urelas | 47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e

General

Target

47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe
Size

1.1MB
MD5

899b623b32dbe4c5c0bac890de4575c1
SHA1

6ab746824ee8d9a7cebffeeb9c758b5e61decedd
SHA256

47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e
SHA512

81b28bbd10c9db8f966d63f4858fd1585d4e273b87272782dbb5f633646c6e148bf83bcb3e15c70a380b36878be6c4a4e621ea66f214b885f509dcab02c1fc84
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5Ym:tcykpY5852j6aJGl5cqBr

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exebizuq.exeozwejo.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	bizuq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	ozwejo.exe

Executes dropped EXE 3 IoCs

Processes:

bizuq.exeozwejo.exebopol.exe

pid	Process
3980	bizuq.exe
2124	ozwejo.exe
2268	bopol.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0002000000021f4c-31.dat	upx
behavioral2/memory/2268-38-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/2268-42-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exebizuq.execmd.exeozwejo.exebopol.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bizuq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozwejo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bopol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

bopol.exe

pid	Process
2268	bopol.exe
2268	bopol.exe
2268	bopol.exe
2268	bopol.exe
2268	bopol.exe
2268	bopol.exe
2268	bopol.exe
2268	bopol.exe
2268	bopol.exe
2268	bopol.exe
2268	bopol.exe
2268	bopol.exe
2268	bopol.exe
2268	bopol.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exebizuq.exeozwejo.exe

description	pid	Process	procid_target
PID 2524 wrote to memory of 3980	2524	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe	83
PID 2524 wrote to memory of 3980	2524	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe	83
PID 2524 wrote to memory of 3980	2524	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe	83
PID 2524 wrote to memory of 4056	2524	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe	84
PID 2524 wrote to memory of 4056	2524	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe	84
PID 2524 wrote to memory of 4056	2524	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe	84
PID 3980 wrote to memory of 2124	3980	bizuq.exe	86
PID 3980 wrote to memory of 2124	3980	bizuq.exe	86
PID 3980 wrote to memory of 2124	3980	bizuq.exe	86
PID 2124 wrote to memory of 2268	2124	ozwejo.exe	104
PID 2124 wrote to memory of 2268	2124	ozwejo.exe	104
PID 2124 wrote to memory of 2268	2124	ozwejo.exe	104
PID 2124 wrote to memory of 2988	2124	ozwejo.exe	105
PID 2124 wrote to memory of 2988	2124	ozwejo.exe	105
PID 2124 wrote to memory of 2988	2124	ozwejo.exe	105

C:\Users\Admin\AppData\Local\Temp\47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe
"C:\Users\Admin\AppData\Local\Temp\47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\bizuq.exe
  "C:\Users\Admin\AppData\Local\Temp\bizuq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\ozwejo.exe
    "C:\Users\Admin\AppData\Local\Temp\ozwejo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\bopol.exe
      "C:\Users\Admin\AppData\Local\Temp\bopol.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
69bca913a36099b890b22ca74464e638

SHA1
5a649116be1d66929ece392ff44fe0e3fdbccb9e

SHA256
6088ad04b2c65dc8d2c851f62add24261a1463b51fafa1c5b9fbe39713249382

SHA512
e2c90a2b036cbb20c037a696f450a49fd02c96eaa0cd0642a24cf63ee3089b61b39105dfd72fabf9fa0b4e076e7cf8716d6f138fb0cd9edf3319858826bcdb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
2a9a08802356c11ee49819ba67f95aed

SHA1
0d0935d68670df96ee56c580b92d793fca5c65d2

SHA256
522a3e73d0056b4799c8f16f95909be4886ba2e5abc0bed6e4c70d521874cd71

SHA512
ba4fb33bdaa1adcac347208188a9e855e8ebd23a8c23a4378f72bfbcbf266229bcea4422b1ce13bf13bc9213ffa882430ebaaca7ea6e0ba91aa9f91abcbbf1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bizuq.exe

Filesize
1.1MB

MD5
cf5f3bb2bd4760402441ba6df5f0422c

SHA1
74161d6aba3154520469bd45a60027fdfd7f3033

SHA256
8b6950d10e007efcba550b16e9669b938077e5c87c8c968a9288beee3968532e

SHA512
6bbb1f400a53e1f93802d799035a9a842bc68be3a82754343314446218515a1aeaaeeb57b299891f6abc69bb550a3d190bcea25f6ce00de794f0fb9222b39921

Download Submit
C:\Users\Admin\AppData\Local\Temp\bopol.exe

Filesize
459KB

MD5
7f8e508708c078e90de02fb4f9c9da4e

SHA1
f7d8122cca1ad060301094380defd3612ab942eb

SHA256
29885feb6d4e96d5c8257cbe31f74df2af68b91cab176027b4a04487b70b8c79

SHA512
bf7bfcf78af73aeb38a1f5734213e3e1640aae547efecac272a2a730d540aa51830e8055c3d8f76cbb1026db79a218601896578356a73d4ceb236ffc081e58ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d42e2e426dbb9d724ee30e4ab0537a33

SHA1
3f98ad08dc2b4625d70980c2e723a0761cf7eac8

SHA256
691b9550132df94b3e92b7958b6d2a634be727e6e6ed38bac34b14740bb78e34

SHA512
6a47955fa1f56840db1d6e6aa0042ce2293c843bcef24c5d29542c27232ac1d53202e7a516cd368fbb2939500b776a71019878133bfe5fd9f8006a5d1a45cfc4

Download Submit
memory/2124-39-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2124-25-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2268-38-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2268-42-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2524-0-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2524-15-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3980-24-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads