urelas | 7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47

General

Target

7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
Size

6.5MB
MD5

5a0997fb887c620d2815135e9a8f9e00
SHA1

b60b295c2ee512364978eb9d0dad3de46ab91a80
SHA256

7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47
SHA512

99eaa2bd1e12fa9f07458930e59b66fa5e9370983df605189c6b2dc147a2389c0bf668bed010512b432f705635fa071359dbd6ae499ee7653e2649a100b70b68
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSq:i0LrA2kHKQHNk3og9unipQyOaOq

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ocufve.exe7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exefesyc.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ocufve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fesyc.exe

Executes dropped EXE 3 IoCs

Processes:

fesyc.exeocufve.exemopub.exe

pid	Process
3812	fesyc.exe
4552	ocufve.exe
2468	mopub.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023cca-65.dat	upx
behavioral2/memory/2468-72-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/2468-76-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exefesyc.execmd.exeocufve.exemopub.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fesyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocufve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mopub.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exefesyc.exeocufve.exemopub.exe

pid	Process
4436	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
4436	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
3812	fesyc.exe
3812	fesyc.exe
4552	ocufve.exe
4552	ocufve.exe
2468	mopub.exe
2468	mopub.exe
2468	mopub.exe
2468	mopub.exe
2468	mopub.exe
2468	mopub.exe
2468	mopub.exe
2468	mopub.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exefesyc.exeocufve.exe

description	pid	Process	procid_target
PID 4436 wrote to memory of 3812	4436	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	87
PID 4436 wrote to memory of 3812	4436	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	87
PID 4436 wrote to memory of 3812	4436	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	87
PID 4436 wrote to memory of 3272	4436	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	88
PID 4436 wrote to memory of 3272	4436	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	88
PID 4436 wrote to memory of 3272	4436	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	88
PID 3812 wrote to memory of 4552	3812	fesyc.exe	90
PID 3812 wrote to memory of 4552	3812	fesyc.exe	90
PID 3812 wrote to memory of 4552	3812	fesyc.exe	90
PID 4552 wrote to memory of 2468	4552	ocufve.exe	102
PID 4552 wrote to memory of 2468	4552	ocufve.exe	102
PID 4552 wrote to memory of 2468	4552	ocufve.exe	102
PID 4552 wrote to memory of 1504	4552	ocufve.exe	103
PID 4552 wrote to memory of 1504	4552	ocufve.exe	103
PID 4552 wrote to memory of 1504	4552	ocufve.exe	103

C:\Users\Admin\AppData\Local\Temp\7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
"C:\Users\Admin\AppData\Local\Temp\7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Users\Admin\AppData\Local\Temp\fesyc.exe
  "C:\Users\Admin\AppData\Local\Temp\fesyc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\ocufve.exe
    "C:\Users\Admin\AppData\Local\Temp\ocufve.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\mopub.exe
      "C:\Users\Admin\AppData\Local\Temp\mopub.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
aefef7aa7f0199676941b34c9df61960

SHA1
434c6975ecf2b18e57feb8c0d8b5e77cb744b8ea

SHA256
1da8dec5db869ff91420ce9c81579acbae649d5954905f91fb8987b0ff09eb79

SHA512
811b8508670f8680449aa1d13f1b7db5faeaf67cc228f34afa3f765df9582491b36a5df29518eff1290d616b1daddf41672aa57dd884831cda5a16a092ae2826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
92dbc6bfa006a6130588dbf4eb318640

SHA1
2bf41095e93ff5c3e5fe494f4b56612dba9c8e66

SHA256
b5759be79ed8e444cb9184fe5c79dc7c3fe00a673fe027cd75a9f52fe39c2da8

SHA512
212b218460437eee82c2f1cd0a0ad77edf4ef8a08a8402902ac90a217d5f06c9fcdce10aa5b6c2467f272f32a1ca3513b3ea6eca755f857a82a28a8e36091588

Download Submit
C:\Users\Admin\AppData\Local\Temp\fesyc.exe

Filesize
6.5MB

MD5
70e554120674e54a0c57420710c31940

SHA1
6d3d4450f546b71b3cc72829e9b8056d5b8994d8

SHA256
baf1f195c5cfc8eba4b3ea1d5abe40658453739c68bdc866a8035279c0e4d629

SHA512
187ce2d5a075b9d312e6b6ec4c63b88f6515fec846add56b3cff6e77f51ef2e9ff56e11be436136417a4b5ea6425d11b59db07c773661eebae9c6f87c3948d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
57d9488bc8b2583f561f3cb007255f13

SHA1
b24a8e0370aed40c60bd491c432fad354580f433

SHA256
050ad1bbaeb64f44c72abaa4728be8aa6c2388ac0a1ebe14be79040e04a9385b

SHA512
5b8b7fde904d45b6a06edbf4a9325798ec0bc6856fd36bee38e7cffba5131385382f0a056e0f7d3b36cf31b3e96082bacad375ac32ed290e562793df47a7cbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mopub.exe

Filesize
459KB

MD5
e0adb815f6e87b3a6fe4be763bd546a9

SHA1
587d0d9357ab636f0ef2773ea1f06e93ca38532e

SHA256
0e749b53bf9537ec4d7d2bb6e57726a61a490f5084f4228fc1b1d5073f28adb9

SHA512
2c91bc105d4e31a432293b1a530ce0906824e69376dd09668448b760f0796dd5d851c2baece6b6173fd840d7fedb0d09a03228daf4f13f923806e930d56b3d6b

Download Submit
memory/2468-76-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2468-72-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3812-28-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/3812-29-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/3812-30-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/3812-33-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/3812-31-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/3812-32-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/3812-40-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3812-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3812-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3812-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3812-34-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/4436-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4436-4-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/4436-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4436-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4436-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4436-1-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4436-2-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/4436-3-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/4436-8-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/4436-7-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/4436-6-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/4436-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4436-5-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/4552-55-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/4552-52-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/4552-51-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/4552-50-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/4552-59-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4552-53-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/4552-54-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/4552-73-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4552-57-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4552-56-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/4552-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads