urelas | 7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15

General

Target

7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe
Size

558KB
MD5

65a71e1537c72631e69b404ecde397a2
SHA1

9eb58a825e5e415cdc1b783109e1cf3b91a1e6c6
SHA256

7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15
SHA512

67b50dac679ddb6d13b667a5cf19b46d3332c46cbe617a6180b4916692607275bd87f590e878f47137116827b13b7cd7352fc9258e729f3f8998a4eccdc73442
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEy4:znPfQp9L3olqF4

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3004 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

pezon.exewulie.exe

pid process

3068 pezon.exe
2792 wulie.exe
Loads dropped DLL 2 IoCs

Processes:

7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exepezon.exe

pid process

1988 7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe
3068 pezon.exe

pid	process
3004	cmd.exe

pid	process
3068	pezon.exe
2792	wulie.exe

pid	process
1988	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe
3068	pezon.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1988-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\pezon.exe	upx
behavioral1/memory/3068-18-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1988-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3068-21-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3068-29-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\pezon.exe	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exepezon.execmd.exewulie.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pezon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wulie.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

wulie.exe

pid	process
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe
2792	wulie.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exepezon.exe

description	pid	process	target process
PID 1988 wrote to memory of 3068	1988	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	pezon.exe
PID 1988 wrote to memory of 3068	1988	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	pezon.exe
PID 1988 wrote to memory of 3068	1988	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	pezon.exe
PID 1988 wrote to memory of 3068	1988	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	pezon.exe
PID 1988 wrote to memory of 3004	1988	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	cmd.exe
PID 1988 wrote to memory of 3004	1988	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	cmd.exe
PID 1988 wrote to memory of 3004	1988	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	cmd.exe
PID 1988 wrote to memory of 3004	1988	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	cmd.exe
PID 3068 wrote to memory of 2792	3068	pezon.exe	wulie.exe
PID 3068 wrote to memory of 2792	3068	pezon.exe	wulie.exe
PID 3068 wrote to memory of 2792	3068	pezon.exe	wulie.exe
PID 3068 wrote to memory of 2792	3068	pezon.exe	wulie.exe

C:\Users\Admin\AppData\Local\Temp\7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe
"C:\Users\Admin\AppData\Local\Temp\7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\pezon.exe
  "C:\Users\Admin\AppData\Local\Temp\pezon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\wulie.exe
    "C:\Users\Admin\AppData\Local\Temp\wulie.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
cf6b9cdbb07d4770f57d7d9a45893b50

SHA1
07c7d7b78fee0e31dc9870c9e8314462d7e2d3bf

SHA256
c21be26ad851861f45cc1e9e4c849a85963be330f04055c4fd4ec12cd173248b

SHA512
2232dd6402a89936d679a9383a71eebe0cbd443c2ca723a8b5809b622442ba9650d1da25f859f655f40e2dcb7461e1add977a608b3e78dd5da531525a577f205

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
53dd7d8dfa9f60b79ca2b2e82309fc3f

SHA1
a8b138aef3f5f7536751f2b6fec1e5bdc826c3b8

SHA256
a7d3f68f3149906a81fd3d07d54da47096df1e79d92dd9b76d3dbe2df2276943

SHA512
95bcde02f9bbf2474c8e55d7630a209e23db72db4ecb89cd0324ebe76e3d1745b06828e95987c981585dcab241434fadde57374fe4a7bcb3d58918acb1059ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pezon.exe

Filesize
558KB

MD5
1dc5955f617b0a9fd5491262f1622b91

SHA1
27b03363f07b3cc379e2f1b80708031cfede2390

SHA256
eeffd1821df590e200725dbf12d8956ad430933b45fdada36a8f4cead3d25360

SHA512
3bb5b5d038b04a294d41c0d92f5e8b3d4c59c4e9158b4d1c3c278a0e3c0266a0b045009a1ec3a97fceb975ba92764395c4cecd7aa836cb5f0eaa01571fa39f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\wulie.exe

Filesize
194KB

MD5
1acb34385e8d5c85fcb5a6787243182c

SHA1
ad17c7ddb41c7f33d57222073d83561b316eb20f

SHA256
60b46b148f4f25d2164b21baac354726e58baf72c479a6afc35dc0b3b40102db

SHA512
a69628f8d022a85f96ecf4a395839d8bbf5016b2e49bda8d8c12c7fe14fe79200feb078545886bcd26fd99b68748afda4a25a3dcdec024bda9d02a83b4e5e1d0

Download Submit
\Users\Admin\AppData\Local\Temp\pezon.exe

Filesize
558KB

MD5
a7a5321fa24f808ac77b1a9692f97424

SHA1
ebd8c3b98bcc27314fed40f18d7c5386f37a87e3

SHA256
3f0a349195b20610e0bdb9727d8358018b965f048572071a8bdb05858f8f305d

SHA512
168ead00ca840e737dd47ea2498a332636d4c45e31ae034f69c9fb6b31987d14d7fb5873d41275ea5d8838479bfc071a9fb8ed5b491e9f4541f1f5571ddbac96

Download Submit
memory/1988-8-0x0000000002650000-0x0000000002706000-memory.dmp

Filesize
728KB

Download
memory/1988-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1988-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2792-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2792-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2792-34-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2792-35-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2792-36-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3068-21-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3068-29-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3068-26-0x00000000032C0000-0x0000000003354000-memory.dmp

Filesize
592KB

Download
memory/3068-18-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads