urelas | 3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127

General

Target

3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
Size

466KB
MD5

0542083c1a2b3eff0f640709bca31c47
SHA1

58b1f802ece5eab93975a56756c86c8a2ce06b0d
SHA256

3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127
SHA512

db3b7fb869264fcb120cd39e562a563e9e762943def5f07b95443b93dce8adb26ab1496824923a6544a8407e6fbbea5cd25fab638dec20086d957297f7fd0e01
SSDEEP

12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1Ui:m6tQCG0UUPzEkTn4AC1+D

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	jyqof.exe

Executes dropped EXE 2 IoCs

pid	Process
1228	jyqof.exe
2752	nowue.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000707-22.dat	upx
behavioral2/memory/2752-26-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/2752-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/2752-30-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/2752-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nowue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jyqof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe
2752	nowue.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1228	1488	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	85
PID 1488 wrote to memory of 1228	1488	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	85
PID 1488 wrote to memory of 1228	1488	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	85
PID 1488 wrote to memory of 2592	1488	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	86
PID 1488 wrote to memory of 2592	1488	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	86
PID 1488 wrote to memory of 2592	1488	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	86
PID 1228 wrote to memory of 2752	1228	jyqof.exe	101
PID 1228 wrote to memory of 2752	1228	jyqof.exe	101
PID 1228 wrote to memory of 2752	1228	jyqof.exe	101

C:\Users\Admin\AppData\Local\Temp\3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
"C:\Users\Admin\AppData\Local\Temp\3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\jyqof.exe
  "C:\Users\Admin\AppData\Local\Temp\jyqof.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Users\Admin\AppData\Local\Temp\nowue.exe
    "C:\Users\Admin\AppData\Local\Temp\nowue.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
c001961ada7c141204643153156c6c16

SHA1
4276c08e03f962170b20c55a5dc3a21ccedb2efe

SHA256
2c72b51622aedea6c683214d41dd4ab978e8f81c7c8ff6aae0bbeaeb6e128045

SHA512
aa5d9c1292855875486abd83a8ced07d0592bcd68b1501510222e9136717c9606bea0fef86df095105149abe31e1c8a989d78ef8e92d1a1680da4cd5d0d0f61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
13abb620869c44e353d7792b493a9344

SHA1
ea7186335cac9383c2d677f19f895e8a8ee44657

SHA256
6f4cbff1b8433e56913f4d260c164bf1b5bb94814af9cf580b669fcd1f14c3b7

SHA512
88766135e269b0dd4db2fbd6bb5d607e2394ab281dee29210186d7d38f45700a5013272d1804b352e84cf55afc5bd4939b6ed74daa6f6d5ee7dbd8ef64682855

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyqof.exe

Filesize
467KB

MD5
671888715f459c9ea10e811769198725

SHA1
2f5320ca6650df091c70c32f18528d7d6cc69537

SHA256
cd86167b0fc910b2bcbe21d1f960723d0c42a118da22c58ba862972f1cb2808d

SHA512
6365f0f7b87ea0a5c77b1428f61acd24049acfd74fe19099db971b6da7c1f75c46bff30b9ce9bf9a97e0330bbc4f7e3664e578bf10c47765642c128e2f6e2315

Download Submit
C:\Users\Admin\AppData\Local\Temp\nowue.exe

Filesize
198KB

MD5
a91d5bcade09d07980b41f7af59cedeb

SHA1
ef15c5321e1d49a2c84d51dee3a178dc1a2bb8c7

SHA256
917ae72c292a2d7cc384c18845f4bbcc375b16b4340dbde1c04f3b7f42aeb90d

SHA512
ea22cb1c742f6c4cfd816f7542bd32884cc82de6fb87e9caf0ffc2fb92594cf959116ea1510e9d5581c4a1f037a30da797b70549d2f05c62fed4839a50c2d4f9

Download Submit
memory/1228-27-0x00000000001F0000-0x000000000026C000-memory.dmp

Filesize
496KB

Download
memory/1228-17-0x00000000001F0000-0x000000000026C000-memory.dmp

Filesize
496KB

Download
memory/1228-10-0x00000000001F0000-0x000000000026C000-memory.dmp

Filesize
496KB

Download
memory/1488-14-0x0000000000DA0000-0x0000000000E1C000-memory.dmp

Filesize
496KB

Download
memory/1488-0-0x0000000000DA0000-0x0000000000E1C000-memory.dmp

Filesize
496KB

Download
memory/2752-26-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2752-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2752-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2752-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing