urelas | 3bd79093695ed9b423140464a9425194967adc2461ee9e7ae0d8e54eafbb36d5

General

Target

9ffab46b35109fa933a6cfa9bf29f2d0N.exe
Size

442KB
MD5

9ffab46b35109fa933a6cfa9bf29f2d0
SHA1

db0dff43c5a01aed1b41a52d0c4d120f95c2997a
SHA256

3bd79093695ed9b423140464a9425194967adc2461ee9e7ae0d8e54eafbb36d5
SHA512

293fa82c84a11cca4738e3460caf5576352ff4eef8595f129fc7b5120ac4b22a01d97f4c7aa8266a93318fcd1f2111ab202379279fab1e267c5621fa7b09db74
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGM1G:rKf1PyKa2H3hOHOHz9JQ6zByG

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	9ffab46b35109fa933a6cfa9bf29f2d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	ilnyh.exe

Executes dropped EXE 2 IoCs

pid	Process
4908	ilnyh.exe
2288	butod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilnyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ffab46b35109fa933a6cfa9bf29f2d0N.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe
2288	butod.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 4908	3172	9ffab46b35109fa933a6cfa9bf29f2d0N.exe	89
PID 3172 wrote to memory of 4908	3172	9ffab46b35109fa933a6cfa9bf29f2d0N.exe	89
PID 3172 wrote to memory of 4908	3172	9ffab46b35109fa933a6cfa9bf29f2d0N.exe	89
PID 3172 wrote to memory of 4492	3172	9ffab46b35109fa933a6cfa9bf29f2d0N.exe	90
PID 3172 wrote to memory of 4492	3172	9ffab46b35109fa933a6cfa9bf29f2d0N.exe	90
PID 3172 wrote to memory of 4492	3172	9ffab46b35109fa933a6cfa9bf29f2d0N.exe	90
PID 4908 wrote to memory of 2288	4908	ilnyh.exe	99
PID 4908 wrote to memory of 2288	4908	ilnyh.exe	99
PID 4908 wrote to memory of 2288	4908	ilnyh.exe	99

C:\Users\Admin\AppData\Local\Temp\9ffab46b35109fa933a6cfa9bf29f2d0N.exe
"C:\Users\Admin\AppData\Local\Temp\9ffab46b35109fa933a6cfa9bf29f2d0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\ilnyh.exe
  "C:\Users\Admin\AppData\Local\Temp\ilnyh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\butod.exe
    "C:\Users\Admin\AppData\Local\Temp\butod.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
278B

MD5
318893326a4fa22cd5d08e00af699f27

SHA1
9cb06c85a3b49a6e777271784ce9c5e37c903320

SHA256
b424291265c436ef95fa4a973b4e987ab42417712c64ee09fc74d4f7d35d0e17

SHA512
5dcb0a24e40b05a277cfc94f5c28202bee6819a7d5dfc9ed777c55ee70a777e46ebe113eed8d6ce50a518ff152d5f554cd5c54ef7a864a5908898919c76c4183

Download Submit
C:\Users\Admin\AppData\Local\Temp\butod.exe

Filesize
230KB

MD5
fe26f5067572fa1ccf064c7bdce37df2

SHA1
9aa05ff1ae06d121e5e0affa641c86d88e727003

SHA256
d5a928e581731615f02f1fd9bfce5818557dafff8de8e34f47ab2f4ef1511a23

SHA512
657d768a74fa77e184ccc02c50c43fbf15f0fc230800f01501d603382429cc8e1fc352005556540842de12ff7af03e764da0ea577430e7181ed113410f0d0c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2710dc02ec64081eab30813b6922c2cd

SHA1
bbecd8bbd58d7654db0d8b9f984ea9ce63e179ea

SHA256
adde0e40d265f8ebc80120f566cf4904e94355be2409b324e93cdd4f972b8498

SHA512
b7a0dc814cae66439ced73987a173f661d8351095a7b6b0cc13ff8f5fc3651fd0a28f144bc6af0859995475803b51ed4baa8b6f73eea394536673f464e7d24b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ilnyh.exe

Filesize
442KB

MD5
d7719c6edc10aa00a4ef78e622a5c77b

SHA1
fa7b9c6acfae0d77d8ca232a0216bcbc7c3a2f91

SHA256
35317b99623a6713c8d5c2a5343edc7caff9dddf5680d4b2d0767cbd116ef45b

SHA512
c37eebce0045541ff771b6a1d19541ff35a0b5c4382bf29e2e2974a9623e6d3cc12402a9d82c8a8249e79375bc22ac7d45da26c865045d9091647c7713fdc6e6

Download Submit
memory/2288-26-0x0000000000870000-0x000000000090E000-memory.dmp

Filesize
632KB

Download
memory/2288-32-0x0000000000870000-0x000000000090E000-memory.dmp

Filesize
632KB

Download
memory/2288-30-0x0000000000870000-0x000000000090E000-memory.dmp

Filesize
632KB

Download
memory/2288-31-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2288-27-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/3172-14-0x0000000000FC0000-0x000000000102E000-memory.dmp

Filesize
440KB

Download
memory/3172-0-0x0000000000FC0000-0x000000000102E000-memory.dmp

Filesize
440KB

Download
memory/4908-28-0x00000000009A0000-0x0000000000A0E000-memory.dmp

Filesize
440KB

Download
memory/4908-17-0x00000000009A0000-0x0000000000A0E000-memory.dmp

Filesize
440KB

Download
memory/4908-11-0x00000000009A0000-0x0000000000A0E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing