urelas | f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e

General

Target

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
Size

6.5MB
MD5

897f9c7d871aa6cfee73a8a226b2ce00
SHA1

71a7b5a797d80cc76fb7dbc0d209eacb290ccc0b
SHA256

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e
SHA512

d668d0a14399ff53680d138ba041e6fff2cf36241588d42aedeecab3095f575d6579b6878224975f9b0c0f68508bb466a2efdf2ff5bd4924db9982e610f7d070
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSo:i0LrA2kHKQHNk3og9unipQyOaOo

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exezilua.exerigure.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	zilua.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	rigure.exe

Executes dropped EXE 3 IoCs

Processes:

zilua.exerigure.exenotuz.exe

pid process

3928 zilua.exe
3096 rigure.exe
3184 notuz.exe

pid	process
3928	zilua.exe
3096	rigure.exe
3184	notuz.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\notuz.exe	upx
behavioral2/memory/3184-70-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/3184-75-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exef5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exezilua.execmd.exerigure.exenotuz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zilua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rigure.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notuz.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exezilua.exerigure.exenotuz.exe

pid	process
2544	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
2544	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
3928	zilua.exe
3928	zilua.exe
3096	rigure.exe
3096	rigure.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe
3184	notuz.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exezilua.exerigure.exe

description	pid	process	target process
PID 2544 wrote to memory of 3928	2544	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	zilua.exe
PID 2544 wrote to memory of 3928	2544	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	zilua.exe
PID 2544 wrote to memory of 3928	2544	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	zilua.exe
PID 2544 wrote to memory of 1836	2544	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	cmd.exe
PID 2544 wrote to memory of 1836	2544	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	cmd.exe
PID 2544 wrote to memory of 1836	2544	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	cmd.exe
PID 3928 wrote to memory of 3096	3928	zilua.exe	rigure.exe
PID 3928 wrote to memory of 3096	3928	zilua.exe	rigure.exe
PID 3928 wrote to memory of 3096	3928	zilua.exe	rigure.exe
PID 3096 wrote to memory of 3184	3096	rigure.exe	notuz.exe
PID 3096 wrote to memory of 3184	3096	rigure.exe	notuz.exe
PID 3096 wrote to memory of 3184	3096	rigure.exe	notuz.exe
PID 3096 wrote to memory of 2216	3096	rigure.exe	cmd.exe
PID 3096 wrote to memory of 2216	3096	rigure.exe	cmd.exe
PID 3096 wrote to memory of 2216	3096	rigure.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
"C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\zilua.exe
  "C:\Users\Admin\AppData\Local\Temp\zilua.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Users\Admin\AppData\Local\Temp\rigure.exe
    "C:\Users\Admin\AppData\Local\Temp\rigure.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\notuz.exe
      "C:\Users\Admin\AppData\Local\Temp\notuz.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
648266b1aba852bd22379f048bffb89c

SHA1
823570aed8ac39ccd25cb67539652b03cec52283

SHA256
dfe3961d3369b10df2483280f13ddeaf75d0c7569cf396275260edee3a2e2856

SHA512
f9a0c8fa6eca49c9aa159115632e9a0cc1285c6e275c2a0c1330a8a31c63db20708b0f2974d795f0f27e22b97b30f4d9ef1d7f9fffb863d791e252b743cd36ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
99c774238dde8dcabbcbd9218b3186a0

SHA1
db3cc894f3457dd2a28d2bf15c63159c4c8b634e

SHA256
cbe3415c7e081687de8473980ee98e6271e9b9fc9a07c91d1ea3858ba29b270e

SHA512
6863c40cd29af1e5074269dbd77e493ebc527a4e065166a55abeee892cbf121cf22cbda37f5cf3f92e4bcf1a86b82db95f0312f51f1e69482570b9b212bd6430

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
075d051fe0dfbe9c521a6e5b0208ffa5

SHA1
c4bdcb64f7a608cc68ffad4e44b7fbd6abeb889e

SHA256
229861765b43a2d9a30cdbbc5ab46643aeaec12b0eaa4da136e3f8d9e0b5a79e

SHA512
1d144d679e387c534daf1701dfb78e4239ba36525eecec0494cc379e971a29aba28fd805dfc8d24bfa55b417f25e733005dcfdd33064777c44142395ec0c69a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\notuz.exe

Filesize
459KB

MD5
c7d39e49ece7f7c82737ba0f317a2860

SHA1
0c1c7aed1f2570a7c4d4478d71f4bd73ad52d5b1

SHA256
fc407d5c85803dc0ac78206b5f153eb464ac35d28b92efe75994c2d3b5e21f2c

SHA512
ccefc836a9516f4056b6656ee82f4ae76c93f37c6b98edffbf95d59491c682350d94b458f0a5bb08f49bb60e89510274a41d4e4aef18584eec784978d025f401

Download Submit
C:\Users\Admin\AppData\Local\Temp\zilua.exe

Filesize
6.5MB

MD5
da45587ca740d3d8951fc9f3b4428800

SHA1
e5e11de8f8aeb63577363841ba802ef9f0d389af

SHA256
30c13a82b9ee8b11220cab130625be099642c0bce7bad392323f46bddef7dc45

SHA512
bf9534d6856f5837b152c10844a24dc829f0045296b73a5686979f0841e4b58c1a1e8731122074fcc148a91a911d54f579a46b09ade25d2c7cb2e2c599364144

Download Submit
memory/2544-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2544-4-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/2544-8-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/2544-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2544-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2544-2-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/2544-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2544-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2544-5-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/2544-3-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/2544-1-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2544-7-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/2544-6-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/3096-72-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3096-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3096-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3096-50-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/3096-51-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/3096-53-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/3096-54-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/3096-49-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/3096-52-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/3096-55-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/3184-70-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3184-75-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3928-34-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/3928-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3928-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3928-28-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/3928-29-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/3928-30-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/3928-31-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/3928-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3928-32-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/3928-33-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/3928-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3928-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads