urelas | fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dc

General

Target

fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe
Size

555KB
MD5

0062aab4d5c62d1c665ed73279edcc30
SHA1

4480c29ae577f971d7cf37a1d5ea58da8a796d8a
SHA256

fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dc
SHA512

2f351db9b0cc7a2d77abd2a74e3f90dd8092bcb85250fdcb5ee046f662e50158f28d215b27d6b67ed3b8e4a6c0621e28f7d198dc1285636eb3138988518a7a28
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyY:znPfQp9L3olqFY

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	miwul.exe

Executes dropped EXE 2 IoCs

pid	Process
4472	miwul.exe
1444	kemel.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3856-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/files/0x000d000000023b55-6.dat	upx
behavioral2/memory/3856-13-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/4472-16-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/4472-27-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	miwul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kemel.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe
1444	kemel.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 4472	3856	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe	88
PID 3856 wrote to memory of 4472	3856	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe	88
PID 3856 wrote to memory of 4472	3856	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe	88
PID 3856 wrote to memory of 2224	3856	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe	89
PID 3856 wrote to memory of 2224	3856	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe	89
PID 3856 wrote to memory of 2224	3856	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe	89
PID 4472 wrote to memory of 1444	4472	miwul.exe	108
PID 4472 wrote to memory of 1444	4472	miwul.exe	108
PID 4472 wrote to memory of 1444	4472	miwul.exe	108

C:\Users\Admin\AppData\Local\Temp\fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe
"C:\Users\Admin\AppData\Local\Temp\fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\AppData\Local\Temp\miwul.exe
  "C:\Users\Admin\AppData\Local\Temp\miwul.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\kemel.exe
    "C:\Users\Admin\AppData\Local\Temp\kemel.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
6a9bb1c6572fb3a8465225f6e381fc82

SHA1
48251f6d77802251902351e516f062f092f3f6c1

SHA256
8110d4c41448cc2eaab3faeccbdf66839fdf9328ca28c93e49d35da90fcc8791

SHA512
1bf6e9e9e16e7fd5ed34d21dec3ef9d44f8cc6ba08057f6aeb3a7aa75780b7c8dd089916e3c52af7e3eba39db242cdcc2c8c81e7743228d236051a8ae0744f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c1d1e791ffdd719df92faf9ded5fb9f4

SHA1
8c4fc48622f46e1afe23232cd727f917c2c96a10

SHA256
147fb3b7128ed7f66f50c186eefaaf251e9719b70f6a03d9ccb5e16c1002bf35

SHA512
2222a93987cad07dd5c2e755b2f05cc2bba6189374efd7ee810bb03347fb15e3811e428a7e2274ea2b41572cf1c569f81f57e589ef4729f063f9f60f2e6cd244

Download Submit
C:\Users\Admin\AppData\Local\Temp\kemel.exe

Filesize
194KB

MD5
bbe4e7d1b381fb555f26b914a4f1cb3c

SHA1
5fab683ac07a65bad31e7a1a9730442cb64d9564

SHA256
dc38ad5aaf204184c1c47004682ee30e1ad22ff684e7835255a0551e3c7e6d31

SHA512
033a6e2f76d5cc43ce837483ee0feb55714c592676eea37627744bc2ecb0217dc549245f1fc9676de321e414b679a0cb02b11d958d059009c7b4c1479aa85477

Download Submit
C:\Users\Admin\AppData\Local\Temp\miwul.exe

Filesize
555KB

MD5
0072074bba8f6989d7dbc501e75ec5b2

SHA1
9f9c90e4858ed8c94833949954e5cedc5e179d36

SHA256
4e9f50bd3304f74257793ee7606856306bec732e4f31e0c5e03bb01ecdcc19e3

SHA512
1deef06dc3a81c7ad0b31425fbe618f4fd2a1cf103a5d05b8ab866fc4e7337116d7cd460e995c0bbbdf9babe4e557da91088e4215a530c4169e0083b18d629e5

Download Submit
memory/1444-26-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1444-25-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1444-29-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1444-30-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1444-31-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3856-13-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3856-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4472-16-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4472-27-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing