urelas | 013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8b

General

Target

013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe
Size

541KB
MD5

8beafaec6342a842cce3bde70ec277e0
SHA1

bd083aaab79eb624373894eec75fdcd1fa410d29
SHA256

013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8b
SHA512

255a6acf442b0bac41d38b93e8cf15405b79917695fd86c81b1532e1c82374357d4627d8b14776344e4f768a85bfe9ace1df144cb3132e9330991d44c6352c1e
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxu5:92SLi70T7Mifj6

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1732	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2336	kemei.exe
1832	likiw.exe

Loads dropped DLL 2 IoCs

pid	Process
2888	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe
2336	kemei.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2888-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/files/0x000b000000012259-4.dat	upx
behavioral1/memory/2888-16-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2336-19-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2336-25-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kemei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	likiw.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe
1832	likiw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2336	2888	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe	31
PID 2888 wrote to memory of 2336	2888	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe	31
PID 2888 wrote to memory of 2336	2888	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe	31
PID 2888 wrote to memory of 2336	2888	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe	31
PID 2888 wrote to memory of 1732	2888	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe	32
PID 2888 wrote to memory of 1732	2888	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe	32
PID 2888 wrote to memory of 1732	2888	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe	32
PID 2888 wrote to memory of 1732	2888	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe	32
PID 2336 wrote to memory of 1832	2336	kemei.exe	35
PID 2336 wrote to memory of 1832	2336	kemei.exe	35
PID 2336 wrote to memory of 1832	2336	kemei.exe	35
PID 2336 wrote to memory of 1832	2336	kemei.exe	35

C:\Users\Admin\AppData\Local\Temp\013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe
"C:\Users\Admin\AppData\Local\Temp\013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\kemei.exe
  "C:\Users\Admin\AppData\Local\Temp\kemei.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\likiw.exe
    "C:\Users\Admin\AppData\Local\Temp\likiw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f816dd28b30e5b4ade6799282d47099e

SHA1
9675653ff2ccecab48040e19a111fd0602223de6

SHA256
0f304fcb832ab3771e624b6ef2ea1608cfbb914a2f305e9461c1031fbe0ea1e5

SHA512
fef96e53a0406e36b35b966b44f47213bd48d2c759ce4d084169a2eea6068067b6c8c122ccfd354bee3532234a5f8dcdb3a125e1bbe0e52d4823e616ec1b56a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
01ffcf4a99fdb172d756e3bee28727fa

SHA1
ff737290e32dc7ab42c4dcbe2f36a5620b82c13e

SHA256
ec94918472e9cf5b3897a50418180d3b119af747045e62264467e554b7d9d5a7

SHA512
7592c347ee40516f3bba7d505c8c36afb4ded41ca93e699dd5a8b5ea47d769058d1aac63b1dcd606c1e6518a0b02ca7c0b9d1420443dc2573effdbaafbad4772

Download Submit
\Users\Admin\AppData\Local\Temp\kemei.exe

Filesize
541KB

MD5
bb40f0dd842ffc129c25a7fa3e18cb4b

SHA1
2b1b15a9e48b63d9ed01a6ba4fd6dd6000cd8fcb

SHA256
9df600c6c1340c48c125321d3533f8d72d99dff63a3271167181a9eaee7a3ee8

SHA512
82b912537e39d79950f120ba2cfc0c0be71fd388e015b67dae68f64c98e7e8dc3e07a00aa82d2b153d8152969690cc8656a32b0fc95a0c945dcfb2341093d53c

Download Submit
\Users\Admin\AppData\Local\Temp\likiw.exe

Filesize
230KB

MD5
a7c1a65f03c1e58bf36d47adc78de9df

SHA1
784b46c19263a1669146d66aec3163e6993301a9

SHA256
a667449395f9e77436f05f8bdae97fb4416cad8518965a68cdcb839610d655ef

SHA512
6657c6574b27cdb864ccd55ab6674f9f3008fdf8899c4f931d372da7de2dc6013abfd48d675e8f460ce2a062511b7fc1dc24e62c06c9a6d70a39d1b9b82370d7

Download Submit
memory/1832-27-0x00000000008C0000-0x0000000000973000-memory.dmp

Filesize
716KB

Download
memory/1832-29-0x00000000008C0000-0x0000000000973000-memory.dmp

Filesize
716KB

Download
memory/1832-30-0x00000000008C0000-0x0000000000973000-memory.dmp

Filesize
716KB

Download
memory/2336-19-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2336-25-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2888-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2888-16-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing