urelas | d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270b

General

Target

d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe
Size

555KB
MD5

54002530f17a3dc3197385ae3d462ef0
SHA1

508027e0775aed07382caa8f66d7c686b604b6c7
SHA256

d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270b
SHA512

df9cc425f2ced137a61f8df50db50bca43fc651edbb2b34c8e4e568ec319396bceefe32043ca83e051e4697eb323ff61aee622813198f82e9cde795120c52aad
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEy7:znPfQp9L3olqF7

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	argez.exe

Executes dropped EXE 2 IoCs

pid	Process
212	argez.exe
2268	moqoz.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2176-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/files/0x000e000000023ace-6.dat	upx
behavioral2/memory/212-12-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/2176-14-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/212-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/212-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	argez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	moqoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe
2268	moqoz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 212	2176	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe	87
PID 2176 wrote to memory of 212	2176	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe	87
PID 2176 wrote to memory of 212	2176	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe	87
PID 2176 wrote to memory of 3420	2176	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe	88
PID 2176 wrote to memory of 3420	2176	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe	88
PID 2176 wrote to memory of 3420	2176	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe	88
PID 212 wrote to memory of 2268	212	argez.exe	106
PID 212 wrote to memory of 2268	212	argez.exe	106
PID 212 wrote to memory of 2268	212	argez.exe	106

C:\Users\Admin\AppData\Local\Temp\d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe
"C:\Users\Admin\AppData\Local\Temp\d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\argez.exe
  "C:\Users\Admin\AppData\Local\Temp\argez.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\moqoz.exe
    "C:\Users\Admin\AppData\Local\Temp\moqoz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
5d846c9b3db0a4fb0cdbefc4fcb28f7e

SHA1
45676ba1f08ffc56b323ad6129aed2793880f7fb

SHA256
8ac145a334281111307407ad8dfb0fb5c2cf5a2c0428da77cf3ab7e5083adcbb

SHA512
11dd11d4e4f496d1693fa11b82c9197e6f20fc8d8dd73f8c333b6df182a844080209a9df5a3e8a43aa864abc95874561a5ed9e1a291f858586745c5b52c7ac64

Download Submit
C:\Users\Admin\AppData\Local\Temp\argez.exe

Filesize
555KB

MD5
a9d1e8ce6de910b4a98a8a57123b0a9e

SHA1
a4bcb3befefc1d808dc2884bcdcd6e3f550c45f2

SHA256
6fb8b3bbaa1302dd5f94f7cc174a8535cc4ce236c0824933a8f76c9d00ce7f44

SHA512
640bdd59915bb5518e13ec18198c1fc3255a7d029b9f6c8bb4fa6cea05a58c942d0fef36779b676937eb6e6379df8ab6a738b3710d17c4d1965a714eaf82acbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a25ea831adb9a1623329697bb80bdeec

SHA1
2c9c0c05d45a63c61580966eba7b97f598bd09ba

SHA256
c680156358e993ddb704df8d61852aefe4d5ae15e9de1da45e912337f2091ce8

SHA512
9d7192746f5dc889c59f8fafa86ced36092ebe7ef0fa0a4648c8e27c27adcadcce3e294139ac08cead4bb8c5a726ba6d5693689be478f97e30c7827bb699f17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\moqoz.exe

Filesize
194KB

MD5
8da178b7e4aaccc31cdae7a8feb7f90f

SHA1
d05265e4fb93ff42c18f970e45ac785a998e3fbb

SHA256
c00f676e681ab7624174a7d0a531072713da6896bae00b9a6876cd85587b678f

SHA512
2301285e62ffcda6437bb989ba55f7c156a9d0e099f851b73bd9e84b82e79a9bb019526841c6c4a111c72221a1737b59a17c3e04e050d6d15cde41e72d10889a

Download Submit
memory/212-12-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/212-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/212-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2176-14-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2176-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2268-26-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2268-27-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2268-31-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2268-30-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2268-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing