urelas | a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37

General

Target

a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe
Size

467KB
MD5

527477530432c9adb0863a0d696aa4f6
SHA1

840de359cbf7a47a7fccf2d2083318cf0c582f67
SHA256

a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37
SHA512

fca91cec513dae8bbe93710e97662f47ea38002e8d9bf296a2baac027dbf7284046cb65887e9459c739ce264c96ae96b4aaaf69a6c1a46b56f20692ede841963
SSDEEP

12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UQ:m6tQCG0UUPzEkTn4AC1+p

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
3008	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

etpyn.exelaxoj.exe

pid	Process
2748	etpyn.exe
2668	laxoj.exe

Loads dropped DLL 2 IoCs

Processes:

a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exeetpyn.exe

pid	Process
2136	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe
2748	etpyn.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2668-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-28.dat	upx
behavioral1/memory/2668-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2668-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2668-33-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exeetpyn.execmd.exelaxoj.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	etpyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	laxoj.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

laxoj.exe

pid	Process
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe
2668	laxoj.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exeetpyn.exe

description	pid	Process	procid_target
PID 2136 wrote to memory of 2748	2136	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe	30
PID 2136 wrote to memory of 2748	2136	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe	30
PID 2136 wrote to memory of 2748	2136	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe	30
PID 2136 wrote to memory of 2748	2136	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe	30
PID 2136 wrote to memory of 3008	2136	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe	31
PID 2136 wrote to memory of 3008	2136	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe	31
PID 2136 wrote to memory of 3008	2136	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe	31
PID 2136 wrote to memory of 3008	2136	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe	31
PID 2748 wrote to memory of 2668	2748	etpyn.exe	34
PID 2748 wrote to memory of 2668	2748	etpyn.exe	34
PID 2748 wrote to memory of 2668	2748	etpyn.exe	34
PID 2748 wrote to memory of 2668	2748	etpyn.exe	34

C:\Users\Admin\AppData\Local\Temp\a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe
"C:\Users\Admin\AppData\Local\Temp\a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\etpyn.exe
  "C:\Users\Admin\AppData\Local\Temp\etpyn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\laxoj.exe
    "C:\Users\Admin\AppData\Local\Temp\laxoj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
3ed3ab54162ffad4adc0078434508672

SHA1
98a1b1113499d71afc62c6fb9cf383def57634a8

SHA256
c87d8f9732e9e3c32e90e50c870fd08286c9fa6e7400d7521b5287693f225f24

SHA512
df284bc5ac9c960a56ec852283c0950baafadf4288738eb7b4bfa1cf06a19f28bd6bfe362a300e054adbf9d846144b490958cea3c9cf5f0bafafeeb926f0d4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c2bb2337dc892c33c0394335b02cfec1

SHA1
19f7cfdabbb9135f265483fe52999a16d57d44be

SHA256
9c587787d8bb3c2e9cf358e2ed2b838f1382c0141783aa0aab600c889b9bee71

SHA512
dd5699d749c602314a2c5cd92ebac39460014a0bc655a4ba54a746e8d2c1ac468143925447e50b60f9d18587312d6f76f042ecba30069d7aa904867c9e808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\laxoj.exe

Filesize
198KB

MD5
7e813810b6e97a6e6a063720c8141975

SHA1
e2aec8c4f3697f93854655cc99a6e4ba01c97479

SHA256
890a89967054d37bd595bf0944470a5c666b30e69367c31ae2cc611742996e86

SHA512
7118658319d5ab50bef7ce245b12358204f0d7411c3c94415326d7392bfaa297f5312d305e28bd9e0171d40f6794e50cf0b7bfd95349d39a361e497e32d90044

Download Submit
\Users\Admin\AppData\Local\Temp\etpyn.exe

Filesize
467KB

MD5
0fba9847a22383e243b8a3bd4b063ab5

SHA1
643d4f3211d5ed23d1a6d8e20b27e35984ce77e3

SHA256
2f3f06c043b8299493218b75c8e7152e3bbb3506e5d387c21224eeb4a16c9cdd

SHA512
4331aeb56038d819e02b2a8eea97bf7b13a7000606fc14ea5c67d538351656c9e36311fa3177999e3305e35c22ed1c79db068073fc290fdf0d2df76ebc0f0318

Download Submit
memory/2136-6-0x00000000025E0000-0x000000000265C000-memory.dmp

Filesize
496KB

Download
memory/2136-18-0x0000000000110000-0x000000000018C000-memory.dmp

Filesize
496KB

Download
memory/2136-0-0x0000000000110000-0x000000000018C000-memory.dmp

Filesize
496KB

Download
memory/2668-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2668-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2668-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2668-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2748-10-0x0000000001390000-0x000000000140C000-memory.dmp

Filesize
496KB

Download
memory/2748-21-0x0000000001390000-0x000000000140C000-memory.dmp

Filesize
496KB

Download
memory/2748-27-0x0000000001390000-0x000000000140C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads