urelas | 013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8b

General

Target

013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe
Size

541KB
MD5

8beafaec6342a842cce3bde70ec277e0
SHA1

bd083aaab79eb624373894eec75fdcd1fa410d29
SHA256

013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8b
SHA512

255a6acf442b0bac41d38b93e8cf15405b79917695fd86c81b1532e1c82374357d4627d8b14776344e4f768a85bfe9ace1df144cb3132e9330991d44c6352c1e
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxu5:92SLi70T7Mifj6

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sojim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe

Executes dropped EXE 2 IoCs

pid	Process
4556	sojim.exe
4612	muquh.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4468-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-6.dat	upx
behavioral2/memory/4468-13-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/4556-16-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/4556-26-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sojim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muquh.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe
4612	muquh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 4556	4468	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe	82
PID 4468 wrote to memory of 4556	4468	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe	82
PID 4468 wrote to memory of 4556	4468	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe	82
PID 4468 wrote to memory of 3700	4468	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe	83
PID 4468 wrote to memory of 3700	4468	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe	83
PID 4468 wrote to memory of 3700	4468	013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe	83
PID 4556 wrote to memory of 4612	4556	sojim.exe	94
PID 4556 wrote to memory of 4612	4556	sojim.exe	94
PID 4556 wrote to memory of 4612	4556	sojim.exe	94

C:\Users\Admin\AppData\Local\Temp\013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe
"C:\Users\Admin\AppData\Local\Temp\013c1656e7dff3ed7809b7350513f67ed2ae2d01581c0c5b0b706e659e22cd8bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Users\Admin\AppData\Local\Temp\sojim.exe
  "C:\Users\Admin\AppData\Local\Temp\sojim.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Users\Admin\AppData\Local\Temp\muquh.exe
    "C:\Users\Admin\AppData\Local\Temp\muquh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f816dd28b30e5b4ade6799282d47099e

SHA1
9675653ff2ccecab48040e19a111fd0602223de6

SHA256
0f304fcb832ab3771e624b6ef2ea1608cfbb914a2f305e9461c1031fbe0ea1e5

SHA512
fef96e53a0406e36b35b966b44f47213bd48d2c759ce4d084169a2eea6068067b6c8c122ccfd354bee3532234a5f8dcdb3a125e1bbe0e52d4823e616ec1b56a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2d9ff1af369b57c791fa265b3c6166da

SHA1
c58d3cf68edf05366d06e20b7d3c3923791a626c

SHA256
91093b4361dfe52209e620cc8cf1f18775bf4710af31370711b277ad9f73b1e4

SHA512
5f842a0846fde9a0514c82dd09e69647c788b3afa0d52485c43389fd4fe3d226b641ce3a3b2249e98622f7e47c4350e335cdf403eb8f3e7b3bb89931b5bba931

Download Submit
C:\Users\Admin\AppData\Local\Temp\muquh.exe

Filesize
230KB

MD5
55ca770ccf84a72e9726a27867cf7829

SHA1
b145394f1c70561001dc499f87e8300b64082a39

SHA256
ea46b986e2ed71cd1874d2f951248298708f7501798d1c2d3e98342aab32edd7

SHA512
f78c8647b22de58931073c0da25788230f9b1bc257878d66e80673b6ec8c1993089abe032d1e1bc44e2da1988bbd75375cc92ba60ddc6f26a7928b303ca2cfbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sojim.exe

Filesize
541KB

MD5
a4946c6a3267dbe092365a0b67af687f

SHA1
87a80c4e161736cdf17fb355cc93d2a40a04f4c8

SHA256
27a83b8a7f8fc487aab08bcdf9a8a2fb271086a34e1ea7a441c39f8b9aa47932

SHA512
464bb81375a583fc0d2dda59048b0871ada8c735e1bf4a051dbe69f6d8594dfb81d9b9a544dda16b317beb3a9e629ae55e52f2ac2e1e569f034655b843176aaf

Download Submit
memory/4468-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4468-13-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4556-16-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4556-26-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4612-25-0x0000000000480000-0x0000000000533000-memory.dmp

Filesize
716KB

Download
memory/4612-27-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/4612-29-0x0000000000480000-0x0000000000533000-memory.dmp

Filesize
716KB

Download
memory/4612-30-0x0000000000480000-0x0000000000533000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing