urelas | 4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb

General

Target

4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe
Size

542KB
MD5

7cb2da7a368758901ae50496e1ab8409
SHA1

67462ee2244a439670ddc83b9476d04b1d291eed
SHA256

4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb
SHA512

f91c7691a5e5d93e98cf00a2b6911cc0a549462eb3e38e107697b154a2b830ce0659ac6cc02e151258c913f1fd3d3e74faee68b1082e310d38444713e4bb0484
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxuK:92SLi70T7MifjR

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2704 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

vabui.exeejrez.exe

pid process

2820 vabui.exe
2428 ejrez.exe
Loads dropped DLL 2 IoCs

Processes:

4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exevabui.exe

pid process

2816 4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe
2820 vabui.exe

pid	process
2704	cmd.exe

pid	process
2820	vabui.exe
2428	ejrez.exe

pid	process
2816	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe
2820	vabui.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2816-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\vabui.exe	upx
behavioral1/memory/2820-10-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2816-18-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2820-21-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2820-28-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exevabui.execmd.exeejrez.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vabui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejrez.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

ejrez.exe

pid	process
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe
2428	ejrez.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exevabui.exe

description	pid	process	target process
PID 2816 wrote to memory of 2820	2816	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe	vabui.exe
PID 2816 wrote to memory of 2820	2816	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe	vabui.exe
PID 2816 wrote to memory of 2820	2816	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe	vabui.exe
PID 2816 wrote to memory of 2820	2816	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe	vabui.exe
PID 2816 wrote to memory of 2704	2816	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe	cmd.exe
PID 2816 wrote to memory of 2704	2816	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe	cmd.exe
PID 2816 wrote to memory of 2704	2816	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe	cmd.exe
PID 2816 wrote to memory of 2704	2816	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe	cmd.exe
PID 2820 wrote to memory of 2428	2820	vabui.exe	ejrez.exe
PID 2820 wrote to memory of 2428	2820	vabui.exe	ejrez.exe
PID 2820 wrote to memory of 2428	2820	vabui.exe	ejrez.exe
PID 2820 wrote to memory of 2428	2820	vabui.exe	ejrez.exe

C:\Users\Admin\AppData\Local\Temp\4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe
"C:\Users\Admin\AppData\Local\Temp\4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\vabui.exe
  "C:\Users\Admin\AppData\Local\Temp\vabui.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\ejrez.exe
    "C:\Users\Admin\AppData\Local\Temp\ejrez.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b8b3786bea09df4dacdda40fa528792b

SHA1
8ed746037a2ffe98e00f5ae2f82b814883a994de

SHA256
5a89a5a62b7449a512e0c173968af37c730d348158bc1f5c914b372d0838bda8

SHA512
979f9494f9270cf190ba63b163ecff1ffb4fff1ed234294e76b52547124595d62ca61b1d8cee376f6d8281f3f52191fee27a7494527512b1255b4ce60c976ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
14df7c78bc1c06fc572a1a0a2765809b

SHA1
d21e2e4801b3e58213e27d16f08845b6a7b25af8

SHA256
29b791c1d8c55cc069ae26b0d4adfce0f2277e532a4a0f20d95129e9c4528014

SHA512
ca6ba15c1988b960067f16c81ba93f84adbbd58f9850d0ceacbf10dc290e4be2b2ae4ec844c493d5901e18e7428120eda4f0e4e2e1d50481bfa5d730dce7cefa

Download Submit
\Users\Admin\AppData\Local\Temp\ejrez.exe

Filesize
230KB

MD5
667bd0d40b0fa31091a3df16980614f3

SHA1
24a37fd42175d59120a9a95346543b9c1111abc3

SHA256
e09baba23f5ab7e6cccb9d331d51d9e86cfbbf776c4e8fd03a6f62257dda3085

SHA512
2138e47aa3c689bbb3346fafba33ac80ec7520e6a03b7e9e392afecedd00490998f96cff25ebb358466019def0b6db819b4fad3ab07322dfff9dd1bab102a4b9

Download Submit
\Users\Admin\AppData\Local\Temp\vabui.exe

Filesize
542KB

MD5
51b6d2938665df82d8fe28eb0680f43a

SHA1
fbb0e028cf1483165a2bf9984c879d816dc5e9f0

SHA256
83ee7cef8a79890a6a6d406b32b4150d22b1270a4c6306b10e4f55a821e11897

SHA512
093f4b66cd919d740dd2ed8ff54adafc89c7268146e854805c3d9403ffaf1049ad06dc62dc0d5fae4d7cb55792c2d42c3a0f37829ba43c4e6ac6ca563cfd9ee3

Download Submit
memory/2428-29-0x00000000011D0000-0x0000000001283000-memory.dmp

Filesize
716KB

Download
memory/2428-31-0x00000000011D0000-0x0000000001283000-memory.dmp

Filesize
716KB

Download
memory/2428-32-0x00000000011D0000-0x0000000001283000-memory.dmp

Filesize
716KB

Download
memory/2816-18-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2816-8-0x0000000002C20000-0x0000000002CA7000-memory.dmp

Filesize
540KB

Download
memory/2816-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2820-21-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2820-10-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2820-28-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads