urelas | 82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaada

General

Target

82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe
Size

555KB
MD5

cf52553cc6aee257442fe260af2f93d0
SHA1

8a11ac52fec6b34bbe9c6db52aa883afc9b0f1bd
SHA256

82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaada
SHA512

cd00bb53fd936434b818998262fc3b8233a179be85ad8305d13f2afdfaa63d8b3b7e2eb6adc3bdc8acc3b073e1c3e6809dbb47f854c65cbdc53cc0b700ba172e
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEy6:znPfQp9L3olqF6

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2432 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

devoz.execurov.exe

pid process

2272 devoz.exe
2540 curov.exe
Loads dropped DLL 2 IoCs

Processes:

82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exedevoz.exe

pid process

2236 82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe
2272 devoz.exe

pid	process
2432	cmd.exe

pid	process
2272	devoz.exe
2540	curov.exe

pid	process
2236	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe
2272	devoz.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\devoz.exe	upx
behavioral1/memory/2236-15-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2272-18-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2272-22-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2272-30-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\devoz.exe	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exedevoz.execmd.execurov.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curov.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

curov.exe

pid	process
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe
2540	curov.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exedevoz.exe

description	pid	process	target process
PID 2236 wrote to memory of 2272	2236	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe	devoz.exe
PID 2236 wrote to memory of 2272	2236	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe	devoz.exe
PID 2236 wrote to memory of 2272	2236	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe	devoz.exe
PID 2236 wrote to memory of 2272	2236	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe	devoz.exe
PID 2236 wrote to memory of 2432	2236	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe	cmd.exe
PID 2236 wrote to memory of 2432	2236	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe	cmd.exe
PID 2236 wrote to memory of 2432	2236	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe	cmd.exe
PID 2236 wrote to memory of 2432	2236	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe	cmd.exe
PID 2272 wrote to memory of 2540	2272	devoz.exe	curov.exe
PID 2272 wrote to memory of 2540	2272	devoz.exe	curov.exe
PID 2272 wrote to memory of 2540	2272	devoz.exe	curov.exe
PID 2272 wrote to memory of 2540	2272	devoz.exe	curov.exe

C:\Users\Admin\AppData\Local\Temp\82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe
"C:\Users\Admin\AppData\Local\Temp\82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\devoz.exe
  "C:\Users\Admin\AppData\Local\Temp\devoz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\curov.exe
    "C:\Users\Admin\AppData\Local\Temp\curov.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
06678586276f00e0f46939e4badd8cac

SHA1
31c7cbc38411e53714177d91076225d74b312745

SHA256
6106ae1cda2a57e48c9b16a2c2ae70ff73a43f19cd4fca74435d224eb159049d

SHA512
3dc125555297a95b6205e5a2844233f541ba64f19d71f74d919522b009ed17c8b925276cbf46e3f202f85a056f951889f3c17cf6751854ad7817176e12f87c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\devoz.exe

Filesize
555KB

MD5
3df92624a856a3d63beee639879da454

SHA1
71a47b105888c0d39a31221e822a4ea42072f3c8

SHA256
1b9e66f247a70cc34544688f6d03003acaedfb6a774e8ff2754ff76085c421d4

SHA512
8ceb1ab8a1bec2eb61764829dc3100f98396a311f80391941344340202dbcbf94b70d8550871c002bed56a04fd78e34621ae80b425591ee89d60e050e539bce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ab4daf131699b875e60dfb73f1832327

SHA1
43545621067f4744a50de867ec43078a4561eb36

SHA256
f903e824a93ae9da30dbe4fc2ae40059fed3456ac2965ef2ec06dd45179aca3e

SHA512
6d3784a276ef4ff62a3d9f8aafbdd475f30b769e5fc27b62f24d8c7cba1bf53b8d6a802910c5c3366d5ee55586e01b086be59d65f54884ad5d5ad2d3b398b267

Download Submit
\Users\Admin\AppData\Local\Temp\curov.exe

Filesize
194KB

MD5
cfb0debc42b4271586d0bc934c653734

SHA1
37f6864ae1238b58d14e3d1f690a20deb6176871

SHA256
ff78c077a680096af15a2bd0b29877ae57ef0c496792d0b6dca1543c2d6e62c0

SHA512
e504800d3fdca63618e8074d96f3955de182c138aa14a1838f9419d82a0ecddb7982df1f730d96555fefdf5a323d967236393a94d1e5495b66ca7fca204e7bf2

Download Submit
\Users\Admin\AppData\Local\Temp\devoz.exe

Filesize
555KB

MD5
dea5b627b2b51a1a87b614cb6713bef3

SHA1
5d8bf3d27f10b43da75323bcaf3059f7e2daf777

SHA256
239701e75cec4086263a38999eacad3060ce1535469538e188d6187743587d89

SHA512
29e1bbb6fcb7f86b74b3a95230c361cf35c3ae60b4c0696e84c2b4ccb001fcabac118c7286b77f9ad9e1416dc24bf05999414fec29c5a01375104363fa773ed2

Download Submit
memory/2236-16-0x00000000026B0000-0x0000000002766000-memory.dmp

Filesize
728KB

Download
memory/2236-15-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2236-21-0x00000000026B0000-0x0000000002766000-memory.dmp

Filesize
728KB

Download
memory/2236-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2272-22-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2272-27-0x0000000003CD0000-0x0000000003D64000-memory.dmp

Filesize
592KB

Download
memory/2272-30-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2272-18-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2540-31-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2540-34-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2540-35-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2540-36-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2540-37-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2540-38-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads