urelas | 3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127

General

Target

3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
Size

466KB
MD5

0542083c1a2b3eff0f640709bca31c47
SHA1

58b1f802ece5eab93975a56756c86c8a2ce06b0d
SHA256

3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127
SHA512

db3b7fb869264fcb120cd39e562a563e9e762943def5f07b95443b93dce8adb26ab1496824923a6544a8407e6fbbea5cd25fab638dec20086d957297f7fd0e01
SSDEEP

12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1Ui:m6tQCG0UUPzEkTn4AC1+D

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1944 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

qiwea.exesuqow.exe

pid process

2256 qiwea.exe
2264 suqow.exe
Loads dropped DLL 2 IoCs

Processes:

3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exeqiwea.exe

pid process

2016 3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
2256 qiwea.exe

pid	process
1944	cmd.exe

pid	process
2256	qiwea.exe
2264	suqow.exe

pid	process
2016	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
2256	qiwea.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\suqow.exe	upx
behavioral1/memory/2264-30-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2264-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2264-33-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2264-34-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2264-35-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2264-36-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2264-37-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

qiwea.execmd.exesuqow.exe3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qiwea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	suqow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

suqow.exe

pid	process
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe
2264	suqow.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exeqiwea.exe

description	pid	process	target process
PID 2016 wrote to memory of 2256	2016	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	qiwea.exe
PID 2016 wrote to memory of 2256	2016	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	qiwea.exe
PID 2016 wrote to memory of 2256	2016	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	qiwea.exe
PID 2016 wrote to memory of 2256	2016	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	qiwea.exe
PID 2016 wrote to memory of 1944	2016	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	cmd.exe
PID 2016 wrote to memory of 1944	2016	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	cmd.exe
PID 2016 wrote to memory of 1944	2016	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	cmd.exe
PID 2016 wrote to memory of 1944	2016	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	cmd.exe
PID 2256 wrote to memory of 2264	2256	qiwea.exe	suqow.exe
PID 2256 wrote to memory of 2264	2256	qiwea.exe	suqow.exe
PID 2256 wrote to memory of 2264	2256	qiwea.exe	suqow.exe
PID 2256 wrote to memory of 2264	2256	qiwea.exe	suqow.exe

C:\Users\Admin\AppData\Local\Temp\3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
"C:\Users\Admin\AppData\Local\Temp\3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\qiwea.exe
  "C:\Users\Admin\AppData\Local\Temp\qiwea.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\suqow.exe
    "C:\Users\Admin\AppData\Local\Temp\suqow.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
c001961ada7c141204643153156c6c16

SHA1
4276c08e03f962170b20c55a5dc3a21ccedb2efe

SHA256
2c72b51622aedea6c683214d41dd4ab978e8f81c7c8ff6aae0bbeaeb6e128045

SHA512
aa5d9c1292855875486abd83a8ced07d0592bcd68b1501510222e9136717c9606bea0fef86df095105149abe31e1c8a989d78ef8e92d1a1680da4cd5d0d0f61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e5308615860fb3bb817104cfe1aa4ed9

SHA1
f9ed59a68911567ca978530ff2bb56fb22e8879a

SHA256
88f84ce1487c630c0915d782117fd8be5036076d98475c24b9d9d4a14dcb89b2

SHA512
905f3eb771129fd2b26bf0a8eb3ac0ab0d002c917d2c936c1d984b1863f1a21f1429f2d3ee225e1dd9b2f1c5eb25dcb4c20c925aae836177ea3f802741b7272e

Download Submit
\Users\Admin\AppData\Local\Temp\qiwea.exe

Filesize
467KB

MD5
411922650b4746bfd24feded2d766b85

SHA1
c48d45d166e0687580b2ec7520e8833fdf7f8c26

SHA256
0bdcc486a6453a0f0aa41fdbaa939e0c97257ef1cbaae487bfccf8161bc91279

SHA512
59455b252bf1befd3b90ef9187009e5c600244f1454b0a0a58e2e05a4092e8f612ce136493fd16c161bde3e09267615e55ea06f3cebffbfaf90e833f6d8487c3

Download Submit
\Users\Admin\AppData\Local\Temp\suqow.exe

Filesize
198KB

MD5
a2a3c4265a7aca8b836e997c4b3b380f

SHA1
3c1481f1b53b5c8b22c347ccc95aea9f7916e8a9

SHA256
ff0ebe8ad61bca5d443ec1a6b9f8ef255bb469a5c23fa31ae9ad33eaac29015a

SHA512
03958d6ef9eb2c4c7f73c3685e9a13be69cf4837b61112a349f047458db41cfb3fb2fff71bcbfa94bf3d436589b695a804cabe5ef603a9e87aa9d3a7caa3a6a5

Download Submit
memory/2016-0-0x00000000011D0000-0x000000000124C000-memory.dmp

Filesize
496KB

Download
memory/2016-18-0x00000000011D0000-0x000000000124C000-memory.dmp

Filesize
496KB

Download
memory/2016-5-0x0000000000FB0000-0x000000000102C000-memory.dmp

Filesize
496KB

Download
memory/2256-28-0x0000000000A00000-0x0000000000A7C000-memory.dmp

Filesize
496KB

Download
memory/2256-21-0x0000000000A00000-0x0000000000A7C000-memory.dmp

Filesize
496KB

Download
memory/2256-10-0x0000000000A00000-0x0000000000A7C000-memory.dmp

Filesize
496KB

Download
memory/2256-27-0x0000000003160000-0x00000000031FF000-memory.dmp

Filesize
636KB

Download
memory/2264-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2264-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2264-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2264-34-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2264-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2264-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2264-37-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads