urelas | 44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c

General

Target

44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
Size

660KB
MD5

a6266879bf0a44e874cd31d192bdf5f6
SHA1

9de67ceec7bdf912b1d798fbd19420529e379625
SHA256

44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c
SHA512

d242b534f687127566973a8cb9357ae906d43f3b03b99e6127bb174ef1a1ad98b496a5a1d6cd3d64d294aad62bdbef7bcb6a3fe4ed1eed1d57342d8bd0b85244
SSDEEP

6144:O1xBWeMRygxDLbHxlSBxzJn1REBB6q1gBFJV6AvRqsf6YU+FM+3Yn/fCXjQGDqL+:Ol3MQIDKJzTq+Xxvo0U+d3s/fCX0Y

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

copeu.exe44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	copeu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe

Executes dropped EXE 2 IoCs

Processes:

copeu.exeapluf.exe

pid process

2648 copeu.exe
2748 apluf.exe

pid	process
2648	copeu.exe
2748	apluf.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2996-0-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\copeu.exe	upx
behavioral2/memory/2648-11-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/2996-14-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/2648-17-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\apluf.exe	upx
behavioral2/memory/2748-26-0x0000000000150000-0x000000000020A000-memory.dmp	upx
behavioral2/memory/2648-27-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/2748-28-0x0000000000150000-0x000000000020A000-memory.dmp	upx
behavioral2/memory/2748-29-0x0000000000150000-0x000000000020A000-memory.dmp	upx
behavioral2/memory/2748-30-0x0000000000150000-0x000000000020A000-memory.dmp	upx
behavioral2/memory/2748-31-0x0000000000150000-0x000000000020A000-memory.dmp	upx
behavioral2/memory/2748-32-0x0000000000150000-0x000000000020A000-memory.dmp	upx
behavioral2/memory/2748-33-0x0000000000150000-0x000000000020A000-memory.dmp	upx
behavioral2/memory/2748-34-0x0000000000150000-0x000000000020A000-memory.dmp	upx
behavioral2/memory/2748-35-0x0000000000150000-0x000000000020A000-memory.dmp	upx
behavioral2/memory/2748-36-0x0000000000150000-0x000000000020A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.execopeu.execmd.exeapluf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	copeu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apluf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.execopeu.exeapluf.exe

pid	process
2996	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
2996	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
2648	copeu.exe
2648	copeu.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe
2748	apluf.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.execopeu.exe

description	pid	process	target process
PID 2996 wrote to memory of 2648	2996	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	copeu.exe
PID 2996 wrote to memory of 2648	2996	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	copeu.exe
PID 2996 wrote to memory of 2648	2996	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	copeu.exe
PID 2996 wrote to memory of 3000	2996	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	cmd.exe
PID 2996 wrote to memory of 3000	2996	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	cmd.exe
PID 2996 wrote to memory of 3000	2996	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	cmd.exe
PID 2648 wrote to memory of 2748	2648	copeu.exe	apluf.exe
PID 2648 wrote to memory of 2748	2648	copeu.exe	apluf.exe
PID 2648 wrote to memory of 2748	2648	copeu.exe	apluf.exe

C:\Users\Admin\AppData\Local\Temp\44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
"C:\Users\Admin\AppData\Local\Temp\44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\copeu.exe
  "C:\Users\Admin\AppData\Local\Temp\copeu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\apluf.exe
    "C:\Users\Admin\AppData\Local\Temp\apluf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
341B

MD5
b23e7f2f3c58c3d21b81b382cba96da4

SHA1
780679cc0d062f165ac6ef06869f105c70675291

SHA256
96d14de4bb9c7ddf259885a0f6d3f22a37c193ed453824e0048d81f5cda23f2d

SHA512
e212967f932797035c0e48efa1d4fb0441304e1f074367ddfd20f2d404224f5729d7fde5feb54076fb1940674c381ed16a89df04bb20d170df2f881b78ec9b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\apluf.exe

Filesize
243KB

MD5
54544fb8dff738cb93350dd8afdf2906

SHA1
807fa9f1effb861ea554bdc06c12cf3d8112f27d

SHA256
f6f20aca7ac72022c2f58c8d82e1b14667d932d988958c7004b78bb1c5bec3e1

SHA512
4c2b900b9a49c728996a3039caaafd29fc40c9fd67f1b52413f69151f6bd2f1ec4ab4716f39d88e179c00bb6a6231e5093556bc3df75c2379e727ab5212a335b

Download Submit
C:\Users\Admin\AppData\Local\Temp\copeu.exe

Filesize
660KB

MD5
f6920ad68d638e3c9b8c89e77b635bf6

SHA1
2806911391f9428266adf384c213fef3ea667fe2

SHA256
c307c352f3b1bef4c16a47145462a4dc9e236f1f35cb421113509cc3e3962880

SHA512
c55d2a79423c618f3f74a4f702672066e0b21c9d383e552d7f3600b598f2fcd0b7d716192fed2856ecffcca76901dee41fe44571453308c82c0d3b7ed8fe515d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
015fb79ef4329e2d7a6b0a1154dcb8e3

SHA1
163260c4c7a4fc2c858444d9c078848beca90867

SHA256
c593af472fb92eef6b1aaf1af708d653687b51a4d5bb7db3b9e2f5f4ce89d8ae

SHA512
82aa2f4727ae30ac84762e07e72473d6a20a2b88e4f2eba030715aa941d7a3a22418dac9837c887aaea06b55fd2ed2585813abe3e776190e78a5c520b1f90154

Download Submit
memory/2648-11-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2648-27-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2648-17-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2748-26-0x0000000000150000-0x000000000020A000-memory.dmp

Filesize
744KB

Download
memory/2748-28-0x0000000000150000-0x000000000020A000-memory.dmp

Filesize
744KB

Download
memory/2748-29-0x0000000000150000-0x000000000020A000-memory.dmp

Filesize
744KB

Download
memory/2748-30-0x0000000000150000-0x000000000020A000-memory.dmp

Filesize
744KB

Download
memory/2748-31-0x0000000000150000-0x000000000020A000-memory.dmp

Filesize
744KB

Download
memory/2748-32-0x0000000000150000-0x000000000020A000-memory.dmp

Filesize
744KB

Download
memory/2748-33-0x0000000000150000-0x000000000020A000-memory.dmp

Filesize
744KB

Download
memory/2748-34-0x0000000000150000-0x000000000020A000-memory.dmp

Filesize
744KB

Download
memory/2748-35-0x0000000000150000-0x000000000020A000-memory.dmp

Filesize
744KB

Download
memory/2748-36-0x0000000000150000-0x000000000020A000-memory.dmp

Filesize
744KB

Download
memory/2996-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2996-14-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads