4f5ce85f85c274b

Download Submit
memory/452-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/452-14-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/768-31-0x00000000007F0000-0x00000000008A6000-memory.dmp

Filesize
728KB

Download
memory/768-26-0x00000000007F0000-0x00000000008A6000-memory.dmp

Filesize
728KB

Download
memory/768-28-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/768-30-0x00000000007F0000-0x00000000008A6000-memory.dmp

Filesize
728KB

Download
memory/768-32-0x00000000007F0000-0x00000000008A6000-memory.dmp

Filesize
728KB

Download
memory/768-33-0x00000000007F0000-0x00000000008A6000-memory.dmp

Filesize
728KB

Download
memory/768-34-0x00000000007F0000-0x00000000008A6000-memory.dmp

Filesize
728KB

Download
memory/3112-17-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3112-27-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3112-11-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads