urelas | 802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55d

General

Target

802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exe
Size

6.5MB
MD5

e03a014cec32aa4a5a967a48757bd7f0
SHA1

d110e0a0be92870e136099cffce6a86e13a46dc4
SHA256

802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55d
SHA512

1b80832fcf5eb2f7b65df0bd21ecc6416130238e3036d40cb88757db2f48f445dd7b73b4f48b2a7d1302448f67d8659fc6fa81728a4fcb0602ccfa014c16f1f0
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVS7:i0LrA2kHKQHNk3og9unipQyOaO7

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2252 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

uwles.exeycubop.exeqoivy.exe

pid process

3060 uwles.exe
2984 ycubop.exe
1356 qoivy.exe

pid	process
2252	cmd.exe

pid	process
3060	uwles.exe
2984	ycubop.exe
1356	qoivy.exe

Loads dropped DLL 5 IoCs

Processes:

802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exeuwles.exeycubop.exe

pid	process
2116	802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exe
2116	802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exe
3060	uwles.exe
3060	uwles.exe
2984	ycubop.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\qoivy.exe	upx
behavioral1/memory/2984-161-0x0000000004550000-0x00000000046E9000-memory.dmp	upx
behavioral1/memory/1356-172-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1356-177-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.execmd.exeuwles.exeycubop.exeqoivy.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uwles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ycubop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoivy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exeuwles.exeycubop.exeqoivy.exe

pid	process
2116	802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exe
3060	uwles.exe
2984	ycubop.exe
1356	qoivy.exe
1356	qoivy.exe
1356	qoivy.exe
1356	qoivy.exe
1356	qoivy.exe
1356	qoivy.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exeuwles.exeycubop.exe

description	pid	process	target process
PID 2116 wrote to memory of 3060	2116	802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exe	uwles.exe
PID 2116 wrote to memory of 3060	2116	802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exe	uwles.exe
PID 2116 wrote to memory of 3060	2116	802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exe	uwles.exe
PID 2116 wrote to memory of 3060	2116	802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exe	uwles.exe
PID 2116 wrote to memory of 2252	2116	802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exe	cmd.exe
PID 2116 wrote to memory of 2252	2116	802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exe	cmd.exe
PID 2116 wrote to memory of 2252	2116	802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exe	cmd.exe
PID 2116 wrote to memory of 2252	2116	802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exe	cmd.exe
PID 3060 wrote to memory of 2984	3060	uwles.exe	ycubop.exe
PID 3060 wrote to memory of 2984	3060	uwles.exe	ycubop.exe
PID 3060 wrote to memory of 2984	3060	uwles.exe	ycubop.exe
PID 3060 wrote to memory of 2984	3060	uwles.exe	ycubop.exe
PID 2984 wrote to memory of 1356	2984	ycubop.exe	qoivy.exe
PID 2984 wrote to memory of 1356	2984	ycubop.exe	qoivy.exe
PID 2984 wrote to memory of 1356	2984	ycubop.exe	qoivy.exe
PID 2984 wrote to memory of 1356	2984	ycubop.exe	qoivy.exe
PID 2984 wrote to memory of 2300	2984	ycubop.exe	cmd.exe
PID 2984 wrote to memory of 2300	2984	ycubop.exe	cmd.exe
PID 2984 wrote to memory of 2300	2984	ycubop.exe	cmd.exe
PID 2984 wrote to memory of 2300	2984	ycubop.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exe
"C:\Users\Admin\AppData\Local\Temp\802f50b26dad5447e397c69660a344293327d0546e5e98ab865e2313a11aa55dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\uwles.exe
  "C:\Users\Admin\AppData\Local\Temp\uwles.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\ycubop.exe
    "C:\Users\Admin\AppData\Local\Temp\ycubop.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\qoivy.exe
      "C:\Users\Admin\AppData\Local\Temp\qoivy.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1356
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
acb1ea18e96606eb17a5777a70203fc0

SHA1
4c9446e6dbf32ff51029984b73e86cb9b5417383

SHA256
ba20432df3f75152c1995be8699a64dbdef1f5c22fec48215d2c45b7e58bf8de

SHA512
657caf238c7244d4f18efb9a2ced6985d653e297c462f71f84dfac5bbe9782c400c91c3a8f53db48b7368ca4badbb84e07afcb42ba97ad6b11706ed35bc30861

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
cd4202ade2ccb489b356530834387f55

SHA1
10565aefb417f8ac09f35a9ec859022b53bafe7c

SHA256
3ddd97a9a1058d742661059e3db4408e60e2c22fdcf3c63686953ac60c1e59b4

SHA512
3b263006c5de198fd66cf33101d707e9635a4ba8f903a12660b507b619390053a7733f64ff27b90059579afb9aa554cacab522d5dc8c999c82951bc1f6a333ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b266def085f2a9d0212b56a1b3603da6

SHA1
98250d977c7dbf89d79d3879d840f904288d2ac9

SHA256
9321b3321780709b3e45d04b94c1e9fa78794c94fb5a6f8db137168bef4f2b8c

SHA512
0adb46e859a8822b74bef8ddd29b77e4708d4ba4a80fb387b81f93d1b7158e8a9320a75ba62c1a8656a8db8ab868ac719bb1b9dce9557e6f4cca93b7ef3aad9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwles.exe

Filesize
6.5MB

MD5
0e4c31757f48862dad1e12865fa141c1

SHA1
92b59afd9727c7d64c08c8750eda5698e94a06dd

SHA256
ad61c48c875c7f7ce956d8fbad5b0e255b1c50ff2294469e69f025487a19b54d

SHA512
70d9837c664934eabfbb06d9dd66fa65dd5cf6d42a90873daa88297b53cc0ce78226be93aa0702a112ecd69a82f81724ff6d3cfc2c500ac0957f29f9c54355e6

Download Submit
\Users\Admin\AppData\Local\Temp\qoivy.exe

Filesize
459KB

MD5
40f8e0f8ef43d316c0e426feeae23a30

SHA1
7b98b19889ad5044634fc47fcbb70e1c28e45a88

SHA256
23a4ab65833cf86ea381f5ba4d3a2368137525f4ff202080dbc01259867fc5b6

SHA512
7d7e7d522916eaee690af282ce6cabd6ad7ab62d7f5e8d9f7ff1ba79e276962a52d150461498a2e2f0c08426629f74806b306fc3adde1dab58c63899ca42dfd2

Download Submit
memory/1356-177-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1356-172-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2116-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2116-24-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2116-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2116-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2116-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2116-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2116-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2116-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2116-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2116-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2116-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2116-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2116-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2116-22-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2116-54-0x0000000003C40000-0x000000000472C000-memory.dmp

Filesize
10.9MB

Download
memory/2116-26-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2116-63-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2116-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2116-60-0x0000000003C40000-0x000000000472C000-memory.dmp

Filesize
10.9MB

Download
memory/2116-64-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2116-29-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2116-36-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2116-34-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2116-31-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2116-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2984-155-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2984-161-0x0000000004550000-0x00000000046E9000-memory.dmp

Filesize
1.6MB

Download
memory/2984-174-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3060-117-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3060-115-0x0000000003CE0000-0x00000000047CC000-memory.dmp

Filesize
10.9MB

Download
memory/3060-106-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3060-103-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3060-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads