urelas | 803b529bcbc525a567dc870da31858520c17ba81e28a27aca5ca76b01d2cd592

General

Target

ac10d066d14222656dad6bc235568a00N.exe
Size

6.5MB
MD5

ac10d066d14222656dad6bc235568a00
SHA1

db165f408c0b22d6e71e948bb23a469aac2fe276
SHA256

803b529bcbc525a567dc870da31858520c17ba81e28a27aca5ca76b01d2cd592
SHA512

2746168048bebe0497f29d883c412872018f071cf169f8b7ae9c9605e9769f5638c3ff70fe0d1e326821ae2820e6a68389baaaab61b657db24735f4ad9c129b7
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSw:i0LrA2kHKQHNk3og9unipQyOaOw

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ryifdu.exeac10d066d14222656dad6bc235568a00N.exesyvep.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	ryifdu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	ac10d066d14222656dad6bc235568a00N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	syvep.exe

Executes dropped EXE 3 IoCs

Processes:

syvep.exeryifdu.exeovtay.exe

pid process

916 syvep.exe
1420 ryifdu.exe
528 ovtay.exe

pid	process
916	syvep.exe
1420	ryifdu.exe
528	ovtay.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ovtay.exe	upx
behavioral2/memory/528-69-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/528-74-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ryifdu.exeovtay.execmd.exeac10d066d14222656dad6bc235568a00N.exesyvep.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ryifdu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ovtay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac10d066d14222656dad6bc235568a00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syvep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

ac10d066d14222656dad6bc235568a00N.exesyvep.exeryifdu.exeovtay.exe

pid	process
3384	ac10d066d14222656dad6bc235568a00N.exe
3384	ac10d066d14222656dad6bc235568a00N.exe
916	syvep.exe
916	syvep.exe
1420	ryifdu.exe
1420	ryifdu.exe
528	ovtay.exe
528	ovtay.exe
528	ovtay.exe
528	ovtay.exe
528	ovtay.exe
528	ovtay.exe
528	ovtay.exe
528	ovtay.exe
528	ovtay.exe
528	ovtay.exe
528	ovtay.exe
528	ovtay.exe
528	ovtay.exe
528	ovtay.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ac10d066d14222656dad6bc235568a00N.exesyvep.exeryifdu.exe

description	pid	process	target process
PID 3384 wrote to memory of 916	3384	ac10d066d14222656dad6bc235568a00N.exe	syvep.exe
PID 3384 wrote to memory of 916	3384	ac10d066d14222656dad6bc235568a00N.exe	syvep.exe
PID 3384 wrote to memory of 916	3384	ac10d066d14222656dad6bc235568a00N.exe	syvep.exe
PID 3384 wrote to memory of 1036	3384	ac10d066d14222656dad6bc235568a00N.exe	cmd.exe
PID 3384 wrote to memory of 1036	3384	ac10d066d14222656dad6bc235568a00N.exe	cmd.exe
PID 3384 wrote to memory of 1036	3384	ac10d066d14222656dad6bc235568a00N.exe	cmd.exe
PID 916 wrote to memory of 1420	916	syvep.exe	ryifdu.exe
PID 916 wrote to memory of 1420	916	syvep.exe	ryifdu.exe
PID 916 wrote to memory of 1420	916	syvep.exe	ryifdu.exe
PID 1420 wrote to memory of 528	1420	ryifdu.exe	ovtay.exe
PID 1420 wrote to memory of 528	1420	ryifdu.exe	ovtay.exe
PID 1420 wrote to memory of 528	1420	ryifdu.exe	ovtay.exe
PID 1420 wrote to memory of 3640	1420	ryifdu.exe	cmd.exe
PID 1420 wrote to memory of 3640	1420	ryifdu.exe	cmd.exe
PID 1420 wrote to memory of 3640	1420	ryifdu.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ac10d066d14222656dad6bc235568a00N.exe
"C:\Users\Admin\AppData\Local\Temp\ac10d066d14222656dad6bc235568a00N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3384

C:\Users\Admin\AppData\Local\Temp\syvep.exe
"C:\Users\Admin\AppData\Local\Temp\syvep.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\ryifdu.exe
"C:\Users\Admin\AppData\Local\Temp\ryifdu.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\ovtay.exe
"C:\Users\Admin\AppData\Local\Temp\ovtay.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
- System Location Discovery: System Language Discovery
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- System Location Discovery: System Language Discovery
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
278B

MD5
e9573e14b646336380998a9ee3c2afe9

SHA1
1e0e3e650ff1ad9ffecda30ecdfa716599fecf38

SHA256
76e6277308668e23a463fed9a3b68c7d5e6efbf951bba5bcb93796298e71d2a8

SHA512
79acef9a33699476a09f4437ce4976be6ffa19aecfc757ffb31c167edef475194b71ac1956ea27fe12729f121546f98e95055a19cbbb60257162dcdd15a297ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
fac134bcc3206613e8b8f76fc9bc8db8

SHA1
229251faf996f2012febe84c371623dd10f053d4

SHA256
166027b109633e0c408dc22bb38f7fcd8e41c110d8e872e5b89b0fcc7967ae19

SHA512
dd8d45c1ff4bd1939533df0facefb30188e385bfefbc8c8329cb89490d328b1086a5455649db8b9af23464229dbb6eb82f3e59fabb80f60c96415dd0b9f8650d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c1adaa29fac1611dd5b81d6fe4c4cfb6

SHA1
2660319c47f4d1269e05da103c4b99db5fa1031e

SHA256
acb28eece200c34abe879b28b36ec90476f6680de7c2892439e2fcd8c5a622cf

SHA512
8e35fa74213a14f75fb3f588e6e49515ab2db1538d816fd4db087e005151c3623340e94f62e5fc99cdcf9edf6c5af84ce23335ed88024b711dcb506def5c5384

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovtay.exe

Filesize
459KB

MD5
a348e4ced2b3a303c97ad8b92545fc59

SHA1
4960db6b81f360cb7452cb03ba95c0c98bcd954a

SHA256
5f6e3b6dd099391c2c85e956231f5ff70bcd3597e1503c591489110f5201161d

SHA512
8b5f3894e145d68c436c7b6171c44f541395459ab96e58a1ffd6d6e684681790a247f0afd0dcd58c105d3887fbce4ced320593f25739754fd48ab82b023870e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\syvep.exe

Filesize
6.5MB

MD5
4a6ecff10c3f151d94ce2d7c14fe3298

SHA1
d92006ffb9b2e8da08346475ffc88eb4ddaecd77

SHA256
b2a61fc08d27e4f5d60a7b909727d36a4da4d7bab5b5c6e93daa568a5f5a5830

SHA512
6e75543dbcdb5ff5f3c0c31729ac1a02a7782c51f78b651c040422e2f98689eea789c7fedca77e4ca7092bd1cee4d2a36b9132d4be7e458e9402a4429985d268

Download Submit
memory/528-74-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/528-69-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/916-31-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/916-30-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/916-34-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/916-29-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/916-32-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/916-33-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/916-28-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/916-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/916-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/916-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/916-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/916-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1420-55-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1420-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1420-71-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1420-49-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1420-50-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/1420-52-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1420-53-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1420-54-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/1420-51-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/3384-5-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/3384-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3384-6-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/3384-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/3384-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/3384-2-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/3384-1-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/3384-7-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/3384-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3384-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3384-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3384-9-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/3384-3-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads