urelas | 713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46

General

Target

713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe
Size

6.5MB
MD5

dfd636e10b468d1ff62cba3cb4234850
SHA1

20ae9ae3d446e1ce63da8893944ab7dbac6d9083
SHA256

713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46
SHA512

6cc4e0273e52b3904db99a689f47dce10aea52d4f7295c31cfa2ab0d58acdaf1c2a1d253845dc0cf80c90c3146b46e6f70ababbaacbc766e64c2e8b03efd6caf
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVS2:i0LrA2kHKQHNk3og9unipQyOaO2

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	zexad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	cykusy.exe

Executes dropped EXE 3 IoCs

pid	Process
2120	zexad.exe
3308	cykusy.exe
2120	ajivu.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000709-65.dat	upx
behavioral2/memory/2120-72-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/2120-76-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zexad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cykusy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajivu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1176	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe
1176	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe
2120	zexad.exe
2120	zexad.exe
3308	cykusy.exe
3308	cykusy.exe
2120	ajivu.exe
2120	ajivu.exe
2120	ajivu.exe
2120	ajivu.exe
2120	ajivu.exe
2120	ajivu.exe
2120	ajivu.exe
2120	ajivu.exe
2120	ajivu.exe
2120	ajivu.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2120	1176	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe	83
PID 1176 wrote to memory of 2120	1176	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe	83
PID 1176 wrote to memory of 2120	1176	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe	83
PID 1176 wrote to memory of 4628	1176	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe	84
PID 1176 wrote to memory of 4628	1176	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe	84
PID 1176 wrote to memory of 4628	1176	713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe	84
PID 2120 wrote to memory of 3308	2120	zexad.exe	86
PID 2120 wrote to memory of 3308	2120	zexad.exe	86
PID 2120 wrote to memory of 3308	2120	zexad.exe	86
PID 3308 wrote to memory of 2120	3308	cykusy.exe	103
PID 3308 wrote to memory of 2120	3308	cykusy.exe	103
PID 3308 wrote to memory of 2120	3308	cykusy.exe	103
PID 3308 wrote to memory of 4504	3308	cykusy.exe	104
PID 3308 wrote to memory of 4504	3308	cykusy.exe	104
PID 3308 wrote to memory of 4504	3308	cykusy.exe	104

C:\Users\Admin\AppData\Local\Temp\713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe
"C:\Users\Admin\AppData\Local\Temp\713e3a871e4fb2e0b256004a522de592851b3c2772319eaff9370164aa1dea46N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\zexad.exe
  "C:\Users\Admin\AppData\Local\Temp\zexad.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\cykusy.exe
    "C:\Users\Admin\AppData\Local\Temp\cykusy.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\ajivu.exe
      "C:\Users\Admin\AppData\Local\Temp\ajivu.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
6063dc562a973b1241a8f76f06015bb3

SHA1
fdebc0953103a502a41903c4e480ff091ac07e4b

SHA256
1148352179ff22180c8a33724850d58453871128fe656882c9bf68c12d540703

SHA512
e6a6dc021325a71769810745ce24e7aa2127011a08e9f29f5032de2ef93beede43964b18633d255e4d94df6e2c20e10003201fd3f0e91f5e43bbde6ab63c4436

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
cec8309e59dfa98b3d5cfd9098dbfe24

SHA1
aa49267906d4e30088829121ee5cc46b39a407d1

SHA256
d7e89a318eac757d6a94c73d714e763ea35934a575c9a0fdc197cf99c44f26d2

SHA512
7d6082e57f7845291ab3ec91ee093d2fde476bb71b12608918bdaf1624e9cb506339bb6b28b835ad141a2069eafa42fd22159e42d11c937d0df4d15cc1671b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajivu.exe

Filesize
459KB

MD5
1b84135d0b61bca181bb7d332e05527d

SHA1
404f839fa1c0a46cbfc444cc07b7c63a5525a5d0

SHA256
4245c8480ac2892c3822e6a2ae5b46aabb1254ff6d668fa7d8098c2f21b6b09d

SHA512
7663c6820a69736ad17f02c2356d68e02a08febfd2fd9d0c61bd8199fc031e97fbfc292a8b4d35e44b73b118ec027e3921d836665cfc1328c97709b6855b4ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ed2003924b38ab92d6a9dd282a74b972

SHA1
722d796f77390ebc3d3fd48df39a6516e41f3240

SHA256
8dbe4c581c49c092dc49bf4917fa787773413164e882da3f655d938084be5675

SHA512
376381d6b19ec412f496cfc99e5d60c825bb231c4026d268faf37c9e451b16be4c5c0da0ce81488dbf9e3e4027aa3ca68406eb11efdc95a9aad96d093a20af98

Download Submit
C:\Users\Admin\AppData\Local\Temp\zexad.exe

Filesize
6.5MB

MD5
2a731725d251d4b94113cc88696b9c04

SHA1
04b51a15ab84e2cd16ba1d83696bd5e448fd055a

SHA256
646539d5dff20b20f949327b9f6ee82dcf3fc58da2aec6d037fb00b7ba249d69

SHA512
2926d4ed632d720f686a262c2e3ef33cdadbad9d16b4511bf0a27e14bb3dcfcc624ade8591cf67cf6ea8da626c2c09d4bfff9883dcdca14a19e9cff6d917c276

Download Submit
memory/1176-3-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1176-5-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/1176-2-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/1176-1-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1176-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1176-6-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/1176-7-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/1176-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1176-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1176-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1176-4-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/1176-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1176-8-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/2120-30-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/2120-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2120-33-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2120-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2120-76-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2120-29-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/2120-28-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/2120-27-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/2120-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2120-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2120-72-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2120-32-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/3308-54-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/3308-52-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/3308-51-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/3308-50-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/3308-59-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3308-53-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/3308-55-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/3308-73-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3308-56-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/3308-57-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3308-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing