urelas | a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37

General

Target

a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe
Size

467KB
MD5

527477530432c9adb0863a0d696aa4f6
SHA1

840de359cbf7a47a7fccf2d2083318cf0c582f67
SHA256

a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37
SHA512

fca91cec513dae8bbe93710e97662f47ea38002e8d9bf296a2baac027dbf7284046cb65887e9459c739ce264c96ae96b4aaaf69a6c1a46b56f20692ede841963
SSDEEP

12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UQ:m6tQCG0UUPzEkTn4AC1+p

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exesoxeu.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	soxeu.exe

Executes dropped EXE 2 IoCs

Processes:

soxeu.exekexey.exe

pid	Process
4516	soxeu.exe
2400	kexey.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0003000000000707-22.dat	upx
behavioral2/memory/2400-26-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/2400-30-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/2400-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/2400-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exesoxeu.execmd.exekexey.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soxeu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kexey.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

kexey.exe

pid	Process
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe
2400	kexey.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exesoxeu.exe

description	pid	Process	procid_target
PID 2420 wrote to memory of 4516	2420	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe	83
PID 2420 wrote to memory of 4516	2420	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe	83
PID 2420 wrote to memory of 4516	2420	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe	83
PID 2420 wrote to memory of 3084	2420	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe	84
PID 2420 wrote to memory of 3084	2420	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe	84
PID 2420 wrote to memory of 3084	2420	a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe	84
PID 4516 wrote to memory of 2400	4516	soxeu.exe	103
PID 4516 wrote to memory of 2400	4516	soxeu.exe	103
PID 4516 wrote to memory of 2400	4516	soxeu.exe	103

C:\Users\Admin\AppData\Local\Temp\a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe
"C:\Users\Admin\AppData\Local\Temp\a99edfd1e744ff1278d9d0ce6a14e63a95b712023b676b8009f77d50caebfc37.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\soxeu.exe
  "C:\Users\Admin\AppData\Local\Temp\soxeu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\kexey.exe
    "C:\Users\Admin\AppData\Local\Temp\kexey.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
3ed3ab54162ffad4adc0078434508672

SHA1
98a1b1113499d71afc62c6fb9cf383def57634a8

SHA256
c87d8f9732e9e3c32e90e50c870fd08286c9fa6e7400d7521b5287693f225f24

SHA512
df284bc5ac9c960a56ec852283c0950baafadf4288738eb7b4bfa1cf06a19f28bd6bfe362a300e054adbf9d846144b490958cea3c9cf5f0bafafeeb926f0d4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
95cc90ad49cbabe6e7705d88741eb8cb

SHA1
5a6cd3e4976471e5240b4a7acb7a7879db23f50a

SHA256
c3da4531cd40f600ce3e98b59926cb1e57ccd33d18f8bb401800991b7f6e4781

SHA512
507265a17c2f3fbed4afe5c3db4f8911010583809058e4ae21cb5e123e6ce416dfce9b43795e8cb3eeb3b236458d8f63171092a0084876d934c518dee4431b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kexey.exe

Filesize
198KB

MD5
9a95293bd29de4ce6210ce1d213399b0

SHA1
137735a490cdb65b87c2dac85bea013f0f1ef976

SHA256
4b08afa698bb5b3f1c06a26154d473f36aed3027a426d37b75714d66e08dd4ed

SHA512
83e830dcd1cfc14b3bf14af8f2198d6df896a6681338b9661a3a7fd7c04eeb7037f80d8df467eb2c8696b1953d3e0c809e16967e31873002ad205838ca497fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\soxeu.exe

Filesize
467KB

MD5
ba61bc553a31a010340103e309a719e1

SHA1
23415f4bdd496c224c3d116b23f9ed8ccae286f7

SHA256
0054a04967e52c6d7555f41f97f0ec3b841088aac7fb775355bed4053bcb034b

SHA512
a9c9257ac88e7aab47eccd31e7b731a33196f0436264e764c3b8b09d0424a32128ff8f29b115dd5e826195863ebfff17914a2102f056cf21e9a8e885ef5368ec

Download Submit
memory/2400-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2400-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2400-26-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2400-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2420-14-0x0000000000500000-0x000000000057C000-memory.dmp

Filesize
496KB

Download
memory/2420-0-0x0000000000500000-0x000000000057C000-memory.dmp

Filesize
496KB

Download
memory/4516-17-0x0000000000610000-0x000000000068C000-memory.dmp

Filesize
496KB

Download
memory/4516-27-0x0000000000610000-0x000000000068C000-memory.dmp

Filesize
496KB

Download
memory/4516-10-0x0000000000610000-0x000000000068C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads