urelas | a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280

General

Target

a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe
Size

557KB
MD5

7fe3c05a108db999797fe06051691586
SHA1

2b44f9d07a02e336dc6c9742b064a21340cedc88
SHA256

a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280
SHA512

e95fb30851baba7b2076ddc18fcca1d63dbbb9c602082bab3c010073cdfeebe10a71c88c55601cbb84f175ac3a2f8d9ddbe7141c1b6ba208b8606ac33a24c471
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyT:znPfQp9L3olqFT

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sepot.exe

Executes dropped EXE 2 IoCs

pid	Process
1992	sepot.exe
964	topoe.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1276-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/files/0x0008000000023bf9-6.dat	upx
behavioral2/memory/1276-13-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/1992-16-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/1992-27-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sepot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	topoe.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe
964	topoe.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 1992	1276	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe	84
PID 1276 wrote to memory of 1992	1276	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe	84
PID 1276 wrote to memory of 1992	1276	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe	84
PID 1276 wrote to memory of 4312	1276	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe	85
PID 1276 wrote to memory of 4312	1276	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe	85
PID 1276 wrote to memory of 4312	1276	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe	85
PID 1992 wrote to memory of 964	1992	sepot.exe	94
PID 1992 wrote to memory of 964	1992	sepot.exe	94
PID 1992 wrote to memory of 964	1992	sepot.exe	94

C:\Users\Admin\AppData\Local\Temp\a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe
"C:\Users\Admin\AppData\Local\Temp\a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\sepot.exe
  "C:\Users\Admin\AppData\Local\Temp\sepot.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\topoe.exe
    "C:\Users\Admin\AppData\Local\Temp\topoe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b3ce5c1b79472fa7760a9cc0061075e5

SHA1
821a121ce2e23654efa7771d65fbe33bbf096eea

SHA256
cd5eb434e04e6db59d9d7be262689599ae0217ee48a45483f347106eb6a9f005

SHA512
184dc97c249581b992a5d81d819e8aeacd93b30f355afb2b32bbd2e4cbece549ecfab409261ecd2575659f2fa85340e7abf940e275a7c1b16bb2b8343345d009

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4aa132febdb7f96c8b5c4f0c04329885

SHA1
e21b709203f171b4d48469d9f84f5d2aab325e8d

SHA256
f50cd4a4022455d5a1ecc6cc5df809db5e27be9f3581358a3794d8ee49023bc3

SHA512
f11eafe791fd213afbe461851e754a7acf0400bd35f8526a41222e1be0f2bcada131629c4b430bb490583bd4f587d6a8baff8a5d0cbcd3b235d3cecd5e8b1c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sepot.exe

Filesize
558KB

MD5
dd79e12eb22f2eec4eff296fe66ccd37

SHA1
8090afa5709e4d218eb133b912a1ef218fbc8775

SHA256
94443f433b5e560c40729bf7765c4755723820448153c87a5c97d5277655950f

SHA512
1c7035fde17bc24607921ef7a296381e33d0d09fea580554bfb8406f3a42d01b7997121e2d4a38ef199bbf2dbd3812d28ab1ff258d8b68efce75017246f2cbab

Download Submit
C:\Users\Admin\AppData\Local\Temp\topoe.exe

Filesize
194KB

MD5
4507494046cc2c9cc663c676cd552c14

SHA1
8096ca61ad8f43b9cd509176925f33f0f59f1d2e

SHA256
de0ca63d7cf7013dc5eed2c8d8876cfc9735bf075273d25e301972122d9b4c4f

SHA512
5bfdc871d8a186fcff8f2a1aa7cf28663a416244812cce70149aa2dc58219711059b5e8a76c21804ef5d0616e943cf85fffec257f49248c701998f273202d04b

Download Submit
memory/964-26-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/964-25-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/964-30-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/964-29-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/964-31-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1276-13-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1276-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1992-16-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1992-27-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing