urelas | f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5

General

Target

f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe
Size

324KB
MD5

7c4be427fb9c0b704fc7836a0262b34c
SHA1

6d0aa5c39503a36d9f9e601c2614ace4aa6b169c
SHA256

f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5
SHA512

8b6b78e1c78ac404ce18564d8c7c4b76b16915bce699567e002153201e649772baf8a3cd5e4ba5bf39a920ca778b3cd528ec91dd1c24db049e762664f0bb43d1
SSDEEP

6144:bNEo/rmV71+I8ZD/h/vFfhxxQO4B4tqv+Hq/On1NHwBzQ4bed76a3FoSxP:bNEo/6YnZVB1rkAqcNAzQCed7J1oSx

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

gyzei.exef5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	gyzei.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe

Executes dropped EXE 2 IoCs

Processes:

gyzei.exeazwyk.exe

pid process

1264 gyzei.exe
4204 azwyk.exe

pid	process
1264	gyzei.exe
4204	azwyk.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1876-0-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\gyzei.exe	upx
behavioral2/memory/1876-14-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/1264-17-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/1264-35-0x0000000000400000-0x0000000000489000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exegyzei.execmd.exeazwyk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyzei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azwyk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

azwyk.exe

pid	process
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe
4204	azwyk.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exegyzei.exe

description	pid	process	target process
PID 1876 wrote to memory of 1264	1876	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	gyzei.exe
PID 1876 wrote to memory of 1264	1876	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	gyzei.exe
PID 1876 wrote to memory of 1264	1876	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	gyzei.exe
PID 1876 wrote to memory of 3892	1876	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	cmd.exe
PID 1876 wrote to memory of 3892	1876	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	cmd.exe
PID 1876 wrote to memory of 3892	1876	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	cmd.exe
PID 1264 wrote to memory of 4204	1264	gyzei.exe	azwyk.exe
PID 1264 wrote to memory of 4204	1264	gyzei.exe	azwyk.exe
PID 1264 wrote to memory of 4204	1264	gyzei.exe	azwyk.exe

C:\Users\Admin\AppData\Local\Temp\f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe
"C:\Users\Admin\AppData\Local\Temp\f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\gyzei.exe
  "C:\Users\Admin\AppData\Local\Temp\gyzei.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\azwyk.exe
    "C:\Users\Admin\AppData\Local\Temp\azwyk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
5c7b95813b0009e4849f172569ed117e

SHA1
10980ae3b2453ee58a5191caf8fb6ff1dac86c68

SHA256
1fc3e49feaca9eb385ee025f60a87d712726ea29956fff47be3c30ce255e8fb6

SHA512
b5be4e6c57234b812c3903ebb551c8aea65c709c23e8e254c7bdb0144b1e54ef525e45d5a361b087cf0621b64654f5ead75d07d60ba4d0b0f2730318a588cb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\azwyk.exe

Filesize
241KB

MD5
aa44566cd9f789902a0d9da41b3bb0d8

SHA1
147f51f910a6e5fb3b38ca03c2ed2035d8163b0d

SHA256
4999b7dd18fc4e46c25534ce9f7c4c5168123ee7c27f158e12277e3bd923a97a

SHA512
5cb659998412c3df69e2b252f3c6fb74daf9c8d370ef44a16ed6616dc038eab849bf1205f3e6a74d6aae5f56a4fb6003abb3592470f1a3caa389bca2efd7693f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cd852d537c92cb80f041a45fb89f4648

SHA1
b655d83a7e0c8aa56c8196a813efd22a7aa57638

SHA256
bbba0fd5e1d3f67720035af40a659d2f99a40f52d8b2fdd2aa8ab11920e10ec1

SHA512
75fd9bdd30696d68dee5b6c76b615215b535bc7b4b9df02077539dbc02c24257ac3ca68bc712cbe6761dc1477288025bd71b10937ccb583715a882aea4b04b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyzei.exe

Filesize
324KB

MD5
c475a76599599d4519ff292108c5f777

SHA1
09bbae0de2af6ce19730d1374209bce3e64719b1

SHA256
ec3c6f88a063ab7c5d27575b360bd23056716295dcd0c8c91440d719bec13827

SHA512
d20f8c8377fe2f92204b201022e4baae9ed7dd664df3f25e184414e64bdd1ea947d504d977a24e619b436e1bceb03c5a86da06d8a8bcfcc82210fd0d6435f054

Download Submit
memory/1264-17-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1264-35-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1876-14-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1876-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4204-37-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4204-36-0x0000000000360000-0x0000000000416000-memory.dmp

Filesize
728KB

Download
memory/4204-39-0x0000000000360000-0x0000000000416000-memory.dmp

Filesize
728KB

Download
memory/4204-40-0x0000000000360000-0x0000000000416000-memory.dmp

Filesize
728KB

Download
memory/4204-41-0x0000000000360000-0x0000000000416000-memory.dmp

Filesize
728KB

Download
memory/4204-42-0x0000000000360000-0x0000000000416000-memory.dmp

Filesize
728KB

Download
memory/4204-43-0x0000000000360000-0x0000000000416000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads