urelas | 1f36f7bc147a1f30de72f525e7a2fbb75bf4e6543bf4c0a6679ca709179141a8

General

Target

1f36f7bc147a1f30de72f525e7a2fbb75bf4e6543bf4c0a6679ca709179141a8N.exe
Size

275KB
MD5

022503bdf26bed71c70ef8db537ccc20
SHA1

3dcd6d5ec1a69cbed45629fd57234b7c2a97e78a
SHA256

1f36f7bc147a1f30de72f525e7a2fbb75bf4e6543bf4c0a6679ca709179141a8
SHA512

bc50119dedec553ffa54943abeb855646c326e92bdd7918f8d9f7a11a60fecb8f00c5fe943539ec6de97271ac4c75a98986d77f396a8fa0ff86666290041839b
SSDEEP

6144:mscauqSZTCQgYKCoGS43WrQe/0mdxU7mysjo0nhb:zYq6gCop2KQU1TUNW7b

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	1f36f7bc147a1f30de72f525e7a2fbb75bf4e6543bf4c0a6679ca709179141a8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	busie.exe

Executes dropped EXE 2 IoCs

pid	Process
3756	busie.exe
2460	ihkow.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000703-32.dat	upx
behavioral2/memory/2460-35-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral2/memory/2460-40-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral2/memory/2460-41-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral2/memory/2460-42-0x0000000000400000-0x00000000004A7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f36f7bc147a1f30de72f525e7a2fbb75bf4e6543bf4c0a6679ca709179141a8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	busie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihkow.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe
2460	ihkow.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 3756	1472	1f36f7bc147a1f30de72f525e7a2fbb75bf4e6543bf4c0a6679ca709179141a8N.exe	82
PID 1472 wrote to memory of 3756	1472	1f36f7bc147a1f30de72f525e7a2fbb75bf4e6543bf4c0a6679ca709179141a8N.exe	82
PID 1472 wrote to memory of 3756	1472	1f36f7bc147a1f30de72f525e7a2fbb75bf4e6543bf4c0a6679ca709179141a8N.exe	82
PID 1472 wrote to memory of 4348	1472	1f36f7bc147a1f30de72f525e7a2fbb75bf4e6543bf4c0a6679ca709179141a8N.exe	83
PID 1472 wrote to memory of 4348	1472	1f36f7bc147a1f30de72f525e7a2fbb75bf4e6543bf4c0a6679ca709179141a8N.exe	83
PID 1472 wrote to memory of 4348	1472	1f36f7bc147a1f30de72f525e7a2fbb75bf4e6543bf4c0a6679ca709179141a8N.exe	83
PID 3756 wrote to memory of 2460	3756	busie.exe	94
PID 3756 wrote to memory of 2460	3756	busie.exe	94
PID 3756 wrote to memory of 2460	3756	busie.exe	94

C:\Users\Admin\AppData\Local\Temp\1f36f7bc147a1f30de72f525e7a2fbb75bf4e6543bf4c0a6679ca709179141a8N.exe
"C:\Users\Admin\AppData\Local\Temp\1f36f7bc147a1f30de72f525e7a2fbb75bf4e6543bf4c0a6679ca709179141a8N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\busie.exe
  "C:\Users\Admin\AppData\Local\Temp\busie.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Users\Admin\AppData\Local\Temp\ihkow.exe
    "C:\Users\Admin\AppData\Local\Temp\ihkow.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
ae6a1edd58b795da48fa9d85ae425a1c

SHA1
286063ba94ec7a821d3e9b32846e00f929fd14a5

SHA256
bc53a32214606f0a833fcc895ad911d91f1a007731d81597e31acc9403c6bc45

SHA512
24bf28abcdb0d13e4d09c75be7bc15a48ecc2910796042c5936782f6724f2fa84cf1d201a79c4fb6d8da183bb07176fbefcf84adb5f36f99eb2b3099a0d4fa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\busie.exe

Filesize
275KB

MD5
26d6e7084e76edc95420cd15fb9c2d12

SHA1
3dbf7575742ff23ea0b71b4b1e932e0c451eeacc

SHA256
ff28e441c2870ffa4f1b41c76e75a84f76554a3cd5755d42efd41b9f3b63ddd6

SHA512
f98e4ca9f093d0a18ba70131cfb9dc3d738d0760852d60de02db47743ea2e6afb3592274bfb088a1fae51f219568e4f4cf4da4d58489e03558c9de690a6e6e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
770a1b8dcf00b1d618018b9fb74189ae

SHA1
8de56caa4c3f40e3b124b8d3884ae0d1f507ecaa

SHA256
57c32f223c0038bd7354192202d5e28e15a4534753ebdb904557ec728920515c

SHA512
96d63e04bd99b946e70bd86a06893699d54a72b5d1397cc5507b1179aa44c95c0664b905168316ddc3d22955f408fc58e2e3d9c5328a2f6f18b16c97f41fa45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihkow.exe

Filesize
205KB

MD5
e797f44f7ab5452d950927707ac820b7

SHA1
2b928d4c360962151fc248dee178ca728524f735

SHA256
2227080a96f5b18a2ecf37896c153688baed103c47d25042fbf9eb0e6d684e93

SHA512
8ee780cade7181c39c7e6fb01500cff71b812ff84cd1ed2c0048e813841a6392b2e04b252708f393a9e8db0989a6eb5065662aa5df4491b49c3b218aef61f2f6

Download Submit
memory/1472-15-0x0000000000AE0000-0x0000000000B80000-memory.dmp

Filesize
640KB

Download
memory/1472-0-0x0000000000AE0000-0x0000000000B80000-memory.dmp

Filesize
640KB

Download
memory/2460-40-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2460-42-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2460-35-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2460-41-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/3756-19-0x00000000009D0000-0x0000000000A70000-memory.dmp

Filesize
640KB

Download
memory/3756-38-0x00000000009D0000-0x0000000000A70000-memory.dmp

Filesize
640KB

Download
memory/3756-10-0x00000000009D0000-0x0000000000A70000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing