urelas | a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0

General

Target

a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe
Size

502KB
MD5

9b0762cfc36bfab032fdf7ebe971e480
SHA1

a39b8e59f5059c6c04b7b2b9cc1927661fc0a121
SHA256

a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0
SHA512

bbc16743f617315be934094b2d1854a11e92f55f7294c7d361d5f41fdfdadf015c64f60e5df73fc81a90e9ec5d0e3294532290f0633317a853c57d43ebb6edc0
SSDEEP

12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKoC:3MUv2LAv9AQ1p4dKP

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	nuuzx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3732	nuuzx.exe
4820	tipyr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tipyr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nuuzx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe
4820	tipyr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 3732	1040	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe	90
PID 1040 wrote to memory of 3732	1040	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe	90
PID 1040 wrote to memory of 3732	1040	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe	90
PID 1040 wrote to memory of 4176	1040	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe	91
PID 1040 wrote to memory of 4176	1040	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe	91
PID 1040 wrote to memory of 4176	1040	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe	91
PID 3732 wrote to memory of 4820	3732	nuuzx.exe	102
PID 3732 wrote to memory of 4820	3732	nuuzx.exe	102
PID 3732 wrote to memory of 4820	3732	nuuzx.exe	102

C:\Users\Admin\AppData\Local\Temp\a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe
"C:\Users\Admin\AppData\Local\Temp\a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Local\Temp\nuuzx.exe
  "C:\Users\Admin\AppData\Local\Temp\nuuzx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Users\Admin\AppData\Local\Temp\tipyr.exe
    "C:\Users\Admin\AppData\Local\Temp\tipyr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
2d9cefcc6021fab615327aead9ab32a5

SHA1
4d5a1074d47da995d42065a49c66cc7d238e5a59

SHA256
e3ff6398f0f769e9bb58672c6a5e0157344157be802ec7d240672e40b74f5af1

SHA512
0eaf38f58ce0ea0d0ec29c7089fa3de87a8f203df0fd32ab376192deac226cd704d6d570b9f31c95a28720594c0148133f8ca75fd197dc4845c5c2f74867a7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
29351c017c3fb988fda42d94b6260a33

SHA1
b7cd2e78f97396205d4fe1ff903e533aad0a9e7b

SHA256
73193f501f346051a38c392a31696e4ed85f38d8f81a29bf4af1a56f8b67f443

SHA512
c683a36623ed403d66bec07dfee7526bb10156cd0a814e1d0fbf976ef76c4de315cea382c9b40f4489b1ea4f7a649e8624a733d01dea268fdc27d61848e99f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuuzx.exe

Filesize
502KB

MD5
71fbdd3f5c8ce2a4e1b99f3fdc01f76c

SHA1
b4131d7dbd1428b76517f6862079c1dc3d8bd85e

SHA256
1d28894d662c5b79c0e730a322f4e44715ed86849f8eb5f566e59bd1777d23c4

SHA512
d09ab504ed16702087e2f9405f8286e950f73f51072b34aa2671eb4f5757d859367eb608a5b47d8482d08cbc0312265114cd122ba3e97adf705b0348c83da4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tipyr.exe

Filesize
172KB

MD5
a77fa8bb8b157a843e898a58a3b69128

SHA1
f1308989b9fdf933e1c191f903ed3ced3ffa50d8

SHA256
903b7129357eee5a4eefbd799fc478c51bf1c53433579630dbab204f5be16f9c

SHA512
2153f5c5f532f49070027e3d3c8c56691c0ff472e7c3f078c58613a7a022c17c51886f9c42ce3c19242dc824315213b870f864f3aa23e7966794a79c3a601803

Download Submit
memory/1040-0-0x0000000000AB0000-0x0000000000B31000-memory.dmp

Filesize
516KB

Download
memory/1040-14-0x0000000000AB0000-0x0000000000B31000-memory.dmp

Filesize
516KB

Download
memory/3732-17-0x00000000002A0000-0x0000000000321000-memory.dmp

Filesize
516KB

Download
memory/3732-10-0x00000000002A0000-0x0000000000321000-memory.dmp

Filesize
516KB

Download
memory/3732-27-0x00000000002A0000-0x0000000000321000-memory.dmp

Filesize
516KB

Download
memory/4820-25-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/4820-28-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/4820-31-0x0000000000D80000-0x0000000000D82000-memory.dmp

Filesize
8KB

Download
memory/4820-33-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/4820-34-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing