urelas | 67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4

General

Target

67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe
Size

1.1MB
MD5

6c05c592710f20eb6afa9ee7a51b4feb
SHA1

a37aad986781a951ab9b698b81e24f1ff3f4cef9
SHA256

67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4
SHA512

8216de200c2ecc00874f1228013564f73c9fe39bd129cc1654f8167f64f54325c703f74c9c2f505f8cfb3ee537563fe2c955e56c9355370f81e43943e096481b
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5YH:tcykpY5852j6aJGl5cqBa

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3024	xeicp.exe
2836	udsomi.exe
1812	nenyt.exe

Loads dropped DLL 5 IoCs

pid	Process
2244	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe
2244	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe
3024	xeicp.exe
3024	xeicp.exe
2836	udsomi.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d000000015ca4-39.dat	upx
behavioral1/memory/2836-43-0x0000000004100000-0x0000000004299000-memory.dmp	upx
behavioral1/memory/1812-45-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1812-58-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeicp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	udsomi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nenyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1812	nenyt.exe
1812	nenyt.exe
1812	nenyt.exe
1812	nenyt.exe
1812	nenyt.exe
1812	nenyt.exe
1812	nenyt.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3024	2244	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe	30
PID 2244 wrote to memory of 3024	2244	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe	30
PID 2244 wrote to memory of 3024	2244	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe	30
PID 2244 wrote to memory of 3024	2244	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe	30
PID 2244 wrote to memory of 2968	2244	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe	31
PID 2244 wrote to memory of 2968	2244	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe	31
PID 2244 wrote to memory of 2968	2244	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe	31
PID 2244 wrote to memory of 2968	2244	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe	31
PID 3024 wrote to memory of 2836	3024	xeicp.exe	33
PID 3024 wrote to memory of 2836	3024	xeicp.exe	33
PID 3024 wrote to memory of 2836	3024	xeicp.exe	33
PID 3024 wrote to memory of 2836	3024	xeicp.exe	33
PID 2836 wrote to memory of 1812	2836	udsomi.exe	35
PID 2836 wrote to memory of 1812	2836	udsomi.exe	35
PID 2836 wrote to memory of 1812	2836	udsomi.exe	35
PID 2836 wrote to memory of 1812	2836	udsomi.exe	35
PID 2836 wrote to memory of 1564	2836	udsomi.exe	36
PID 2836 wrote to memory of 1564	2836	udsomi.exe	36
PID 2836 wrote to memory of 1564	2836	udsomi.exe	36
PID 2836 wrote to memory of 1564	2836	udsomi.exe	36

C:\Users\Admin\AppData\Local\Temp\67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe
"C:\Users\Admin\AppData\Local\Temp\67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\xeicp.exe
  "C:\Users\Admin\AppData\Local\Temp\xeicp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\udsomi.exe
    "C:\Users\Admin\AppData\Local\Temp\udsomi.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\nenyt.exe
      "C:\Users\Admin\AppData\Local\Temp\nenyt.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1812
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
3c330fe28b57490314426d956167b72e

SHA1
081d71fff01a0191f67553d7cf19d159193ec5f9

SHA256
c2f981349ab5381974320a49741b76febf21864c6339cc883a75aa6f4d25dfe5

SHA512
f7c290743da3f10fabaebafcccc5118d1e20acd83a897b53afaf0728efe00dcfb83ce1220c8625ef0fe5874ae1f188a80b3568fbc8af702dab586a2661b23229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
853941fd45c026049fa4ad6b2f478f65

SHA1
15eb63c6de3f6ff0cc293e857a762613b30af394

SHA256
edcdcec37ce9b562eb5fdcb5e11f24048d0e75199e0db94a558ef25d561c31fa

SHA512
4ee8cc936be449665b603fa1b301b30f7900604d38559563445e8ec0612e9dfb0c9a18afb88c838adbb93fa82683996f33611d16ef729ed0a842909de36c93a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6c6a5f272db9e71442a0999c384c0805

SHA1
d6419569d9291b550cf06a82ba655340770b4cbf

SHA256
64d14f81e3d82345e9b65db11f0a9cb1645b8e2111a9e7e486a6d2df1eadfdae

SHA512
db4fdcbcadfd0972c75b5551c8642828e1725a0fc05dd42ebddf3377949b5c23c2e319b5b6e04ace01ab94b7d2e15046fbd3e13dee45a286c77c8653fe2a4d4b

Download Submit
\Users\Admin\AppData\Local\Temp\nenyt.exe

Filesize
459KB

MD5
88bfc1632f05d5f8356327cc1d2a67d2

SHA1
7ebf89c5e81cd9e1cbe03833e422eea850cf4e90

SHA256
8b58aaf00fdd20cd9714f50354bd469d591b200f20a5dd8836d8b88a22edc34b

SHA512
661e6f1045146ceed3ff4c3995d1a6e7802eb16ae510ad40c88cf1112ee26892a4348ea3b2a918c98263e326c9360a3ac432ef94c9453e4f21c0bbd69ca0e587

Download Submit
\Users\Admin\AppData\Local\Temp\xeicp.exe

Filesize
1.1MB

MD5
59d0c4db2786f4b6fac5dad551b8eb9d

SHA1
f86726634dbf1fe01fc97984aae8c413d700a07e

SHA256
f8d13dd33ac7386d4785c7a3ba6512423928e741704b572992731420fc6c26df

SHA512
7048fd63c6133feb63f04a18f9ad393cd2c353c8fb61894f3fecadb06bc89ba0c23f378c600b9f9a3ebe2702f73ec94b5f22e84291668402cc31ddcbbe33c3e0

Download Submit
memory/1812-45-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1812-58-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2244-22-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2244-0-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2836-35-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2836-43-0x0000000004100000-0x0000000004299000-memory.dmp

Filesize
1.6MB

Download
memory/2836-53-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2836-34-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3024-32-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3024-33-0x0000000003330000-0x0000000003454000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing