urelas | 5e5c02c531739d8ba66ce5aa431e4443c2d5178a87ad6d957a566b418c445913

General

Target

712e479001a3b483063b6a4d4b5964d0N.exe
Size

84KB
MD5

712e479001a3b483063b6a4d4b5964d0
SHA1

11e47965cf00426997d9f569178c53fcf674a9c2
SHA256

5e5c02c531739d8ba66ce5aa431e4443c2d5178a87ad6d957a566b418c445913
SHA512

a7e6a89ad4d0014370621b45725cd64a40ddb42d30dd7c10bb4b22f5a232e3c3265a80b1be6b9dd0a9d7130642452873ab1b9c1b2e8db00fb51e96df49985045
SSDEEP

1536:Jz+jIHNv+vsFbwW6dk0QeLb4NMHriBRxiDkURd:JznH976dUCnuniDB

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

712e479001a3b483063b6a4d4b5964d0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000\Control Panel\International\Geo\Nation	712e479001a3b483063b6a4d4b5964d0N.exe

Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

3864 huter.exe

pid	process
3864	huter.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4628-0-0x0000000000400000-0x0000000000431000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\huter.exe	upx
behavioral2/memory/3864-15-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/4628-18-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3864-21-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3864-23-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3864-29-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

712e479001a3b483063b6a4d4b5964d0N.exehuter.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	712e479001a3b483063b6a4d4b5964d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

712e479001a3b483063b6a4d4b5964d0N.exe

description	pid	process	target process
PID 4628 wrote to memory of 3864	4628	712e479001a3b483063b6a4d4b5964d0N.exe	huter.exe
PID 4628 wrote to memory of 3864	4628	712e479001a3b483063b6a4d4b5964d0N.exe	huter.exe
PID 4628 wrote to memory of 3864	4628	712e479001a3b483063b6a4d4b5964d0N.exe	huter.exe
PID 4628 wrote to memory of 2504	4628	712e479001a3b483063b6a4d4b5964d0N.exe	cmd.exe
PID 4628 wrote to memory of 2504	4628	712e479001a3b483063b6a4d4b5964d0N.exe	cmd.exe
PID 4628 wrote to memory of 2504	4628	712e479001a3b483063b6a4d4b5964d0N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe
"C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a01dba4c45102fc15292fd5591166536

SHA1
d96191c30e0f09439d8547f4ededbf6726ccd54b

SHA256
cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904

SHA512
277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
84KB

MD5
891d6f54ce84db2ace947024f1b24938

SHA1
5e19efacb5dcad893f3b78b135febaac38709594

SHA256
47c0dbfcc8b84272f0e258261a90242aeeeeecb015f6379add048dba9f85eaa5

SHA512
4bbc08c3ba38db99a000b0cf90fcd134edf757d4ab26c6d5e86d85846923943bc8463561da8d6d23c45416b0d6ad10f134baebcc9de0e61b5b5ac59b85312e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
f938d0796f9bc8a9a5d2d746e9b1b373

SHA1
bb37010a8cb00fdc6709dba3cb29f16b2b86a2c5

SHA256
5f666132f16a5fa4b91310258545cb0446b16ac65130dfa10547ce3329e0c3a4

SHA512
de56e12498f652170ae03dc49ef04f185ff50f5cce30ed1fee4cc4af4c5a76f6b6667ab1cde19886034395f040362cda6b730ded8e12f95127e9b50059222a2c

Download Submit
memory/3864-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3864-21-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3864-23-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3864-29-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4628-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4628-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads