urelas | 7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15

General

Target

7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe
Size

558KB
MD5

65a71e1537c72631e69b404ecde397a2
SHA1

9eb58a825e5e415cdc1b783109e1cf3b91a1e6c6
SHA256

7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15
SHA512

67b50dac679ddb6d13b667a5cf19b46d3332c46cbe617a6180b4916692607275bd87f590e878f47137116827b13b7cd7352fc9258e729f3f8998a4eccdc73442
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEy4:znPfQp9L3olqF4

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exefavyb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	favyb.exe

Executes dropped EXE 2 IoCs

Processes:

favyb.exekuduh.exe

pid process

3632 favyb.exe
900 kuduh.exe

pid	process
3632	favyb.exe
900	kuduh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1352-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\favyb.exe	upx
behavioral2/memory/3632-10-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/1352-14-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/3632-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/3632-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exefavyb.execmd.exekuduh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	favyb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kuduh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kuduh.exe

pid	process
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe
900	kuduh.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exefavyb.exe

description	pid	process	target process
PID 1352 wrote to memory of 3632	1352	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	favyb.exe
PID 1352 wrote to memory of 3632	1352	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	favyb.exe
PID 1352 wrote to memory of 3632	1352	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	favyb.exe
PID 1352 wrote to memory of 4944	1352	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	cmd.exe
PID 1352 wrote to memory of 4944	1352	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	cmd.exe
PID 1352 wrote to memory of 4944	1352	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	cmd.exe
PID 3632 wrote to memory of 900	3632	favyb.exe	kuduh.exe
PID 3632 wrote to memory of 900	3632	favyb.exe	kuduh.exe
PID 3632 wrote to memory of 900	3632	favyb.exe	kuduh.exe

C:\Users\Admin\AppData\Local\Temp\7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe
"C:\Users\Admin\AppData\Local\Temp\7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\favyb.exe
  "C:\Users\Admin\AppData\Local\Temp\favyb.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Users\Admin\AppData\Local\Temp\kuduh.exe
    "C:\Users\Admin\AppData\Local\Temp\kuduh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
cf6b9cdbb07d4770f57d7d9a45893b50

SHA1
07c7d7b78fee0e31dc9870c9e8314462d7e2d3bf

SHA256
c21be26ad851861f45cc1e9e4c849a85963be330f04055c4fd4ec12cd173248b

SHA512
2232dd6402a89936d679a9383a71eebe0cbd443c2ca723a8b5809b622442ba9650d1da25f859f655f40e2dcb7461e1add977a608b3e78dd5da531525a577f205

Download Submit
C:\Users\Admin\AppData\Local\Temp\favyb.exe

Filesize
558KB

MD5
06f4a45520fcf9511755cfb47ebd7116

SHA1
0e3adc2ba16b1eccd1149fe426fcd73ce030963a

SHA256
7b046cddc29d6cd78af7a1e97953d2ff8171f5bc0e9da7496ce6cad3200d2b4f

SHA512
6f1f1648fd99ea8b86723735032befaa6ee24028adb770d7be614bc44875884f47f24e1d39fbc2f92c7753c2352131167bd87ef909904167d6450ef9345c6c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
66526bc01be3319388a50aa99fa46cfa

SHA1
a018fd94f5e7883198688483a3f8d595535ff62f

SHA256
ec8099c126feddf351747558110b3b832831ab69790f69315f99a1275bb52dab

SHA512
d64efce169bdbef04d03728c3efdb8b6d03983c7cc255da15fc09a52ede16191193b3feef72c6e26ba033937159027ea898b25753712aadc17399ee7585f5466

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuduh.exe

Filesize
194KB

MD5
72ce34fb6b51b46e943ec36aac71083b

SHA1
c2586f3fc7cabedccc37477eb5c3e2438058267d

SHA256
be4ddef9d56b50bd47b7a8a4dbffab7d892e451420d826dbf93b9fad4253994e

SHA512
7b01940a60f748a6e9adeb424e547d91e61d76575c72f20d0be96c087637f97a8d2f78f1ba53fab9aefe28b2caf85685178fd7369e40c21a8f1ef6ffa3cbcccc

Download Submit
memory/900-27-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/900-26-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/900-30-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/900-31-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/900-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/900-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/900-34-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/900-35-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1352-14-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1352-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3632-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3632-10-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3632-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads