urelas | ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7

General

Target

ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe
Size

535KB
MD5

463b6d7b034ea2b275a7c6bd06b849f2
SHA1

20a60c50e679915ef1415065fa170885ad280ffc
SHA256

ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7
SHA512

a66cc0480363a37815e031a8d7e8e14950a4af6404d3188497e65bfa5d0bf23b5224959ecf1f2b60f8937029bc6778a3e148b7beceddc53e6878cb99859b09b9
SSDEEP

12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2j:cLjQC+bs0YOj

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2372 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

faxie.exenurux.exe

pid process

2552 faxie.exe
2864 nurux.exe
Loads dropped DLL 2 IoCs

Processes:

ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exefaxie.exe

pid process

2236 ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe
2552 faxie.exe

pid	process
2372	cmd.exe

pid	process
2552	faxie.exe
2864	nurux.exe

pid	process
2236	ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe
2552	faxie.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x000000000048B000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\faxie.exe	upx
behavioral1/memory/2552-10-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2236-18-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2552-21-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2552-29-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exefaxie.execmd.exenurux.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faxie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nurux.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

nurux.exe

pid	process
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe
2864	nurux.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exefaxie.exe

description	pid	process	target process
PID 2236 wrote to memory of 2552	2236	ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe	faxie.exe
PID 2236 wrote to memory of 2552	2236	ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe	faxie.exe
PID 2236 wrote to memory of 2552	2236	ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe	faxie.exe
PID 2236 wrote to memory of 2552	2236	ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe	faxie.exe
PID 2236 wrote to memory of 2372	2236	ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe	cmd.exe
PID 2236 wrote to memory of 2372	2236	ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe	cmd.exe
PID 2236 wrote to memory of 2372	2236	ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe	cmd.exe
PID 2236 wrote to memory of 2372	2236	ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe	cmd.exe
PID 2552 wrote to memory of 2864	2552	faxie.exe	nurux.exe
PID 2552 wrote to memory of 2864	2552	faxie.exe	nurux.exe
PID 2552 wrote to memory of 2864	2552	faxie.exe	nurux.exe
PID 2552 wrote to memory of 2864	2552	faxie.exe	nurux.exe

C:\Users\Admin\AppData\Local\Temp\ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe
"C:\Users\Admin\AppData\Local\Temp\ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\faxie.exe
  "C:\Users\Admin\AppData\Local\Temp\faxie.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\nurux.exe
    "C:\Users\Admin\AppData\Local\Temp\nurux.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
5d1d611f2e99516b48120f013968bd21

SHA1
e7c30d8e16a74713de048450c7d39426d18f1719

SHA256
1b5e039ab657edfa192f288184c24ce70db146845eba235f4c3f5a23aff826f1

SHA512
d52dc9ff76cfce51aef41cceaa6c6e3f687544d215b8e6e51ac88de0946b42225ba74b74984e3463efd8bd8d174abec550815cec45b6407e01592c1a8d41c479

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
664a97be2a8f4eaeb4c5ea4c8cbdc24d

SHA1
f5ee6cbba4926fb6fd1c85999032f1eec39b7c02

SHA256
8ded3fc38fdbbe6cbb8daf36bca82ffd16cc6e9977c05c2ea276f1b6043bc9cd

SHA512
9e534b66c4045d3f7170589ef334252fe2e8c4c74413b0c8b1937c8491f671dc96f5dd1b98fde54679863042ac3a4bf10c92bfcec08ec039035bf7db8b80f0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\nurux.exe

Filesize
241KB

MD5
3612e557e4b60497dd742405449471b4

SHA1
3d7f793a97738aa8670cb6172d7630d2d7e2f244

SHA256
e7697c5d6e15ce02dc9fa16198918712df4cc4bdf87147f379e5afce9953efa7

SHA512
fd34d3cbf5bdec8ba16848c783121d27699bfc5d9085ce79011c898984ba4108a867eea4783d4a8b38ff9634b06fb5e6151366353e369696ce2417a7548e2caa

Download Submit
\Users\Admin\AppData\Local\Temp\faxie.exe

Filesize
535KB

MD5
ddf107581883cfccfc44a6a0f3d1914f

SHA1
e4ae30050d15cdb23b555c96abf2bb1f6b524211

SHA256
090281094ccda92d1c49d2ce0b82de83bd6132c385506aecd2772f71181107ec

SHA512
50a293bc1632dd6f19d83fad9a3d27bb3689eb4071e339873249899c2a134fbd46dcf6682aea4ae1a2c725747fbaa9b0fbd3845b2861226c1458a70663e2fefe

Download Submit
memory/2236-8-0x0000000002720000-0x00000000027AB000-memory.dmp

Filesize
556KB

Download
memory/2236-18-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2236-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2552-21-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2552-27-0x0000000003150000-0x0000000003206000-memory.dmp

Filesize
728KB

Download
memory/2552-29-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2552-10-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2864-30-0x00000000001C0000-0x0000000000276000-memory.dmp

Filesize
728KB

Download
memory/2864-32-0x00000000001C0000-0x0000000000276000-memory.dmp

Filesize
728KB

Download
memory/2864-33-0x00000000001C0000-0x0000000000276000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads