urelas | 67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4

General

Target

67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe
Size

1.1MB
MD5

6c05c592710f20eb6afa9ee7a51b4feb
SHA1

a37aad986781a951ab9b698b81e24f1ff3f4cef9
SHA256

67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4
SHA512

8216de200c2ecc00874f1228013564f73c9fe39bd129cc1654f8167f64f54325c703f74c9c2f505f8cfb3ee537563fe2c955e56c9355370f81e43943e096481b
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5YH:tcykpY5852j6aJGl5cqBa

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lexoyb.exe67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exeekrir.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lexoyb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ekrir.exe

Executes dropped EXE 3 IoCs

Processes:

ekrir.exelexoyb.exeabvux.exe

pid	Process
2924	ekrir.exe
3584	lexoyb.exe
224	abvux.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0002000000021d5f-31.dat	upx
behavioral2/memory/224-37-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/224-42-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exeekrir.execmd.exelexoyb.exeabvux.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ekrir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lexoyb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abvux.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

abvux.exe

pid	Process
224	abvux.exe
224	abvux.exe
224	abvux.exe
224	abvux.exe
224	abvux.exe
224	abvux.exe
224	abvux.exe
224	abvux.exe
224	abvux.exe
224	abvux.exe
224	abvux.exe
224	abvux.exe
224	abvux.exe
224	abvux.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exeekrir.exelexoyb.exe

description	pid	Process	procid_target
PID 2740 wrote to memory of 2924	2740	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe	81
PID 2740 wrote to memory of 2924	2740	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe	81
PID 2740 wrote to memory of 2924	2740	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe	81
PID 2740 wrote to memory of 4952	2740	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe	82
PID 2740 wrote to memory of 4952	2740	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe	82
PID 2740 wrote to memory of 4952	2740	67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe	82
PID 2924 wrote to memory of 3584	2924	ekrir.exe	84
PID 2924 wrote to memory of 3584	2924	ekrir.exe	84
PID 2924 wrote to memory of 3584	2924	ekrir.exe	84
PID 3584 wrote to memory of 224	3584	lexoyb.exe	94
PID 3584 wrote to memory of 224	3584	lexoyb.exe	94
PID 3584 wrote to memory of 224	3584	lexoyb.exe	94
PID 3584 wrote to memory of 3388	3584	lexoyb.exe	95
PID 3584 wrote to memory of 3388	3584	lexoyb.exe	95
PID 3584 wrote to memory of 3388	3584	lexoyb.exe	95

C:\Users\Admin\AppData\Local\Temp\67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe
"C:\Users\Admin\AppData\Local\Temp\67907b54a6df23b75d151a3825b0aa6b943ba1ea0acb95ee07c715efb14786c4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\ekrir.exe
  "C:\Users\Admin\AppData\Local\Temp\ekrir.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\lexoyb.exe
    "C:\Users\Admin\AppData\Local\Temp\lexoyb.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Users\Admin\AppData\Local\Temp\abvux.exe
      "C:\Users\Admin\AppData\Local\Temp\abvux.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
d0ac31c8e397c685fbdfe13d73814ca6

SHA1
9890d7e9342d749d9653c5a2abff8f7272eb2c33

SHA256
177c90ee4edef744ef6972e0e35bb890f1387eba4cab8ff366507c7be1a73e19

SHA512
f563ca9d82dd2b2f59947799b37ec8c43466a46aa21484341758d5bcc07a54a681b369896c5a2fd19c673cca5dce1c22df539dfb54ae67e5d113d6ffe4b4ff8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
3c330fe28b57490314426d956167b72e

SHA1
081d71fff01a0191f67553d7cf19d159193ec5f9

SHA256
c2f981349ab5381974320a49741b76febf21864c6339cc883a75aa6f4d25dfe5

SHA512
f7c290743da3f10fabaebafcccc5118d1e20acd83a897b53afaf0728efe00dcfb83ce1220c8625ef0fe5874ae1f188a80b3568fbc8af702dab586a2661b23229

Download Submit
C:\Users\Admin\AppData\Local\Temp\abvux.exe

Filesize
459KB

MD5
e991b95c2952f647c5b018e83a8b3895

SHA1
c39e405d9aa7f6fead3d6fb464d05b76d92be4df

SHA256
7fc12ceba83d82db14b427779b92131535d907e598131566a810cece8064ac68

SHA512
d421f660dc7fb393456c82a17b07c1d8c20e00e1d65017b60cf7013824ad0485d2e26d38a66a05259c90a1e4fa09b91a9117e02a8df9ab7051fb7a6fc6fb4f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekrir.exe

Filesize
1.1MB

MD5
fda1065d416e0479ab565b3a60857f22

SHA1
969c2e30e520c505ae67d7539dbea1090af46ac1

SHA256
a3adfd2aef0d38b1fe7edda6097ff8d62008773d7c12c16501514934b4465c7d

SHA512
528ccb2313bb7f87d83c905e6a2e6d58a7b6f1dbdf66b16dd5eb740e8e8ba91a50e1b483a4808cb83c494ab85522b044715f191109de2f88dabbf10397f879c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c89eb320bd90d11906d23e1608697a49

SHA1
525098afba387baa22b08d5b4faab90824ebf26b

SHA256
08709a02c257739281f1a0a0bdae189a28a201d36fb30deb0b09c5ebff6fa397

SHA512
71ebcc2e07b1fd3273f0ecbd76171992de0f0197dc122f78943f6d1e8c82a803d862367d3f62672d5df035d34be93ff0be6d6772bec26d6a24a57863a656c655

Download Submit
memory/224-37-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/224-42-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2740-14-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2740-0-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2924-24-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3584-25-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3584-39-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads