urelas | 92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7

General

Target

92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe
Size

324KB
MD5

af4a0a3252e92465547ee37416213f72
SHA1

4818e4540da9d7f10156192a6f0139ed8b1bdf0c
SHA256

92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7
SHA512

5ca773ae23ebdbeafd2e5e926e919d0d52451d77b93fb48a690f565603e0fc3ca7a44276296e1140b90dada664bc2a1004d511447d27464d37a558bb069e863e
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYv:vHW138/iXWlK885rKlGSekcj66cim

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exeynzyw.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	ynzyw.exe

Executes dropped EXE 2 IoCs

Processes:

ynzyw.exexuewu.exe

pid process

1492 ynzyw.exe
2108 xuewu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1492	ynzyw.exe
2108	xuewu.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exeynzyw.execmd.exexuewu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ynzyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xuewu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

xuewu.exe

pid	process
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe
2108	xuewu.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exeynzyw.exe

description	pid	process	target process
PID 4764 wrote to memory of 1492	4764	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe	ynzyw.exe
PID 4764 wrote to memory of 1492	4764	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe	ynzyw.exe
PID 4764 wrote to memory of 1492	4764	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe	ynzyw.exe
PID 4764 wrote to memory of 4952	4764	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe	cmd.exe
PID 4764 wrote to memory of 4952	4764	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe	cmd.exe
PID 4764 wrote to memory of 4952	4764	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe	cmd.exe
PID 1492 wrote to memory of 2108	1492	ynzyw.exe	xuewu.exe
PID 1492 wrote to memory of 2108	1492	ynzyw.exe	xuewu.exe
PID 1492 wrote to memory of 2108	1492	ynzyw.exe	xuewu.exe

C:\Users\Admin\AppData\Local\Temp\92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe
"C:\Users\Admin\AppData\Local\Temp\92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\ynzyw.exe
"C:\Users\Admin\AppData\Local\Temp\ynzyw.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\xuewu.exe
"C:\Users\Admin\AppData\Local\Temp\xuewu.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- System Location Discovery: System Language Discovery
PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
7b1968032ea98a7b0730c758d2d8c25a

SHA1
dddb106ddc8444ea4386745aceb0cbb6e11a6002

SHA256
8b7781c5aaf6ce44d1d2b53539365aa2a185e89ac33189dd452651157ed40402

SHA512
bfac538425702d252a18f0bbe05a8c1a5187d66950f8ae9ffed40608488c88c660a697c68bd0e547240b2bacd2ac58f1d9bccc809fa260692ff94d019d4174d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9b0cbcdd1336fa1a5a58b286131f05ab

SHA1
aa988a5ae10f4a718a8279d333ebd30e77e291e0

SHA256
dbfc0450dd1c0563861f8d1f05231dcc6cd4d7726931e05198d90f7e398b90c6

SHA512
6087ef0a28a3a8068e2f19744ae9b9a2faafbcacd900dad1d19a01040cc81c378edf93f7a83ef8ad64b187d7c836af037d74c30701e97fba2c8f61cf9c501148

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuewu.exe

Filesize
172KB

MD5
af3aed7b406c629fd4475ef711459e75

SHA1
f5909aa25e75653f9c3d72e7ad7712180c3bf097

SHA256
9710a9b158e1c27ceb14756c2facf01f1961f7875274e92fc56e7cc3494d435b

SHA512
c3514328819572c4ddb6d88ac56a3473300c056efeda87d07df564487404bfce6ce5ec466b3948e1b39ff90ecea865af4d41a23983239c8039cf1c7b31b74634

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynzyw.exe

Filesize
324KB

MD5
182ba22c8700222a8ee9136aa118bfee

SHA1
5cdf21c6d535827a92b06df4e0cd94ca37652867

SHA256
e85a6dedd9341eef6141731cdd2869aa0062abedbe1c375f6ccd38a4cd9bbea5

SHA512
c76027d9d4a82fc310c005ab960e7ca6e68c8438b02a65a411e4bbbb91d6f9af33fd3c71e458de59f763d9209ca832e84d907e2dd7d20fad0a2c46f3b6f239b6

Download Submit
memory/1492-21-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1492-38-0x0000000000A10000-0x0000000000A91000-memory.dmp

Filesize
516KB

Download
memory/1492-14-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1492-13-0x0000000000A10000-0x0000000000A91000-memory.dmp

Filesize
516KB

Download
memory/1492-19-0x0000000000A10000-0x0000000000A91000-memory.dmp

Filesize
516KB

Download
memory/2108-45-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/2108-39-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/2108-43-0x0000000001420000-0x0000000001422000-memory.dmp

Filesize
8KB

Download
memory/2108-42-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/2108-46-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/2108-47-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/2108-48-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/2108-49-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/4764-16-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/4764-1-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/4764-0-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads