urelas | 44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c

General

Target

44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe
Size

536KB
MD5

f9af706df4dcec928ce28ba9db8d2585
SHA1

e35a65fc775be9cd630ccf7fcd09ee240d27f899
SHA256

44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c
SHA512

9e0b5070cc1a0000f6ff0040ce0e8f36cf964100a9350b2907674d3b9bdf5c7a6c61fea074732b6294fb869952aa1bcc7b3ab2a8c2ea1fa70d93e7e92a0a8988
SSDEEP

12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2T:cLjQC+bs0YOT

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1096	puadg.exe
2632	biuje.exe

Loads dropped DLL 2 IoCs

pid	Process
2756	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe
1096	puadg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2756-0-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/files/0x000e000000017467-4.dat	upx
behavioral1/memory/2756-17-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1096-18-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1096-21-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1096-29-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biuje.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe
2632	biuje.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1096	2756	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	31
PID 2756 wrote to memory of 1096	2756	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	31
PID 2756 wrote to memory of 1096	2756	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	31
PID 2756 wrote to memory of 1096	2756	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	31
PID 2756 wrote to memory of 2800	2756	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	32
PID 2756 wrote to memory of 2800	2756	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	32
PID 2756 wrote to memory of 2800	2756	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	32
PID 2756 wrote to memory of 2800	2756	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	32
PID 1096 wrote to memory of 2632	1096	puadg.exe	34
PID 1096 wrote to memory of 2632	1096	puadg.exe	34
PID 1096 wrote to memory of 2632	1096	puadg.exe	34
PID 1096 wrote to memory of 2632	1096	puadg.exe	34

C:\Users\Admin\AppData\Local\Temp\44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe
"C:\Users\Admin\AppData\Local\Temp\44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\puadg.exe
  "C:\Users\Admin\AppData\Local\Temp\puadg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\biuje.exe
    "C:\Users\Admin\AppData\Local\Temp\biuje.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
db38cec0ed48155f1663628226e380d0

SHA1
916c83b08db52972e4f13d6ebd0c4c9287ae75d8

SHA256
f3fbb75ef764e7bbca6ba076b984895051ffced4e18c848c4bf7d8b49d598bdf

SHA512
8c685dda2992911f662e7906161bfa9232739b1a2bda85cfe342ca8ff0fe6adbbd54e10c3c838426e1aaa85ec17126ef9311d8091b57a25aed1013a13d483f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
29f5758b78c7e7a1032946c02a0fcadf

SHA1
ecee998974651dc46c05b6af2c5763dbd7f0a7c9

SHA256
65e18bb2e069689cd71974b6ebaff8a7d0af0da7a536cacc46480f67733d327d

SHA512
2f2c6724431d6ef366ae249000da91e0a0d36152ea41bab0e54564561b02e7e7b45a5b9805969ee2ae6daa2b4f2cb9ce40138a06a06f8f1d88449acca4d6ac80

Download Submit
\Users\Admin\AppData\Local\Temp\biuje.exe

Filesize
241KB

MD5
ab044751b2494ad6601dd9083a776906

SHA1
b12c15d08d95dc69f6fdd16343a5cd6c20ebe02e

SHA256
dc056a8c737bad1a39d1dfbdefc010d31083a35673ad8c5389d0b087d1ae3344

SHA512
af055ce08c6a764ebdbf33b15c8902add7325090d8d874d745e7b6a9fa9188b2b3606ffb1231d46f6fd0dbd64a560dd8aaa45ef219ad5326810e3ddd50ed3a53

Download Submit
\Users\Admin\AppData\Local\Temp\puadg.exe

Filesize
536KB

MD5
0dbf636c577f7202ab4e395cac6b6fc9

SHA1
a77c64315e5d968b7bc96f72ede1c9f7ea96ef81

SHA256
cceaede1791378e9724d55f022ed45390483d47c76f99e6d247eecec958b996e

SHA512
bb8b9350c1a5965d6e50eb585955ee22a6e387ae1b02459d29228250a9275771e8ce92a14e170ccc50d0bfe070003ba3d9baa9643c94f4750f345156e1e9af55

Download Submit
memory/1096-27-0x0000000003C70000-0x0000000003D26000-memory.dmp

Filesize
728KB

Download
memory/1096-29-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1096-18-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1096-21-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2632-30-0x00000000009F0000-0x0000000000AA6000-memory.dmp

Filesize
728KB

Download
memory/2632-32-0x00000000009F0000-0x0000000000AA6000-memory.dmp

Filesize
728KB

Download
memory/2632-33-0x00000000009F0000-0x0000000000AA6000-memory.dmp

Filesize
728KB

Download
memory/2756-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2756-15-0x0000000002530000-0x00000000025BB000-memory.dmp

Filesize
556KB

Download
memory/2756-17-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing