urelas | 44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c

General

Target

44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe
Size

536KB
MD5

f9af706df4dcec928ce28ba9db8d2585
SHA1

e35a65fc775be9cd630ccf7fcd09ee240d27f899
SHA256

44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c
SHA512

9e0b5070cc1a0000f6ff0040ce0e8f36cf964100a9350b2907674d3b9bdf5c7a6c61fea074732b6294fb869952aa1bcc7b3ab2a8c2ea1fa70d93e7e92a0a8988
SSDEEP

12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2T:cLjQC+bs0YOT

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	iznul.exe

Executes dropped EXE 2 IoCs

pid	Process
4308	iznul.exe
4836	cooxr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2860-0-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/files/0x000b000000023b92-6.dat	upx
behavioral2/memory/2860-13-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4308-16-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4308-24-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iznul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cooxr.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe
4836	cooxr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 4308	2860	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	85
PID 2860 wrote to memory of 4308	2860	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	85
PID 2860 wrote to memory of 4308	2860	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	85
PID 2860 wrote to memory of 384	2860	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	86
PID 2860 wrote to memory of 384	2860	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	86
PID 2860 wrote to memory of 384	2860	44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe	86
PID 4308 wrote to memory of 4836	4308	iznul.exe	106
PID 4308 wrote to memory of 4836	4308	iznul.exe	106
PID 4308 wrote to memory of 4836	4308	iznul.exe	106

C:\Users\Admin\AppData\Local\Temp\44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe
"C:\Users\Admin\AppData\Local\Temp\44381f30ef26a7aacb7c46902406f9f9e7c4d504c7be7cc997acc7275a3a595c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\iznul.exe
  "C:\Users\Admin\AppData\Local\Temp\iznul.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\cooxr.exe
    "C:\Users\Admin\AppData\Local\Temp\cooxr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
db38cec0ed48155f1663628226e380d0

SHA1
916c83b08db52972e4f13d6ebd0c4c9287ae75d8

SHA256
f3fbb75ef764e7bbca6ba076b984895051ffced4e18c848c4bf7d8b49d598bdf

SHA512
8c685dda2992911f662e7906161bfa9232739b1a2bda85cfe342ca8ff0fe6adbbd54e10c3c838426e1aaa85ec17126ef9311d8091b57a25aed1013a13d483f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cooxr.exe

Filesize
241KB

MD5
7a0851aabe9e2544b05b6bab568d29f3

SHA1
6ce0d7bd296663b4b5542e89e1317cd55964a0a5

SHA256
4fc5f55b8a4d07938421c6b616ff1ec5803eaf18cfaa74265df40d673269be80

SHA512
1db2788b8e724fa3d64450220319b560d9db59205df043694970421b8ebe480d468b363d6eee66829d1510abd423e7963be690fb2d5ca44d18140d1a68b19c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
de77925bb4b82c913cf4756d57b0c891

SHA1
b94e05d2a05fcc0d5e56089dabc4603ef565f25b

SHA256
da1cd906a7cbb17fff15ca4b8683507399879773d4f1a481b0e7c66068d74b11

SHA512
f498311d8073adfed43d5fbbabb56e654bbda307e9e3288fcbcb2ea381b24ebee217610586661a89036900c6783479e130d387d4ab7835fcc3647856b5846cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iznul.exe

Filesize
536KB

MD5
67c862f3c43a0e4be1251b1e82e9e862

SHA1
8953bcc71fc4439310abd464267fae49b6ba6abd

SHA256
c538ad2e5208043d13f714647864038e7dabeb594adaf837ab550cb2553c572f

SHA512
c56e044893b7b77316a22051a868547c4515625abb3116d30a4c3247443a55d5a66274e36617092e36728f7e14ae2378e669a75fa4d5a5ed84240ef7426ddb7a

Download Submit
memory/2860-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2860-13-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4308-16-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4308-24-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4836-25-0x0000000000120000-0x00000000001D6000-memory.dmp

Filesize
728KB

Download
memory/4836-27-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4836-29-0x0000000000120000-0x00000000001D6000-memory.dmp

Filesize
728KB

Download
memory/4836-30-0x0000000000120000-0x00000000001D6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing