urelas | 4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02

General

Target

4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe
Size

660KB
MD5

3251cb0860e7baaf7de35db27328da62
SHA1

b4c461c408d7bddb5b431c1a73b3cdf21709b18d
SHA256

4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02
SHA512

0059cb85e1116bcf6c53dc8c92cda2d6d14b7309a99c5599d6c9238ee8b808e0dc6e694f7f9fe8d3acdb78253a0198c04b013a6eaa6fcb949170c62bd3e208fb
SSDEEP

6144:O1xBWeMRygxDLbHxlSBxzJn1REBB6q1gBFJV6AvRqsf6YU+FM+3Yn/fCXjQGDqLS:Ol3MQIDKJzTq+Xxvo0U+d3s/fCX0s

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1048 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

menyg.exeagkoz.exe

pid process

2936 menyg.exe
1524 agkoz.exe
Loads dropped DLL 2 IoCs

Processes:

4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exemenyg.exe

pid process

1852 4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe
2936 menyg.exe

pid	process
1048	cmd.exe

pid	process
2936	menyg.exe
1524	agkoz.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1852-0-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\menyg.exe	upx
behavioral1/memory/2936-17-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/1852-18-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/2936-21-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\agkoz.exe	upx
behavioral1/memory/2936-27-0x0000000003330000-0x00000000033EA000-memory.dmp	upx
behavioral1/memory/2936-29-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/1524-30-0x0000000000C70000-0x0000000000D2A000-memory.dmp	upx
behavioral1/memory/1524-31-0x0000000000C70000-0x0000000000D2A000-memory.dmp	upx
behavioral1/memory/1524-32-0x0000000000C70000-0x0000000000D2A000-memory.dmp	upx
behavioral1/memory/1524-33-0x0000000000C70000-0x0000000000D2A000-memory.dmp	upx
behavioral1/memory/1524-34-0x0000000000C70000-0x0000000000D2A000-memory.dmp	upx
behavioral1/memory/1524-35-0x0000000000C70000-0x0000000000D2A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exemenyg.exeagkoz.exe4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	menyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agkoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exemenyg.exeagkoz.exe

pid	process
1852	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe
2936	menyg.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe
1524	agkoz.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exemenyg.exe

description	pid	process	target process
PID 1852 wrote to memory of 2936	1852	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe	menyg.exe
PID 1852 wrote to memory of 2936	1852	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe	menyg.exe
PID 1852 wrote to memory of 2936	1852	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe	menyg.exe
PID 1852 wrote to memory of 2936	1852	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe	menyg.exe
PID 1852 wrote to memory of 1048	1852	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe	cmd.exe
PID 1852 wrote to memory of 1048	1852	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe	cmd.exe
PID 1852 wrote to memory of 1048	1852	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe	cmd.exe
PID 1852 wrote to memory of 1048	1852	4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe	cmd.exe
PID 2936 wrote to memory of 1524	2936	menyg.exe	agkoz.exe
PID 2936 wrote to memory of 1524	2936	menyg.exe	agkoz.exe
PID 2936 wrote to memory of 1524	2936	menyg.exe	agkoz.exe
PID 2936 wrote to memory of 1524	2936	menyg.exe	agkoz.exe

C:\Users\Admin\AppData\Local\Temp\4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe
"C:\Users\Admin\AppData\Local\Temp\4e4b7a242a9581b57b4054c9d418d03654e8d826afd3617e46f5eb88639f9a02.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\menyg.exe
  "C:\Users\Admin\AppData\Local\Temp\menyg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\agkoz.exe
    "C:\Users\Admin\AppData\Local\Temp\agkoz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
341B

MD5
b5d7e82c11d42300f1bd6b48c1ee79fc

SHA1
2d94b64506c949a244560edc529f18f71e8ff36c

SHA256
dda2262ad63b118de3301081e95a6168dc042c51876ba180ecd072c8dd1cb5b5

SHA512
225fa8d76aaf11a7474fc541f7f2c9d9e08d741909015ebf4631ad70afc568f7f27f6200ced896e38a3b2e0ae4ac2a2914dc61a7ec21941eee9742f93abdbbb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b2637e3ec1ce5a54fb12b7e16c727add

SHA1
fc101146fa931dd20cbc02a366ef300ba955e6f8

SHA256
1a0eacce86f410ec04c1cbc134732e0c17a562341f8acd76a329df7772498df7

SHA512
624006e34ad58b98b8db0735236de72a9ad375679408d1a61caf2f23af3b22294b8bb6304babf7c1d818c5d9355b3c0f6103b5184dbb8d7f87a22ca9c1f2fc9c

Download Submit
\Users\Admin\AppData\Local\Temp\agkoz.exe

Filesize
243KB

MD5
f14b7daecc8c94479a2508e459356ac3

SHA1
77017c9fe07059505a8ccb4ed0f0ae6919c74cc9

SHA256
cd8d7b71f51a4e0d82e91e8a9900dac612904dbafef1d8bd7f53b8f8e5f3e0c2

SHA512
ac63e7baa2c1bbe7ac4d00a3ddd52ca8ff30a9b8ed5bdc99fc8655d1b518cd128edafab9f6940c6dac10b1b7dd7425b1f0521950f584366c4513b3c1f88d1133

Download Submit
\Users\Admin\AppData\Local\Temp\menyg.exe

Filesize
660KB

MD5
0b7d6de30fc866324a2b1dcadfaa7a2d

SHA1
68c20d2c40251255f11cfd4031df940896c22b5c

SHA256
d071cb55294b064d25be762e65c9894cc607f95a2d4a14e2a0d69cc7f201d00b

SHA512
2e7c10497802223cc630fc28c52982682a5c92087cee7d208fee8f01d8cb478b0dbd41659b236ef9db36bf9e58794bd9b0ab0d13551f7de4d137a99a9e8de385

Download Submit
memory/1524-31-0x0000000000C70000-0x0000000000D2A000-memory.dmp

Filesize
744KB

Download
memory/1524-30-0x0000000000C70000-0x0000000000D2A000-memory.dmp

Filesize
744KB

Download
memory/1524-32-0x0000000000C70000-0x0000000000D2A000-memory.dmp

Filesize
744KB

Download
memory/1524-33-0x0000000000C70000-0x0000000000D2A000-memory.dmp

Filesize
744KB

Download
memory/1524-34-0x0000000000C70000-0x0000000000D2A000-memory.dmp

Filesize
744KB

Download
memory/1524-35-0x0000000000C70000-0x0000000000D2A000-memory.dmp

Filesize
744KB

Download
memory/1852-18-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1852-8-0x0000000002590000-0x0000000002635000-memory.dmp

Filesize
660KB

Download
memory/1852-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2936-21-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2936-17-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2936-27-0x0000000003330000-0x00000000033EA000-memory.dmp

Filesize
744KB

Download
memory/2936-29-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads