urelas | 957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4

General

Target

957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe
Size

1.1MB
MD5

1cd06da3cd3bca9f799fcc8df4fd76d0
SHA1

d24eef01099a4daa0c26b273baf541de2cf5f577
SHA256

957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4
SHA512

b4a285b5596a4e04ef650bd6fadb8abb32418a2cd3271e3a2b4d0f7d990130e932f33c6af25e0d549c857145c6fc5cb59b1fe221594f0495709d619bb05fe175
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5Y1:tcykpY5852j6aJGl5cqB8

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2248	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

pyzin.exejuhoyv.exekokut.exe

pid	Process
3056	pyzin.exe
2376	juhoyv.exe
1808	kokut.exe

Loads dropped DLL 5 IoCs

Processes:

957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exepyzin.exejuhoyv.exe

pid	Process
2096	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe
2096	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe
3056	pyzin.exe
3056	pyzin.exe
2376	juhoyv.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0009000000018669-45.dat	upx
behavioral1/memory/2376-44-0x0000000003D20000-0x0000000003EB9000-memory.dmp	upx
behavioral1/memory/1808-53-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1808-58-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pyzin.execmd.exejuhoyv.exekokut.execmd.exe957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyzin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	juhoyv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kokut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

kokut.exe

pid	Process
1808	kokut.exe
1808	kokut.exe
1808	kokut.exe
1808	kokut.exe
1808	kokut.exe
1808	kokut.exe
1808	kokut.exe
1808	kokut.exe
1808	kokut.exe
1808	kokut.exe
1808	kokut.exe
1808	kokut.exe
1808	kokut.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exepyzin.exejuhoyv.exe

description	pid	Process	procid_target
PID 2096 wrote to memory of 3056	2096	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe	31
PID 2096 wrote to memory of 3056	2096	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe	31
PID 2096 wrote to memory of 3056	2096	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe	31
PID 2096 wrote to memory of 3056	2096	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe	31
PID 2096 wrote to memory of 2248	2096	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe	32
PID 2096 wrote to memory of 2248	2096	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe	32
PID 2096 wrote to memory of 2248	2096	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe	32
PID 2096 wrote to memory of 2248	2096	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe	32
PID 3056 wrote to memory of 2376	3056	pyzin.exe	34
PID 3056 wrote to memory of 2376	3056	pyzin.exe	34
PID 3056 wrote to memory of 2376	3056	pyzin.exe	34
PID 3056 wrote to memory of 2376	3056	pyzin.exe	34
PID 2376 wrote to memory of 1808	2376	juhoyv.exe	35
PID 2376 wrote to memory of 1808	2376	juhoyv.exe	35
PID 2376 wrote to memory of 1808	2376	juhoyv.exe	35
PID 2376 wrote to memory of 1808	2376	juhoyv.exe	35
PID 2376 wrote to memory of 2424	2376	juhoyv.exe	36
PID 2376 wrote to memory of 2424	2376	juhoyv.exe	36
PID 2376 wrote to memory of 2424	2376	juhoyv.exe	36
PID 2376 wrote to memory of 2424	2376	juhoyv.exe	36

C:\Users\Admin\AppData\Local\Temp\957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe
"C:\Users\Admin\AppData\Local\Temp\957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\pyzin.exe
  "C:\Users\Admin\AppData\Local\Temp\pyzin.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\juhoyv.exe
    "C:\Users\Admin\AppData\Local\Temp\juhoyv.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\kokut.exe
      "C:\Users\Admin\AppData\Local\Temp\kokut.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
0745769dfcccc782a1be035c72ad5a80

SHA1
9eb4ee056290e078c9c4f0f90baf021f6f6918bb

SHA256
57ad03f6a04ee18621a62d12f077903c7f466498dfe4873fb64b0478fd3f470e

SHA512
64e2e54800767bf7b9049e4d3321174c2e49f5b8f1dae861eef3472993e2cdfbdbf4ccd3635329612b8c18068e99a715d02019b6652acd349e33d09533931d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
cacef9847d3eb06884ebab2fa8c980ca

SHA1
791ee1b7b5b38184f5c10fa12d225828d86d5259

SHA256
8b846fd15a4fc286bd6501081caff1060e6f9e9ac4d7f78b2094d6c137e3862c

SHA512
af2dc22b065495e55568287fe2f155ea467b463c8d4251079ac07d6116bd9cfd10d41ec66f3149c17dac9f017f27f9be07c2e8944f4374da6bda4937ee6abc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2375600bd93b3743283e0175c45b82c7

SHA1
5fb8f35277421956559c37fb7c7fb672a2fc1177

SHA256
48f04e89b85bd03d3780f4ba325d0672629e83b50a8f6d4ae04b73b4145e196a

SHA512
923e2b5a12e7b876808b80f96772c07bc743867ad6b9325882517890103d432352edbd167739d421a7bfc12143ed8440bde96bb7e7282c61263827fea213245c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kokut.exe

Filesize
459KB

MD5
267c4f06d9637e60c434595641e247f7

SHA1
bb2d288c9762777d3713c73ff58a9e8da88f2aa1

SHA256
35e42701210e1380ca2e2ac6305e64ac67a6f5fa4128258d15ee259565640f23

SHA512
553bb11fb3e51f56dfb7b8bd42e6b0c21be121191858e688753745317d1f046f7e27e9fb7d5ebad5cb754874fb7f06d974ca13f4b1f3fe1bd6047bb8c9aeff84

Download Submit
\Users\Admin\AppData\Local\Temp\pyzin.exe

Filesize
1.1MB

MD5
596939459aeab2abe99666b4db5d4b00

SHA1
abef1dd1c5aabfe2f3b2854c96ba8899f707774c

SHA256
f00c19db329b26334488d0b58a04f609ffb79551b8c86c8428d4418dc357b056

SHA512
3c0889bd013731628fd483f6ce3c9c41da819a60437d3a86204b0c363c169c8e6938bee98a2ff375ab07a345df4738bca773db33584773e7b2719b28c11e14f8

Download Submit
memory/1808-58-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1808-53-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2096-22-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2096-11-0x00000000025F0000-0x0000000002714000-memory.dmp

Filesize
1.1MB

Download
memory/2096-1-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2376-44-0x0000000003D20000-0x0000000003EB9000-memory.dmp

Filesize
1.6MB

Download
memory/2376-36-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2376-54-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3056-35-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3056-32-0x0000000003370000-0x0000000003494000-memory.dmp

Filesize
1.1MB

Download
memory/3056-21-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads