urelas | 8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f

General

Target

8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe
Size

541KB
MD5

e848cc55bb658894a350d1c853a1567b
SHA1

d6e57e2c4ade50f89ee9a5b48268bfab2e9db001
SHA256

8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f
SHA512

32b495ec4b7674a5750e8c63b2fa5bd4af7ccef8c9d556f82c1ea2555b1c78719495e78064615e37fad9358d07c2ec6f031d2b751abb724deff26e2be6d82af9
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxuz:92SLi70T7Mifju

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ikyhf.exe

Executes dropped EXE 2 IoCs

pid	Process
5016	ikyhf.exe
2456	lumak.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4444-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-6.dat	upx
behavioral2/memory/5016-12-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/4444-14-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/5016-17-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/5016-25-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lumak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ikyhf.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe
2456	lumak.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 5016	4444	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe	83
PID 4444 wrote to memory of 5016	4444	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe	83
PID 4444 wrote to memory of 5016	4444	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe	83
PID 4444 wrote to memory of 4400	4444	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe	84
PID 4444 wrote to memory of 4400	4444	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe	84
PID 4444 wrote to memory of 4400	4444	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe	84
PID 5016 wrote to memory of 2456	5016	ikyhf.exe	104
PID 5016 wrote to memory of 2456	5016	ikyhf.exe	104
PID 5016 wrote to memory of 2456	5016	ikyhf.exe	104

C:\Users\Admin\AppData\Local\Temp\8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe
"C:\Users\Admin\AppData\Local\Temp\8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\ikyhf.exe
  "C:\Users\Admin\AppData\Local\Temp\ikyhf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Users\Admin\AppData\Local\Temp\lumak.exe
    "C:\Users\Admin\AppData\Local\Temp\lumak.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
861670fb312741d9ad76a7cd2b118d15

SHA1
c43025026fc13dce81c028889695c5c06754bc40

SHA256
b15a683b135b842ef5af69a208694749e49eb14ef43cccd9528295e0657d2bbf

SHA512
f12f5a07cc26de42d069a433b4795d47ace58bad8d1ee5b7accac74361fb101e12334258326a0409a80b874ed9ffd0a03603762d8e259ebd0306a52fb410fd1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2962caf57b2f1650d11e43c5e9c91146

SHA1
9ab796a8e4aac3c8106b737888625fead7536621

SHA256
3bc02d399dd1ba723a84aa3922219ed235000d118cec85761b2f94f9b55b927d

SHA512
991423744bb7218106f0f6347f3fd0915a2413d010930b6eecf9a2645ec0cfc78a10134126b97ed4558bf932f0eb3c8a515cd39c5f0baab91feb5ad48ea24468

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikyhf.exe

Filesize
541KB

MD5
473d673a0dec2074951077f598b95c2a

SHA1
8d1b93db070000ac4d84bded066ae152948eeac8

SHA256
700607d8318861785e9dad91ad4b4fb31b640ed9c4cba98e7b60f281a80569ad

SHA512
24dd0e686f8077684aa4189e147a473a918ea0a8407bc5dd37ddc4c22c0b4b5de87fe20ad768df953ca97b8e2ebe4d13ad15cdbb91953cb585c391f3644ae264

Download Submit
C:\Users\Admin\AppData\Local\Temp\lumak.exe

Filesize
230KB

MD5
7a4272eedfdfe136e63986738573c4eb

SHA1
2d1587985acb75c1a156e19008a57c3704115813

SHA256
ef18546a3fc663fb414939535c308e18c6599ac387776662c096e8c4692fa6ab

SHA512
d016e9290487a985594cd2184cdd1fe5c9480c06bcf4efc44466f0e7af29848e0d5c9b380ce8ffb70ccbfdd2e143304ce40d7810de3a0c2b062f64ce66bc1f9a

Download Submit
memory/2456-27-0x00000000005D0000-0x0000000000683000-memory.dmp

Filesize
716KB

Download
memory/2456-31-0x00000000005D0000-0x0000000000683000-memory.dmp

Filesize
716KB

Download
memory/2456-30-0x00000000005D0000-0x0000000000683000-memory.dmp

Filesize
716KB

Download
memory/2456-28-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4444-14-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4444-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5016-25-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5016-17-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5016-12-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing