urelas | d8503f293df513b7448ae5c9728f1ce5ae610892a6f70390ec7c2e05d52bd398

General

Target

d8503f293df513b7448ae5c9728f1ce5ae610892a6f70390ec7c2e05d52bd398.exe
Size

321KB
MD5

5b93b43011d2c6d384d3b24c1ccd97ad
SHA1

1fff7b1bb423ca2b054f2407951b52b48ba7c981
SHA256

d8503f293df513b7448ae5c9728f1ce5ae610892a6f70390ec7c2e05d52bd398
SHA512

ca360ad1ab429e80f8541c9dc77754f2559b282421d7bb6780bede3ab34abeae22ce7c921413a3864c6d016e010dce283e576b048335a2b51efd2276501aef96
SSDEEP

6144:PU0USPuHKKAsgBZg178Z+Snk6Fpwlw8RmuZSz8VdPbMK95BL7jGjFUHpJ+MBh:2SPXSzJSk6FpwlzmupVdjx5B/mFYJ+M

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ijmud.exed8503f293df513b7448ae5c9728f1ce5ae610892a6f70390ec7c2e05d52bd398.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ijmud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	d8503f293df513b7448ae5c9728f1ce5ae610892a6f70390ec7c2e05d52bd398.exe

Executes dropped EXE 2 IoCs

Processes:

ijmud.exeomnal.exe

pid process

4616 ijmud.exe
2548 omnal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4616	ijmud.exe
2548	omnal.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

omnal.exe

pid	process
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe
2548	omnal.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d8503f293df513b7448ae5c9728f1ce5ae610892a6f70390ec7c2e05d52bd398.exeijmud.exe

description	pid	process	target process
PID 2168 wrote to memory of 4616	2168	d8503f293df513b7448ae5c9728f1ce5ae610892a6f70390ec7c2e05d52bd398.exe	ijmud.exe
PID 2168 wrote to memory of 4616	2168	d8503f293df513b7448ae5c9728f1ce5ae610892a6f70390ec7c2e05d52bd398.exe	ijmud.exe
PID 2168 wrote to memory of 4616	2168	d8503f293df513b7448ae5c9728f1ce5ae610892a6f70390ec7c2e05d52bd398.exe	ijmud.exe
PID 2168 wrote to memory of 2672	2168	d8503f293df513b7448ae5c9728f1ce5ae610892a6f70390ec7c2e05d52bd398.exe	cmd.exe
PID 2168 wrote to memory of 2672	2168	d8503f293df513b7448ae5c9728f1ce5ae610892a6f70390ec7c2e05d52bd398.exe	cmd.exe
PID 2168 wrote to memory of 2672	2168	d8503f293df513b7448ae5c9728f1ce5ae610892a6f70390ec7c2e05d52bd398.exe	cmd.exe
PID 4616 wrote to memory of 2548	4616	ijmud.exe	omnal.exe
PID 4616 wrote to memory of 2548	4616	ijmud.exe	omnal.exe
PID 4616 wrote to memory of 2548	4616	ijmud.exe	omnal.exe

C:\Users\Admin\AppData\Local\Temp\d8503f293df513b7448ae5c9728f1ce5ae610892a6f70390ec7c2e05d52bd398.exe
"C:\Users\Admin\AppData\Local\Temp\d8503f293df513b7448ae5c9728f1ce5ae610892a6f70390ec7c2e05d52bd398.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\ijmud.exe
"C:\Users\Admin\AppData\Local\Temp\ijmud.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616

C:\Users\Admin\AppData\Local\Temp\omnal.exe
"C:\Users\Admin\AppData\Local\Temp\omnal.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
340B

MD5
3857b83b0b3ac4682b9ef60d09230f03

SHA1
8059beadbfc82034e75e92d124777213550a01c8

SHA256
ab7487e35185fe6ab2ae3e3eb12ff42045285aa6b1700fa864464fdc6be23deb

SHA512
f403257b5e7869641b0110f646d6ae397f92866e4e5730422cd94b0ea7c6ecb578a2c7e1dd9af1fe41273fbba68af381290ffa199552c30122a66d2786df6f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
180b28347599127b007a166cab0b964c

SHA1
bdb4613e00c0651d829fabc28b9bdaae7d9ffe2c

SHA256
d357119d2242a243864a3f89d5b1034ef99e51a9ff23cf2e16cf711af39f4c67

SHA512
ec4febabaae9afc74632728e3945607e4dbfdbc9e44570b254ff990d720bef5d149051035c3246df4a3222bdc3d938c895d973dba920a319bd8c6f85c8a6e0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijmud.exe
Filesize
321KB

MD5
accdde0b3277d95865d870b98f0f202f

SHA1
c3d607458aef0e6005fc7255e7c198933eac2cac

SHA256
e6310d4814898bb6844d6adbfd453f807da19ddaa7e57c3cea4812f7830e7f30

SHA512
d5ca47bda4790a36ac2c2a8ced1701b9521a427bf5fcfd1e06ef9c9d237092242e171d405695246a6e02910ed170c63300af9fd0e1b94fdb32ee642af8480a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\omnal.exe
Filesize
186KB

MD5
d994ecfa0ef2ccbdc9e03467a22f397b

SHA1
a7c94775f6f62543c91f848445598753a89a6ca1

SHA256
8d1a85ac8d695716a67c0010e628ecb498a6a9d1ceaf1ba18794e49cbbbc0377

SHA512
4388250eb183464ee4d30a42c355dcfca93a606646de58e5a1424c952a60c99ad3101516fb00a542fec70cc01a1ebcb069cccc79267e50b84b450888d6aebc21

Download Submit
memory/2168-0-0x00000000004F0000-0x0000000000574000-memory.dmp

Filesize
528KB

Download
memory/2168-25-0x00000000004F0000-0x0000000000574000-memory.dmp

Filesize
528KB

Download
memory/2168-2-0x00000000004F0000-0x0000000000574000-memory.dmp

Filesize
528KB

Download
memory/2168-1-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2548-58-0x00000000009D0000-0x0000000000A66000-memory.dmp

Filesize
600KB

Download
memory/2548-57-0x00000000009D0000-0x0000000000A66000-memory.dmp

Filesize
600KB

Download
memory/2548-56-0x00000000009D0000-0x0000000000A66000-memory.dmp

Filesize
600KB

Download
memory/2548-55-0x00000000009D0000-0x0000000000A66000-memory.dmp

Filesize
600KB

Download
memory/2548-48-0x00000000009D0000-0x0000000000A66000-memory.dmp

Filesize
600KB

Download
memory/2548-54-0x00000000009D0000-0x0000000000A66000-memory.dmp

Filesize
600KB

Download
memory/2548-52-0x00000000009D0000-0x0000000000A66000-memory.dmp

Filesize
600KB

Download
memory/2548-51-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/4616-19-0x0000000000780000-0x0000000000804000-memory.dmp

Filesize
528KB

Download
memory/4616-46-0x0000000000780000-0x0000000000804000-memory.dmp

Filesize
528KB

Download
memory/4616-30-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4616-28-0x0000000000780000-0x0000000000804000-memory.dmp

Filesize
528KB

Download
memory/4616-16-0x0000000000780000-0x0000000000804000-memory.dmp

Filesize
528KB

Download
memory/4616-17-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads