urelas | cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6b

General

Target

cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe
Size

513KB
MD5

ae2d2d119ec1eeb560351d63f29686a0
SHA1

300bb668d1e576c9afa7526b215c1ec8289f0f48
SHA256

cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6b
SHA512

1434765eb802c8b48c131a0193bdee4d18f7f3fb64843b0095e1c529fa3d0a76bbba8e2d8b5008cd33c82d16b0c9e30fcaf6cdac88b346a735f1088507925e08
SSDEEP

6144:uqXAoQT5Tr9R0HN/3w36EnCYLTczsMr0jnE/QhyjxJBErrZAWkPW5oeNtLjsOidS:BQRI/3w36EnCYckE/iydJai/WZt3

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	bowom.exe

Executes dropped EXE 2 IoCs

pid	Process
3952	bowom.exe
704	xocua.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000707-22.dat	upx
behavioral2/memory/704-26-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/704-29-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/704-30-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/704-31-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bowom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xocua.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe
704	xocua.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 3952	2764	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	87
PID 2764 wrote to memory of 3952	2764	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	87
PID 2764 wrote to memory of 3952	2764	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	87
PID 2764 wrote to memory of 2012	2764	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	88
PID 2764 wrote to memory of 2012	2764	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	88
PID 2764 wrote to memory of 2012	2764	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	88
PID 3952 wrote to memory of 704	3952	bowom.exe	106
PID 3952 wrote to memory of 704	3952	bowom.exe	106
PID 3952 wrote to memory of 704	3952	bowom.exe	106

C:\Users\Admin\AppData\Local\Temp\cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe
"C:\Users\Admin\AppData\Local\Temp\cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\bowom.exe
  "C:\Users\Admin\AppData\Local\Temp\bowom.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\xocua.exe
    "C:\Users\Admin\AppData\Local\Temp\xocua.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
97fd8da4f233438ece45b12adab2f24e

SHA1
1b43e532e19cf207d167f13f7584e0756f6cd6f6

SHA256
36003db861c347b93225fc5b0c564db2511bcdd2658f6fdcdc40dacc7a640db7

SHA512
6a3f7a63b59e9e82ace17e6e5c96b945db6910dcb455715aebd867904d7e7ce1e6f18a3e34a5b82c6dbb193b2794528fabf54cf035f8f189049301486029b5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\bowom.exe

Filesize
513KB

MD5
c474dc34b261ce422803b0327c6298ee

SHA1
67cbf920521609bb7c6230509fb0ed145aa64026

SHA256
3a6735abc28257454afa704de100cb2a56cda5651cedf4f053b1124eccd0a0cd

SHA512
0514e4cfa00045609c623b0b383ebd53ca6ab6479158b31a804bf14a0b159fe232c522624d570a23b965acea14edce1c8bbe610732f3520e57d8c7f7cca91c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5db0eb3d1cace680e1de89b01a34aa0b

SHA1
7bc62c24bbe8590e5162afe6d87e9be158b24660

SHA256
4b5cfd6db5f4f973deae414562c6c0826c58a5dfa7d3eeb315d349e83a283140

SHA512
b0c445a9cf01cde2bc424ff7dadd6d93bf988eb0bd91598b6ef05498a16ca80ba5c77a177665a0b6bc2e8c89ced64106195b7c99917ec5b7ea47f46d352d77df

Download Submit
C:\Users\Admin\AppData\Local\Temp\xocua.exe

Filesize
209KB

MD5
d7a8f820f77e492bc67207a594f6efc1

SHA1
403a4e4ac6d2def5d7f8a203e90e792e77d31378

SHA256
181e1963cbf72198d346e079ab1ca0a0f981111e11248ea69a7bd48109450e38

SHA512
d3a42fc1ea3cbd444b26b5f18b0fe2c98b65a2d4d130980f1106885741ab8292ff52383f6466dc991774de7e3feb919fe53c2a47df68dcdc9788dab0e802185e

Download Submit
memory/704-29-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/704-31-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/704-26-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/704-30-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2764-14-0x00000000009A0000-0x0000000000A27000-memory.dmp

Filesize
540KB

Download
memory/2764-0-0x00000000009A0000-0x0000000000A27000-memory.dmp

Filesize
540KB

Download
memory/3952-17-0x00000000006E0000-0x0000000000767000-memory.dmp

Filesize
540KB

Download
memory/3952-27-0x00000000006E0000-0x0000000000767000-memory.dmp

Filesize
540KB

Download
memory/3952-9-0x00000000006E0000-0x0000000000767000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing