urelas | 7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47

General

Target

7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
Size

6.5MB
MD5

5a0997fb887c620d2815135e9a8f9e00
SHA1

b60b295c2ee512364978eb9d0dad3de46ab91a80
SHA256

7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47
SHA512

99eaa2bd1e12fa9f07458930e59b66fa5e9370983df605189c6b2dc147a2389c0bf668bed010512b432f705635fa071359dbd6ae499ee7653e2649a100b70b68
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSq:i0LrA2kHKQHNk3og9unipQyOaOq

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ycass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	kuizso.exe

Executes dropped EXE 3 IoCs

pid	Process
4436	ycass.exe
4064	kuizso.exe
3488	bidyw.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023ccc-65.dat	upx
behavioral2/memory/3488-72-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/3488-76-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ycass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kuizso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bidyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4008	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
4008	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
4436	ycass.exe
4436	ycass.exe
4064	kuizso.exe
4064	kuizso.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe
3488	bidyw.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 4436	4008	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	89
PID 4008 wrote to memory of 4436	4008	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	89
PID 4008 wrote to memory of 4436	4008	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	89
PID 4008 wrote to memory of 2336	4008	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	90
PID 4008 wrote to memory of 2336	4008	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	90
PID 4008 wrote to memory of 2336	4008	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	90
PID 4436 wrote to memory of 4064	4436	ycass.exe	92
PID 4436 wrote to memory of 4064	4436	ycass.exe	92
PID 4436 wrote to memory of 4064	4436	ycass.exe	92
PID 4064 wrote to memory of 3488	4064	kuizso.exe	110
PID 4064 wrote to memory of 3488	4064	kuizso.exe	110
PID 4064 wrote to memory of 3488	4064	kuizso.exe	110
PID 4064 wrote to memory of 4620	4064	kuizso.exe	111
PID 4064 wrote to memory of 4620	4064	kuizso.exe	111
PID 4064 wrote to memory of 4620	4064	kuizso.exe	111

C:\Users\Admin\AppData\Local\Temp\7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
"C:\Users\Admin\AppData\Local\Temp\7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Users\Admin\AppData\Local\Temp\ycass.exe
  "C:\Users\Admin\AppData\Local\Temp\ycass.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\kuizso.exe
    "C:\Users\Admin\AppData\Local\Temp\kuizso.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Users\Admin\AppData\Local\Temp\bidyw.exe
      "C:\Users\Admin\AppData\Local\Temp\bidyw.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
aefef7aa7f0199676941b34c9df61960

SHA1
434c6975ecf2b18e57feb8c0d8b5e77cb744b8ea

SHA256
1da8dec5db869ff91420ce9c81579acbae649d5954905f91fb8987b0ff09eb79

SHA512
811b8508670f8680449aa1d13f1b7db5faeaf67cc228f34afa3f765df9582491b36a5df29518eff1290d616b1daddf41672aa57dd884831cda5a16a092ae2826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
a3c258d464020f58fe88073c55ba4dd7

SHA1
51139ee4204c8e6d8ce88c552de02461bcbdb943

SHA256
28969d59abdb705c625108b9a612a0c003ba74b0ccaf85735be3c338c7b9f1c9

SHA512
90a3b63c6f91714c4da1c694b58996a260e801d30d436770d71e7e43bade406c843e7efdb9417baf1c534f925b80f27db49d3094b1cbbc0093f08162c4563cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bidyw.exe

Filesize
459KB

MD5
84ca18a4884b2aa38ee6f0feea07bb92

SHA1
2c0f93f197ba33054bb8ef55a9aa49097bdaf640

SHA256
f4cfe0004f43844d44a37d95b79f0a3d81b2b26b0352b30067e793b0f4e614cb

SHA512
b09bbf4a7e72e5f3616a271d9b63cf9c604d17ef7fbbcb06683e6d1098d0136728c036ef5130e98abaa4159a3c59a0a9cfd1eaebd29b20eaef78f93d1c0c3270

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f9cb051042ce30c90833f52da930ce8a

SHA1
8e7441d2928bf3b9a4fc9e98ddc1e34fe752fa78

SHA256
f63b4724b013aa72460dda3efefb400b5fc984a58c1c95f575f44629a0cc66bb

SHA512
fffcbb52772083e81394964fdcc1be7af5ce09d5327a36797539bb60d6108e5d9bd065e2b74dfe489396aabf806c10c43697347825085d4844c1c8768d9307b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycass.exe

Filesize
6.5MB

MD5
2389b231d509c6e609b2ea4a5a1584d6

SHA1
85d656c2f8b87989054d7ca70bd16a5917a23b2d

SHA256
c9f6dbc162ae6cc11f0396e2b0d1353f7d04c19aba30f47f97971522c9b71996

SHA512
55f898e84edba89d2a10571e023ca335e5eef952ced39317b758b508db61e4c1ff212593a6b8273f531b12e22e7c34d224a4b333e67bf57cc8566620f8162df8

Download Submit
memory/3488-72-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3488-76-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4008-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4008-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/4008-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4008-5-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/4008-6-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4008-26-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4008-27-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4008-7-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/4008-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4008-8-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/4008-1-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/4008-2-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/4008-3-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/4064-56-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4064-53-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4064-73-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4064-59-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4064-51-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/4064-52-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/4064-50-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4064-54-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/4064-55-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/4064-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4436-33-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/4436-32-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/4436-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4436-29-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/4436-30-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/4436-40-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4436-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4436-31-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/4436-34-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/4436-35-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/4436-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing