urelas | 7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15

General

Target

7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe
Size

558KB
MD5

65a71e1537c72631e69b404ecde397a2
SHA1

9eb58a825e5e415cdc1b783109e1cf3b91a1e6c6
SHA256

7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15
SHA512

67b50dac679ddb6d13b667a5cf19b46d3332c46cbe617a6180b4916692607275bd87f590e878f47137116827b13b7cd7352fc9258e729f3f8998a4eccdc73442
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEy4:znPfQp9L3olqF4

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	xuxac.exe

Executes dropped EXE 2 IoCs

pid	Process
4120	xuxac.exe
4732	muweg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1928-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/files/0x0007000000023cd2-6.dat	upx
behavioral2/memory/4120-10-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/1928-14-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/4120-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/4120-26-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muweg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xuxac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe
4732	muweg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 4120	1928	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	84
PID 1928 wrote to memory of 4120	1928	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	84
PID 1928 wrote to memory of 4120	1928	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	84
PID 1928 wrote to memory of 2448	1928	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	86
PID 1928 wrote to memory of 2448	1928	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	86
PID 1928 wrote to memory of 2448	1928	7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe	86
PID 4120 wrote to memory of 4732	4120	xuxac.exe	94
PID 4120 wrote to memory of 4732	4120	xuxac.exe	94
PID 4120 wrote to memory of 4732	4120	xuxac.exe	94

C:\Users\Admin\AppData\Local\Temp\7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe
"C:\Users\Admin\AppData\Local\Temp\7e3e8afd2af3dfbbeed61b25cf3a2d9c696fc4a86b91ac9270f3b63eb281eb15.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\xuxac.exe
  "C:\Users\Admin\AppData\Local\Temp\xuxac.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\muweg.exe
    "C:\Users\Admin\AppData\Local\Temp\muweg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
cf6b9cdbb07d4770f57d7d9a45893b50

SHA1
07c7d7b78fee0e31dc9870c9e8314462d7e2d3bf

SHA256
c21be26ad851861f45cc1e9e4c849a85963be330f04055c4fd4ec12cd173248b

SHA512
2232dd6402a89936d679a9383a71eebe0cbd443c2ca723a8b5809b622442ba9650d1da25f859f655f40e2dcb7461e1add977a608b3e78dd5da531525a577f205

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7f91936afc6e6386dd1affac857d49c2

SHA1
0d2acb18d24dafb77157d5acf109aa8786a9bf60

SHA256
0667d21802bc6f85599b0d5be7a37cc011431eda829b428d4f0dc0e4d84ccd4b

SHA512
6e0dd9b94de8a9930b1310cfff8d3343c5259925f6be4728449870699238073f34ea81f65fdf540c0e5edb467c05c3524542880e7a86b0e8477fb0965c2b2750

Download Submit
C:\Users\Admin\AppData\Local\Temp\muweg.exe

Filesize
194KB

MD5
3d5c5d2e82e3c6cc194a02e082cad910

SHA1
1811347f6e7abe6d4a69bd3765449828c3062215

SHA256
268a3e17d6310f902b1c4587f3a34aa55c8a112bbd15d3d9fd201881f1cd1da9

SHA512
d009645d7ce28d7a5bce73693796c908c4df73ddab67ec48a966c35decdfe3b13e597bed5939343e2fb753294dda1beb73bad3185e72183c428d9fe6194b0679

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuxac.exe

Filesize
558KB

MD5
c50a86b5cf17fd547e7e0ffef1c9fbef

SHA1
7956eca4b97bb1b09c7587a32d70be899965f34c

SHA256
7a659d7181437d3a6192c6354346832145c5417890429667b03a252042fa0781

SHA512
3923b593d2715126c15727cbf6c3cb20da5437e55d636cb3d98b906c8450be839dc784d93109d49209cd2358cdd9cb4b29b58662a07a37dff5173eaec6b9cda2

Download Submit
memory/1928-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1928-14-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4120-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4120-10-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4120-26-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4732-28-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/4732-27-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4732-30-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4732-31-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing