urelas | 7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074f

General

Target

7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
Size

660KB
MD5

fa22a94cf15e0f978ab5f354af7b28c0
SHA1

75997c17a503e2a2f48f5d81a7f561a7d90fe7c9
SHA256

7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074f
SHA512

0a8f9f498babb7ac26455b8e8c0d9e286b7977c35e436de6ebbf0bdc9318f576f432ab404a59e11dd6b1629baaed0fcd46811da27706ab51d73016f8afb907cd
SSDEEP

6144:O1xBWeMRygxDLbHxlSBxzJn1REBB6q1gBFJV6AvRqsf6YU+FM+3Yn/fCXjQGDqLO:Ol3MQIDKJzTq+Xxvo0U+d3s/fCX0Y

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exewokua.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wokua.exe

Executes dropped EXE 2 IoCs

Processes:

wokua.exefuvao.exe

pid process

2616 wokua.exe
2204 fuvao.exe

pid	process
2616	wokua.exe
2204	fuvao.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2068-0-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\wokua.exe	upx
behavioral2/memory/2068-13-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/2616-16-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\fuvao.exe	upx
behavioral2/memory/2204-25-0x0000000000490000-0x000000000054A000-memory.dmp	upx
behavioral2/memory/2616-26-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/2204-27-0x0000000000490000-0x000000000054A000-memory.dmp	upx
behavioral2/memory/2204-28-0x0000000000490000-0x000000000054A000-memory.dmp	upx
behavioral2/memory/2204-29-0x0000000000490000-0x000000000054A000-memory.dmp	upx
behavioral2/memory/2204-30-0x0000000000490000-0x000000000054A000-memory.dmp	upx
behavioral2/memory/2204-31-0x0000000000490000-0x000000000054A000-memory.dmp	upx
behavioral2/memory/2204-32-0x0000000000490000-0x000000000054A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exefuvao.exe7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exewokua.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuvao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wokua.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exewokua.exefuvao.exe

pid	process
2068	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
2068	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
2616	wokua.exe
2616	wokua.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe
2204	fuvao.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exewokua.exe

description	pid	process	target process
PID 2068 wrote to memory of 2616	2068	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	wokua.exe
PID 2068 wrote to memory of 2616	2068	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	wokua.exe
PID 2068 wrote to memory of 2616	2068	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	wokua.exe
PID 2068 wrote to memory of 2244	2068	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	cmd.exe
PID 2068 wrote to memory of 2244	2068	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	cmd.exe
PID 2068 wrote to memory of 2244	2068	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	cmd.exe
PID 2616 wrote to memory of 2204	2616	wokua.exe	fuvao.exe
PID 2616 wrote to memory of 2204	2616	wokua.exe	fuvao.exe
PID 2616 wrote to memory of 2204	2616	wokua.exe	fuvao.exe

C:\Users\Admin\AppData\Local\Temp\7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
"C:\Users\Admin\AppData\Local\Temp\7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\wokua.exe
  "C:\Users\Admin\AppData\Local\Temp\wokua.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\fuvao.exe
    "C:\Users\Admin\AppData\Local\Temp\fuvao.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
343B

MD5
f46847abee1e922e6e3891fed2523c49

SHA1
92e963e39c22d1e9025dd4e083605fe7656a9a05

SHA256
a5e75557e8eb4c098e7100d141c75186dc3be071245f2eaed23b17e7b8c72d30

SHA512
c4acd3e822197402611464b7a4cdece51716c1805e2f291701a0028553c472b2f30400b11b998497253ebc13ada4c9991d40e50f69f6674c8d2f30d0f207313e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuvao.exe

Filesize
243KB

MD5
204db992080e8ce94281b82b3993f5f9

SHA1
36609c7baa63430ab58aab4f093d3b763d776190

SHA256
a926e971edf814158552ffa91d812806dec63b896e10daf0f193e11e403d8228

SHA512
d3572c10e90e61e112ec06a2870b49517e2a0724f4d8d12e79f59175e1052ec9db3a8bd5256e1f1d0e2466a82b41d85e72cb930469107de991619179faa9dcca

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
83a4ad5cdba3618f9a1bfd2488aedcef

SHA1
600896f2124c8ec245b2fa4272383dc7e086d8fb

SHA256
138d508e55b2c5316429d5c131ce107472dd82bb097b87324bf18d4396e0e055

SHA512
e14b8507a6641e7b32071a9aac7dc99e9c4ab1ad339cb6995e20d255cb0f7e6e8315bd8cd12b8696d8d008682087c964f5c0730a124ec57744023a13f5e094a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wokua.exe

Filesize
660KB

MD5
da11f1a31c8cb481d435ccca0512de60

SHA1
564d93f15cb086da8945db3a7c05b1d911c77bb0

SHA256
142fbd309d9db9907afa887d80a8b0b74def8fd89044855d7b968211a783c645

SHA512
71bbe143b40dee6e0fb99e83c3cbff0fbc2bf3ca04f8715b3c2ee682d94a2f0cf5b9e1ddc8ab08042afd6d5f2bd95d2047bd851f5e0fa6dba1b87de1e47fb825

Download Submit
memory/2068-13-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2068-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2204-31-0x0000000000490000-0x000000000054A000-memory.dmp

Filesize
744KB

Download
memory/2204-25-0x0000000000490000-0x000000000054A000-memory.dmp

Filesize
744KB

Download
memory/2204-32-0x0000000000490000-0x000000000054A000-memory.dmp

Filesize
744KB

Download
memory/2204-27-0x0000000000490000-0x000000000054A000-memory.dmp

Filesize
744KB

Download
memory/2204-28-0x0000000000490000-0x000000000054A000-memory.dmp

Filesize
744KB

Download
memory/2204-29-0x0000000000490000-0x000000000054A000-memory.dmp

Filesize
744KB

Download
memory/2204-30-0x0000000000490000-0x000000000054A000-memory.dmp

Filesize
744KB

Download
memory/2616-16-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2616-26-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads