urelas | d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3

General

Target

d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe
Size

6.5MB
MD5

106e3af15846334c1edb74dd2ffc3391
SHA1

5bf4021ee7e67ad451fca8881c8aed3a2d9ec819
SHA256

d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3
SHA512

d1a9780c55d37a2f0294a49df526cb691083f9721e4ea2bee38b552990d8a096b83b477f185066d197db8781d925e19e0445870be1df1de89cfc3f1a55a2d3c0
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVS8u:i0LrA2kHKQHNk3og9unipQyOaOt

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.execygeb.exezycuri.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	cygeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	zycuri.exe

Executes dropped EXE 3 IoCs

Processes:

cygeb.exezycuri.exeumukb.exe

pid	Process
4480	cygeb.exe
3112	zycuri.exe
4228	umukb.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0003000000000709-65.dat	upx
behavioral2/memory/4228-72-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/4228-77-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exed9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.execygeb.execmd.exezycuri.exeumukb.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cygeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zycuri.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umukb.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.execygeb.exezycuri.exeumukb.exe

pid	Process
3832	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe
3832	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe
4480	cygeb.exe
4480	cygeb.exe
3112	zycuri.exe
3112	zycuri.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe
4228	umukb.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.execygeb.exezycuri.exe

description	pid	Process	procid_target
PID 3832 wrote to memory of 4480	3832	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe	85
PID 3832 wrote to memory of 4480	3832	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe	85
PID 3832 wrote to memory of 4480	3832	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe	85
PID 3832 wrote to memory of 4524	3832	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe	86
PID 3832 wrote to memory of 4524	3832	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe	86
PID 3832 wrote to memory of 4524	3832	d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe	86
PID 4480 wrote to memory of 3112	4480	cygeb.exe	89
PID 4480 wrote to memory of 3112	4480	cygeb.exe	89
PID 4480 wrote to memory of 3112	4480	cygeb.exe	89
PID 3112 wrote to memory of 4228	3112	zycuri.exe	105
PID 3112 wrote to memory of 4228	3112	zycuri.exe	105
PID 3112 wrote to memory of 4228	3112	zycuri.exe	105
PID 3112 wrote to memory of 4256	3112	zycuri.exe	106
PID 3112 wrote to memory of 4256	3112	zycuri.exe	106
PID 3112 wrote to memory of 4256	3112	zycuri.exe	106

C:\Users\Admin\AppData\Local\Temp\d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe
"C:\Users\Admin\AppData\Local\Temp\d9aa45ec3427a6e6c708173a154f54c59fc97f5deff7f3e8ea02ea848f4efab3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\AppData\Local\Temp\cygeb.exe
  "C:\Users\Admin\AppData\Local\Temp\cygeb.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\zycuri.exe
    "C:\Users\Admin\AppData\Local\Temp\zycuri.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Users\Admin\AppData\Local\Temp\umukb.exe
      "C:\Users\Admin\AppData\Local\Temp\umukb.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
76225f238e082bd9dcf9d9a50cc1a808

SHA1
bd8b0d57c3c90a2de27e0406b7e676334bc264a0

SHA256
893c863424d49dda14f378e00b709533b95b4713b288834b25a98a7e36b1766c

SHA512
bd912e94168a9e8ec54eab0dd279413877deb5a0c7050a25cf98f4e93d77feabbaf3f659f701ff90d188a9746e3356bec0dc2975a6f6225684c66460300fa7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
2179e03e2b7dc6367d2ce5113a197399

SHA1
9fa5b7feee4d01e89fb650d6b8b72f8947a7c331

SHA256
3d34270a71ba2a5fb3067d3c0afc7648dfd781c695969d53875ea7a437fb1142

SHA512
f185bb0cd19abd34a2ce0278694a885c38e40502ecf2b81c2812320fcd767d788241ed463b25536e142cf9117d1123ce6c9164f6be79d7bb98f0e666417705b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cygeb.exe

Filesize
6.5MB

MD5
991b5d4285c6831e2abb1129f0b483ca

SHA1
4a278940a251acfd8db5f2a498e4e348340f0a0a

SHA256
96208dad49aafaf0b9b4cb4bfc53a9fb33549f47255cb7fc40aa1a534e658f20

SHA512
b61ca8c4d580f96e7beed4775973a9e0c7ed5593ef287c79e6f3a11256b799784cf777f82dc10145a1041390c4e2e79168c321c3196564f0fd6832d2f714b468

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cf607a268a42f6b80d86f2cc61d0636d

SHA1
861d031184a96c302eec37021c43e3c480d6bfe6

SHA256
172d408e9ea026873b74b03faeba4590200a247099e6e5579536fca50a9d8140

SHA512
f6f63d87111d7375867aa935797b1e1bd82004268f767ee145224435415f8c2736a843147f8763a7a3ea60e7dc59c9405f3c6a837ff68691f9356f00cab7c3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\umukb.exe

Filesize
459KB

MD5
c8c91f52bc6efa3053a4cc38968eaaa9

SHA1
73cc267af88d2ccd671f33222ef388c0652b45a8

SHA256
7f421e729f9cd56bdd17b407854ea42d65628dad35e80eaf5eba1aead7b2f771

SHA512
d82fb8ef62abbb27f2c995621815b64b54ba1057f7f21ec7848132c4d5aeb0d763743740ac2a1c715ffcdbd0d8c557bbae2701d0a7dfd91bb5e2f57c65c51034

Download Submit
memory/3112-52-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/3112-51-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/3112-50-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3112-53-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/3112-54-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3112-59-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3112-55-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/3112-56-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3112-57-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3112-73-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3832-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3832-7-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/3832-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3832-3-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/3832-2-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/3832-8-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/3832-1-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/3832-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3832-6-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/3832-5-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/3832-4-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/3832-27-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/3832-26-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4228-72-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4228-77-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4480-28-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/4480-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4480-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4480-34-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/4480-33-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/4480-32-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/4480-29-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/4480-30-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/4480-31-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/4480-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4480-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads