urelas | 4b0620b163ac8c4eb124260f76eb836bf74c09ccd2277b9927e99ec912692e71

General

Target

086b06235d1e7cbb4563d11e5319b500N.exe
Size

327KB
MD5

086b06235d1e7cbb4563d11e5319b500
SHA1

d92e11e008cddba1211dda28b1935706c8cd4306
SHA256

4b0620b163ac8c4eb124260f76eb836bf74c09ccd2277b9927e99ec912692e71
SHA512

5b946d7e4c1a5b6ac4538b7d793c8777b5c2a72c5d4dabac4d5ebdfe9a32afe469fff678f2fde9407f1cb47fed50350bdc2dc115f98963c7dc6d31f60e66e67f
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY1:vHW138/iXWlK885rKlGSekcj66cio

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	086b06235d1e7cbb4563d11e5319b500N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	afuhb.exe

Executes dropped EXE 2 IoCs

pid	Process
968	afuhb.exe
4396	ramyo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	086b06235d1e7cbb4563d11e5319b500N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afuhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ramyo.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe
4396	ramyo.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 968	4992	086b06235d1e7cbb4563d11e5319b500N.exe	90
PID 4992 wrote to memory of 968	4992	086b06235d1e7cbb4563d11e5319b500N.exe	90
PID 4992 wrote to memory of 968	4992	086b06235d1e7cbb4563d11e5319b500N.exe	90
PID 4992 wrote to memory of 3552	4992	086b06235d1e7cbb4563d11e5319b500N.exe	91
PID 4992 wrote to memory of 3552	4992	086b06235d1e7cbb4563d11e5319b500N.exe	91
PID 4992 wrote to memory of 3552	4992	086b06235d1e7cbb4563d11e5319b500N.exe	91
PID 968 wrote to memory of 4396	968	afuhb.exe	102
PID 968 wrote to memory of 4396	968	afuhb.exe	102
PID 968 wrote to memory of 4396	968	afuhb.exe	102

C:\Users\Admin\AppData\Local\Temp\086b06235d1e7cbb4563d11e5319b500N.exe
"C:\Users\Admin\AppData\Local\Temp\086b06235d1e7cbb4563d11e5319b500N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\afuhb.exe
  "C:\Users\Admin\AppData\Local\Temp\afuhb.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Users\Admin\AppData\Local\Temp\ramyo.exe
    "C:\Users\Admin\AppData\Local\Temp\ramyo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
278B

MD5
f4a8962eb7aff836af99765a73bdcad0

SHA1
91be3ac7ba25e8ca7adf3a2111e9e52b454907aa

SHA256
c8b095311676605f71b343745ea222b4b30fc4727066ad0190c29497e826e9cd

SHA512
4e64dbb73eb111b2a764bfa4a0ba724e55567bbb73e6e9e9fe088aff602282a885284c29c3f3d7557cd47230c390796e856bb38950d4edc9c00639318b83c388

Download Submit
C:\Users\Admin\AppData\Local\Temp\afuhb.exe

Filesize
328KB

MD5
1d357ee263c4d6b0aa9d85b1f9b448ab

SHA1
ab3c9b4eb3b868bcb0900a65b695a5dea31617b4

SHA256
a612c52359a15244116f9dc7e3262ca7428356242ef287d2ee84f7dfeb946665

SHA512
6ec860562cd249f1c2f005857f862fd4812feebc114d735768166ae33f10340d309d466e2a321d11f483bbf09a0648fb760a02894ee59392901209d8485fb91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c2ecfb34df05e2218e0867d321a0e5af

SHA1
5bbb7eb67c6fae7d07db0cda2f6c0fa3da2463f7

SHA256
5ddd962d871a4674d16095f8e0d8cb424f3f157e96f34b41a55daf87f889ea11

SHA512
02f6e8d7cf878187c421ce66eef8ddc1d86774aac674901d93d3dc72898ad6dad8c7c090d3c7bd1a5a1333579fb8c0b265449a7b2bd44e042ba063379a3d63be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ramyo.exe

Filesize
172KB

MD5
18620091c8e52857a5f10ff043c2a64a

SHA1
acbcac426a5634f466bc99a4893025bbf774f8fa

SHA256
78de595653ccc5f38fdca4227dd5ba745a36f21ddcda083ce26210d08f8754c3

SHA512
c2ebd92a7dc8d1f0f7f7db50be7087d38a2f958c4b24bba5eb986928343a0034ccdbad41bf34b346ad2abb67c5b74c5a387b5c01c36aff5f030ae68d776915a5

Download Submit
memory/968-20-0x0000000000A40000-0x0000000000AC1000-memory.dmp

Filesize
516KB

Download
memory/968-21-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/968-14-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/968-11-0x0000000000A40000-0x0000000000AC1000-memory.dmp

Filesize
516KB

Download
memory/968-41-0x0000000000A40000-0x0000000000AC1000-memory.dmp

Filesize
516KB

Download
memory/4396-39-0x0000000000A80000-0x0000000000A82000-memory.dmp

Filesize
8KB

Download
memory/4396-38-0x0000000000560000-0x00000000005F9000-memory.dmp

Filesize
612KB

Download
memory/4396-42-0x0000000000560000-0x00000000005F9000-memory.dmp

Filesize
612KB

Download
memory/4396-46-0x0000000000A80000-0x0000000000A82000-memory.dmp

Filesize
8KB

Download
memory/4396-47-0x0000000000560000-0x00000000005F9000-memory.dmp

Filesize
612KB

Download
memory/4396-48-0x0000000000560000-0x00000000005F9000-memory.dmp

Filesize
612KB

Download
memory/4992-1-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/4992-17-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download
memory/4992-0-0x0000000000080000-0x0000000000101000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing