urelas | a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4

General

Target

a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe
Size

557KB
MD5

4622a1c2bba867048cb806ad43f8e3d0
SHA1

11f7083f9d3d1c03539175920d43c9d3dd23a72b
SHA256

a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4
SHA512

ff3c7aec51ff2d35faec5b7ca430183339c5158fe208be708c1518c123a7a231c2de0e811efc23051450b0126951e8b6234faa52a36a835f388b70c677a96777
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyP:znPfQp9L3olqFP

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lywue.exe

Executes dropped EXE 2 IoCs

pid	Process
2804	lywue.exe
3992	qycur.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1420-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/files/0x000e000000023a68-6.dat	upx
behavioral2/memory/1420-14-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/2804-13-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/2804-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/2804-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lywue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qycur.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe
3992	qycur.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2804	1420	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe	89
PID 1420 wrote to memory of 2804	1420	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe	89
PID 1420 wrote to memory of 2804	1420	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe	89
PID 1420 wrote to memory of 3472	1420	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe	90
PID 1420 wrote to memory of 3472	1420	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe	90
PID 1420 wrote to memory of 3472	1420	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe	90
PID 2804 wrote to memory of 3992	2804	lywue.exe	107
PID 2804 wrote to memory of 3992	2804	lywue.exe	107
PID 2804 wrote to memory of 3992	2804	lywue.exe	107

C:\Users\Admin\AppData\Local\Temp\a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe
"C:\Users\Admin\AppData\Local\Temp\a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\lywue.exe
  "C:\Users\Admin\AppData\Local\Temp\lywue.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\qycur.exe
    "C:\Users\Admin\AppData\Local\Temp\qycur.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
9cf7ac7e50996aefcbc907ca75b9698e

SHA1
7ca3b2d2b64ff07e7cde2129370bbc0b53500e79

SHA256
11611bcf4151395df19ef76e3d857ebae1d34127ade1e7368143618244dcbaea

SHA512
facff2c52ad39ded9df69712db4be8965f5ee7ef736f42578bd081fbfed9ffba1202de4f1ff99764d60db9154e5a6032b3041730da547e4659297a48666cda17

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
55e36c50f1edb83985acca95c9934540

SHA1
5ddcd32e4806eb4cd37dd863cce53aea7b5c5ca5

SHA256
138e293d5b1ce63fe390be826bc263338bd40bb72bae53393fca55a43ed1e545

SHA512
67b0ece72e798a3488c02046b1abffb7fe8ebb1b03bfb319114e0984e1bbaaa4d54007339e7dcca475c0660411cf3d1dea239317d6fcfb70c3fd1a7811cb844e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lywue.exe

Filesize
557KB

MD5
f4f655297d4cfc6e63dbb2d82cd0e34b

SHA1
0b231d092d976b72c0c53e63f6a8d0e23099e6d8

SHA256
e2355e44111c5839efb626b3fcedb14e5f08f3857ea9901dc22a526e5ab19b69

SHA512
a9948f686423718c80163f489e997c17d52ec56f42b538866e72ffd8cbb88142cde6b0abc5d981ffdd0730199363922e0052db5c9085bbd723c68825701ec54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qycur.exe

Filesize
194KB

MD5
8325697f3d3e5765c0f66744519a2b0c

SHA1
00b4263755cba369fe3b91e42a4a69cc05be86ad

SHA256
16265b783e4e4524fc4a4b9db5ce2c691f2b36dbc1517d4a88664a20fa3a993e

SHA512
58b94465504fecd4e94414f54b2d2d712e9c655f4c2373660d0b963945352232d22e2e45732930ffb6b37ce9925967ecabd5f51a6729f21c7a7d97f1786f2fc3

Download Submit
memory/1420-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1420-14-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2804-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2804-13-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2804-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3992-27-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/3992-26-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3992-30-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/3992-31-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3992-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing