urelas | cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6b

General

Target

cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe
Size

513KB
MD5

ae2d2d119ec1eeb560351d63f29686a0
SHA1

300bb668d1e576c9afa7526b215c1ec8289f0f48
SHA256

cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6b
SHA512

1434765eb802c8b48c131a0193bdee4d18f7f3fb64843b0095e1c529fa3d0a76bbba8e2d8b5008cd33c82d16b0c9e30fcaf6cdac88b346a735f1088507925e08
SSDEEP

6144:uqXAoQT5Tr9R0HN/3w36EnCYLTczsMr0jnE/QhyjxJBErrZAWkPW5oeNtLjsOidS:BQRI/3w36EnCYckE/iydJai/WZt3

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3012	puyjt.exe
2864	efpyj.exe

Loads dropped DLL 2 IoCs

pid	Process
800	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe
3012	puyjt.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0004000000004ed7-23.dat	upx
behavioral1/memory/2864-29-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2864-31-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2864-32-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2864-33-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efpyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puyjt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe
2864	efpyj.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 3012	800	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	28
PID 800 wrote to memory of 3012	800	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	28
PID 800 wrote to memory of 3012	800	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	28
PID 800 wrote to memory of 3012	800	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	28
PID 800 wrote to memory of 2760	800	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	29
PID 800 wrote to memory of 2760	800	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	29
PID 800 wrote to memory of 2760	800	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	29
PID 800 wrote to memory of 2760	800	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	29
PID 3012 wrote to memory of 2864	3012	puyjt.exe	33
PID 3012 wrote to memory of 2864	3012	puyjt.exe	33
PID 3012 wrote to memory of 2864	3012	puyjt.exe	33
PID 3012 wrote to memory of 2864	3012	puyjt.exe	33

C:\Users\Admin\AppData\Local\Temp\cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe
"C:\Users\Admin\AppData\Local\Temp\cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\puyjt.exe
  "C:\Users\Admin\AppData\Local\Temp\puyjt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\efpyj.exe
    "C:\Users\Admin\AppData\Local\Temp\efpyj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
97fd8da4f233438ece45b12adab2f24e

SHA1
1b43e532e19cf207d167f13f7584e0756f6cd6f6

SHA256
36003db861c347b93225fc5b0c564db2511bcdd2658f6fdcdc40dacc7a640db7

SHA512
6a3f7a63b59e9e82ace17e6e5c96b945db6910dcb455715aebd867904d7e7ce1e6f18a3e34a5b82c6dbb193b2794528fabf54cf035f8f189049301486029b5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
38c556250a995f6c3ca3ea4a07476fbc

SHA1
e66f21634b3d5754ceedd35a7fa709e2ab699df8

SHA256
3be9b990db9b8f92e33fc289c9f4c6c02af276d25e039c53594712b8bd956e5f

SHA512
54dc49162c416ab2187a315d5161f42c33731d7e12df277b5cc1b2673e190810efadc6e78697b546876fd4c542c79e4f95a210bd73c2d82a11d4f8e1647bd570

Download Submit
\Users\Admin\AppData\Local\Temp\efpyj.exe

Filesize
209KB

MD5
a24fc0ac65f8f99335bedb51d35d426b

SHA1
01cc9bc2762933201fe467511e044f14dc0a970f

SHA256
e4b0f4a109e5ef098e91f4d7c51d78cb11ecc5afd58a0a541d93f005ef15df65

SHA512
75f89a9afe126a4de4f545a6c8a2ebf603246f4364d3de2f131991019062e176a718217d1d7362889db0018832592fe10d349951fde276b5fb5a840a85a48ae6

Download Submit
\Users\Admin\AppData\Local\Temp\puyjt.exe

Filesize
513KB

MD5
9364de9e11f2ca06927df38d718a75ca

SHA1
c48de7f3ee2bd0cf1fa1c6ca4b87d18925e12876

SHA256
aaea562b07ccffc2bb1bfd3e84a49cee7c9b37879f3905aa6c2dc37be6c91154

SHA512
d87fe0624a86c7cadade10ddbebc153b7f592c1536aba6775d8a0186ff067fb0347b5088dca509ab904f5cbe9294a4579eb6c8e17e5a4bd442dbb945b12f6a14

Download Submit
memory/800-8-0x0000000001F60000-0x0000000001FE7000-memory.dmp

Filesize
540KB

Download
memory/800-17-0x0000000000310000-0x0000000000397000-memory.dmp

Filesize
540KB

Download
memory/800-0-0x0000000000310000-0x0000000000397000-memory.dmp

Filesize
540KB

Download
memory/2864-31-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2864-29-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2864-33-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2864-32-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3012-20-0x0000000000B70000-0x0000000000BF7000-memory.dmp

Filesize
540KB

Download
memory/3012-26-0x0000000002C80000-0x0000000002D36000-memory.dmp

Filesize
728KB

Download
memory/3012-28-0x0000000000B70000-0x0000000000BF7000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing