urelas | f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e

General

Target

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
Size

6.5MB
MD5

897f9c7d871aa6cfee73a8a226b2ce00
SHA1

71a7b5a797d80cc76fb7dbc0d209eacb290ccc0b
SHA256

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e
SHA512

d668d0a14399ff53680d138ba041e6fff2cf36241588d42aedeecab3095f575d6579b6878224975f9b0c0f68508bb466a2efdf2ff5bd4924db9982e610f7d070
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSo:i0LrA2kHKQHNk3og9unipQyOaOo

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ruhoce.exef5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exegedev.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ruhoce.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	gedev.exe

Executes dropped EXE 3 IoCs

Processes:

gedev.exeruhoce.exerukoc.exe

pid	Process
3388	gedev.exe
2812	ruhoce.exe
3124	rukoc.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0009000000023cd7-64.dat	upx
behavioral2/memory/3124-71-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/3124-75-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exef5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exegedev.execmd.exeruhoce.exerukoc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gedev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruhoce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rukoc.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exegedev.exeruhoce.exerukoc.exe

pid	Process
632	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
632	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
3388	gedev.exe
3388	gedev.exe
2812	ruhoce.exe
2812	ruhoce.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe
3124	rukoc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exegedev.exeruhoce.exe

description	pid	Process	procid_target
PID 632 wrote to memory of 3388	632	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	86
PID 632 wrote to memory of 3388	632	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	86
PID 632 wrote to memory of 3388	632	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	86
PID 632 wrote to memory of 772	632	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	87
PID 632 wrote to memory of 772	632	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	87
PID 632 wrote to memory of 772	632	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	87
PID 3388 wrote to memory of 2812	3388	gedev.exe	90
PID 3388 wrote to memory of 2812	3388	gedev.exe	90
PID 3388 wrote to memory of 2812	3388	gedev.exe	90
PID 2812 wrote to memory of 3124	2812	ruhoce.exe	108
PID 2812 wrote to memory of 3124	2812	ruhoce.exe	108
PID 2812 wrote to memory of 3124	2812	ruhoce.exe	108
PID 2812 wrote to memory of 4544	2812	ruhoce.exe	109
PID 2812 wrote to memory of 4544	2812	ruhoce.exe	109
PID 2812 wrote to memory of 4544	2812	ruhoce.exe	109

C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
"C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\gedev.exe
  "C:\Users\Admin\AppData\Local\Temp\gedev.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\ruhoce.exe
    "C:\Users\Admin\AppData\Local\Temp\ruhoce.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\rukoc.exe
      "C:\Users\Admin\AppData\Local\Temp\rukoc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
99c774238dde8dcabbcbd9218b3186a0

SHA1
db3cc894f3457dd2a28d2bf15c63159c4c8b634e

SHA256
cbe3415c7e081687de8473980ee98e6271e9b9fc9a07c91d1ea3858ba29b270e

SHA512
6863c40cd29af1e5074269dbd77e493ebc527a4e065166a55abeee892cbf121cf22cbda37f5cf3f92e4bcf1a86b82db95f0312f51f1e69482570b9b212bd6430

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c6b4fd9724d3acadde72f074b7f72e0c

SHA1
412fdeafd1e880316ab987fa848e3009585b94d9

SHA256
d97bfd0af4f028ae86a2ccf92a9e8ff78773409b33836691638ff799060714e5

SHA512
c8cb44b0982d6bdc30209ad752c3dae18de9d9827d9d8fd51b6c7b882952020367f42ad045f4366c92cf768dba3c27bcdceb27e93d3961856c4af149cecf49ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gedev.exe

Filesize
6.5MB

MD5
e8b88762d5594168038d6d7641011883

SHA1
beb51257b6e7628f6d1c0f062db302d852256917

SHA256
1e68589f03bf9f1070a005adc42146161e12dbdfa0996242a7c54c3ec0c2b4a6

SHA512
8818f5f7bc2ed1ee6e8c651c79fa3fa6a8255bbe4744af8b362fcb93e9508d733356b52bde2b6b303c1e1dae6c78bd9c5460e442e5230eb9c5fc45c2b50fcc88

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
50ffcff27c1deda79c9431ed2fdf16c3

SHA1
2e4b99d338b3bdf07cd041ceaf83d2aec6ab02bf

SHA256
8b05dbba9b7bfb7ae8eb0dc097d5def24919d5f340b7a3e90914f4b001a5f3ac

SHA512
1db5e2dc8fbaec7ecdef19cd7a99f255e203c57cc87d11faa42682ce24c0adcdbd38d14e99b750f67b1f30085d99d0bc088673f84634c546fcfca2c4c95ee5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rukoc.exe

Filesize
459KB

MD5
7765b43b21beef9e44d6ed78756deb36

SHA1
5934011912a3b161508c48c0e62e8fb93126b324

SHA256
f66dc207b565a3fe2d10b62898b915e2ec927274e2b15fef6147d3706686ef27

SHA512
f0e70ffdb462aff14e0247e67ee072779b9b299961faddd0ff89e637fdfbfbbe6bb75d96f7a41cf2fd8a73d421ae5e0352a0610be907ba0f9b9b7e170181126d

Download Submit
memory/632-1-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/632-7-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/632-6-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/632-5-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/632-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/632-10-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/632-8-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/632-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/632-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/632-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/632-2-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/632-3-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/632-4-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/2812-53-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2812-52-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/2812-72-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2812-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2812-49-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/2812-50-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/2812-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2812-55-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/2812-54-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2812-51-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/3124-75-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3124-71-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3388-29-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/3388-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3388-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3388-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3388-34-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/3388-30-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/3388-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3388-31-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/3388-32-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/3388-28-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/3388-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3388-33-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads