urelas | 82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaada

General

Target

82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe
Size

555KB
MD5

cf52553cc6aee257442fe260af2f93d0
SHA1

8a11ac52fec6b34bbe9c6db52aa883afc9b0f1bd
SHA256

82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaada
SHA512

cd00bb53fd936434b818998262fc3b8233a179be85ad8305d13f2afdfaa63d8b3b7e2eb6adc3bdc8acc3b073e1c3e6809dbb47f854c65cbdc53cc0b700ba172e
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEy6:znPfQp9L3olqF6

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iznul.exe82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	iznul.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe

Executes dropped EXE 2 IoCs

Processes:

iznul.execooxr.exe

pid process

1312 iznul.exe
2612 cooxr.exe

pid	process
1312	iznul.exe
2612	cooxr.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3364-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\iznul.exe	upx
behavioral2/memory/1312-12-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/3364-14-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/1312-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/1312-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

iznul.execmd.execooxr.exe82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iznul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cooxr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cooxr.exe

pid	process
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe
2612	cooxr.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exeiznul.exe

description	pid	process	target process
PID 3364 wrote to memory of 1312	3364	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe	iznul.exe
PID 3364 wrote to memory of 1312	3364	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe	iznul.exe
PID 3364 wrote to memory of 1312	3364	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe	iznul.exe
PID 3364 wrote to memory of 2452	3364	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe	cmd.exe
PID 3364 wrote to memory of 2452	3364	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe	cmd.exe
PID 3364 wrote to memory of 2452	3364	82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe	cmd.exe
PID 1312 wrote to memory of 2612	1312	iznul.exe	cooxr.exe
PID 1312 wrote to memory of 2612	1312	iznul.exe	cooxr.exe
PID 1312 wrote to memory of 2612	1312	iznul.exe	cooxr.exe

C:\Users\Admin\AppData\Local\Temp\82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe
"C:\Users\Admin\AppData\Local\Temp\82bd100ec0cd2947590fdbc2a62ed4a5a9011989235347b660d7d825b63aaadaN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\AppData\Local\Temp\iznul.exe
  "C:\Users\Admin\AppData\Local\Temp\iznul.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\cooxr.exe
    "C:\Users\Admin\AppData\Local\Temp\cooxr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
06678586276f00e0f46939e4badd8cac

SHA1
31c7cbc38411e53714177d91076225d74b312745

SHA256
6106ae1cda2a57e48c9b16a2c2ae70ff73a43f19cd4fca74435d224eb159049d

SHA512
3dc125555297a95b6205e5a2844233f541ba64f19d71f74d919522b009ed17c8b925276cbf46e3f202f85a056f951889f3c17cf6751854ad7817176e12f87c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\cooxr.exe

Filesize
194KB

MD5
34309cf6047e1ab6d5f6c8f62719f7c1

SHA1
cb99b7e07d77ca5ab1f1555216c5c3e496d26f3f

SHA256
8935fc210195304fe7f1797e4a6f4f0b6b98f62b49599549135e1426a1b80762

SHA512
949b4cd7fd0a7c19b3df1efc6f36e6a310accf41d9814df6e2e627d60b08893793978ef8ca535e5a3fc36d0f69c1cbbd50b031ab6ab8ec57d1832b7af4370c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f5a79192fec8fabb47d3a786db680bc2

SHA1
47c28525ff6b8770be8ebfa54eeb6d065c5a97d0

SHA256
680d0c0082a7f80c9c9e9078b8cecff5c32d5822722b1a750d637d4238d2f724

SHA512
09c6565b246ab47d42e57833536bc9c0957e2055256c72e3281c7bef4f78b293849f5be2f325aad61a2c7fd8785670704f3292fcf57bb3324c947eab0b8e271e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iznul.exe

Filesize
555KB

MD5
e501bb99377577e07165f93aace3ddef

SHA1
bb289646407eb1131d62d02a55a6841a52773323

SHA256
40f4c25d9d3186b65cc8ca82f61eac1e511c057dfc1a7065a91373289cbe213a

SHA512
19e4fc5697052a0ed5720312f6dbeb967e18027c2abebf65e19d40ea7cb56bcbb16a7861f03a2d0393e841920dadc035dc09c94dd4c510dd6aca91cae45e1284

Download Submit
memory/1312-12-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1312-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1312-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2612-31-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2612-27-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2612-26-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2612-30-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2612-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2612-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2612-34-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2612-35-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3364-14-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3364-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads