urelas | c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32

General

Target

c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe
Size

6.5MB
MD5

b42065846911937cc82d51116d7a47f0
SHA1

e806bdeed3689d796a093d7699cb05f6df434805
SHA256

c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32
SHA512

b38f502b35b3cb0c80889c86d670edf736a5ecde85e127fcef337635faa027c28a88d53f02e7bfdf61ef94ce0ed713d2e5b14c1df089d1dfb3674c07a9b9b9c0
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVS/:i0LrA2kHKQHNk3og9unipQyOaO/

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	kimoe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ruvowe.exe

Executes dropped EXE 3 IoCs

pid	Process
4852	kimoe.exe
2440	ruvowe.exe
3948	ronyu.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000705-63.dat	upx
behavioral2/memory/3948-69-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/3948-75-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ronyu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kimoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruvowe.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2320	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe
2320	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe
4852	kimoe.exe
4852	kimoe.exe
2440	ruvowe.exe
2440	ruvowe.exe
3948	ronyu.exe
3948	ronyu.exe
3948	ronyu.exe
3948	ronyu.exe
3948	ronyu.exe
3948	ronyu.exe
3948	ronyu.exe
3948	ronyu.exe
3948	ronyu.exe
3948	ronyu.exe
3948	ronyu.exe
3948	ronyu.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 4852	2320	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe	83
PID 2320 wrote to memory of 4852	2320	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe	83
PID 2320 wrote to memory of 4852	2320	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe	83
PID 2320 wrote to memory of 1804	2320	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe	84
PID 2320 wrote to memory of 1804	2320	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe	84
PID 2320 wrote to memory of 1804	2320	c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe	84
PID 4852 wrote to memory of 2440	4852	kimoe.exe	86
PID 4852 wrote to memory of 2440	4852	kimoe.exe	86
PID 4852 wrote to memory of 2440	4852	kimoe.exe	86
PID 2440 wrote to memory of 3948	2440	ruvowe.exe	96
PID 2440 wrote to memory of 3948	2440	ruvowe.exe	96
PID 2440 wrote to memory of 3948	2440	ruvowe.exe	96
PID 2440 wrote to memory of 2076	2440	ruvowe.exe	97
PID 2440 wrote to memory of 2076	2440	ruvowe.exe	97
PID 2440 wrote to memory of 2076	2440	ruvowe.exe	97

C:\Users\Admin\AppData\Local\Temp\c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe
"C:\Users\Admin\AppData\Local\Temp\c5cce1b5304d25ddb32e2e8df34aafcd610fcf50249f44c7e21bf85c8e986f32N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\kimoe.exe
  "C:\Users\Admin\AppData\Local\Temp\kimoe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\ruvowe.exe
    "C:\Users\Admin\AppData\Local\Temp\ruvowe.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\ronyu.exe
      "C:\Users\Admin\AppData\Local\Temp\ronyu.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
177682ea142361843a8cc8eb3da20b27

SHA1
cdf6b3a333b6adca41383f7b90bc16d37bf40ab6

SHA256
5e57c2b5f6311f717ca2e2e3a3cdc3f9931ce64261125a7f4402b05d3f246644

SHA512
2f75999128e0070c329b74aab4ed0b1ff69dbd9d10580fb0025f3173925687aabeb6805ed3588eaeab09f0bc4155c85fec7d93dd0021ec872c474a60f9189474

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
3b879f98dfac596d31bfaade3bef4caa

SHA1
2cd37fb5fe463d6dcff0b303803bd53ea3a8b16e

SHA256
71e7a71eb102820496f8d557022918ea7ff5bdc8ce154648c2a0bdf4cec6b2b4

SHA512
14a5314e0362a90a01dbee850be7dab579884bdfff20c0ae2d9eea69ae4f9e85886d4657229e5caade697987edcb46908a4570f7aee23fef269ddacdfb757957

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
41734be52e7a9dfc608cde3a826cfecf

SHA1
b45dc8ec4f3c0e0ecb513a6191daddb58e753722

SHA256
e27466e090e2a9f413bd3e881db6d8fbc59bd9a91aaf2b49ff6244880cdf852f

SHA512
67b87dec6e3e7a52549f3a0670a3ed0508abf5ec458a38943916fac2388d6f35004c346c58f65c0af5c4163093141c7ff9078315207e58a10945e7f050910ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kimoe.exe

Filesize
6.5MB

MD5
ef34c53ce9210594bb18973ae6572a91

SHA1
ee501419efb8644d5df24bdc545e8ae0cad54655

SHA256
06b87494cc30ba232af547b316f7976f7f40ef38d366e7d80a7056b4aeb7dd7d

SHA512
ef74539ef169677505e7e7ae33517963649aeb0c06e1e2904d5e7fdf432d779bdb53ef8d6504b8887f8b7de11035bb62a7557553fb5f03a1b8a4b868c658f67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ronyu.exe

Filesize
459KB

MD5
0851e3e94117d5b8a43ba66212563c7d

SHA1
babd5517344a153957c955b7f2908f1136d3ee61

SHA256
ca404ef723215b987426289961f15e47748e0efedd5b82b58062890c95e949d2

SHA512
118f6a43fb33461389b26a78f874f42eecf2e9a15bc49e05ece87a842a0ee3b9d819fbc298f85bcd6cb3fd069afc5cd6503cf92b3a4b6e295a7c7e60d2ca03a8

Download Submit
memory/2320-8-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/2320-5-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/2320-2-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/2320-1-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/2320-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2320-6-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/2320-7-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/2320-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2320-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2320-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2320-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2320-4-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/2320-3-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2440-51-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/2440-71-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2440-57-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2440-55-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3948-69-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3948-75-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4852-31-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/4852-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4852-33-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/4852-30-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/4852-29-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/4852-34-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/4852-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4852-32-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/4852-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4852-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4852-28-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing