urelas | 479d193465d6df9bb0f06094ac1c36da22a5d0e4cb76c227016892a35a426c7c

General

Target

479d193465d6df9bb0f06094ac1c36da22a5d0e4cb76c227016892a35a426c7cN.exe
Size

326KB
MD5

129390665d14fd3e3d11af199949d940
SHA1

cddaddaaefa6fc59011ea5bd4b5088c89059bd50
SHA256

479d193465d6df9bb0f06094ac1c36da22a5d0e4cb76c227016892a35a426c7c
SHA512

195dd17d7755a02a0614362f82b4c73fba38260ec145bd11b911d940944c6fef6502c84a6108876fdd5e8b87029d593fcca4a4d66ff32b0c7cf4b7ce0212d493
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOh:vHW138/iXWlK885rKlGSekcj66ciO

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	479d193465d6df9bb0f06094ac1c36da22a5d0e4cb76c227016892a35a426c7cN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	vipuf.exe

Executes dropped EXE 2 IoCs

pid	Process
1116	vipuf.exe
1452	xymij.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	479d193465d6df9bb0f06094ac1c36da22a5d0e4cb76c227016892a35a426c7cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vipuf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xymij.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe
1452	xymij.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 1116	3916	479d193465d6df9bb0f06094ac1c36da22a5d0e4cb76c227016892a35a426c7cN.exe	82
PID 3916 wrote to memory of 1116	3916	479d193465d6df9bb0f06094ac1c36da22a5d0e4cb76c227016892a35a426c7cN.exe	82
PID 3916 wrote to memory of 1116	3916	479d193465d6df9bb0f06094ac1c36da22a5d0e4cb76c227016892a35a426c7cN.exe	82
PID 3916 wrote to memory of 924	3916	479d193465d6df9bb0f06094ac1c36da22a5d0e4cb76c227016892a35a426c7cN.exe	83
PID 3916 wrote to memory of 924	3916	479d193465d6df9bb0f06094ac1c36da22a5d0e4cb76c227016892a35a426c7cN.exe	83
PID 3916 wrote to memory of 924	3916	479d193465d6df9bb0f06094ac1c36da22a5d0e4cb76c227016892a35a426c7cN.exe	83
PID 1116 wrote to memory of 1452	1116	vipuf.exe	94
PID 1116 wrote to memory of 1452	1116	vipuf.exe	94
PID 1116 wrote to memory of 1452	1116	vipuf.exe	94

C:\Users\Admin\AppData\Local\Temp\479d193465d6df9bb0f06094ac1c36da22a5d0e4cb76c227016892a35a426c7cN.exe
"C:\Users\Admin\AppData\Local\Temp\479d193465d6df9bb0f06094ac1c36da22a5d0e4cb76c227016892a35a426c7cN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\vipuf.exe
  "C:\Users\Admin\AppData\Local\Temp\vipuf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Local\Temp\xymij.exe
    "C:\Users\Admin\AppData\Local\Temp\xymij.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
35a9cfcd95887eb18fd3473459e2f031

SHA1
acda5d61743d854de1fd96d907df70e34544df9d

SHA256
a4090c4e1c13c879430394b60c656143db2c0b77a36a534ade54b34f2d049394

SHA512
6180f7b96c80469c38c5532f1be7f0c49fd54c348c65c5851b66fc97973f5680bd8ead52aba66398152c4f14c9b189edb14f41559e12d706ff00bab391ddfe40

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
88e8378ebf7cbb1f9e560848ef2fb649

SHA1
d5ae42f35ff0d58beb1e330f9bbf3b4e347b1c56

SHA256
90be090031d5ad6af452c9bb186250758071453bf78bcc908b52969f8a5753e1

SHA512
4b0ee9f84accab43090acb590653e9180af61dd64c4ea33c4ad089d8d0affc16f3c2f374733463c3706497eb433c25779e15bb905ca760c77cb287cbf600fb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vipuf.exe

Filesize
326KB

MD5
2544f58d618684097513ed64fc41f279

SHA1
f9cbf9278ddc2059be5409ebaae6b6de3b65b2f0

SHA256
d37c0da5a2cf701d7891c162539c76a7d08ec5dba11925bf5161c740202ae51c

SHA512
1b16aa8f55a959be8a4b346ece5f74e1eff2624912af87934bcd2a852daa02c1f2c85b4520bb74623d046822510a176b721341530773da5743caa1ec44f249a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xymij.exe

Filesize
172KB

MD5
10579d963a81e89f7fe140e9e1d721b9

SHA1
4137b6389146c16054ba6a99deb175ca6cd969a0

SHA256
e17dd77f0122e06c2027cfcc38ebe65fed08c2f56b115758b0140ffb8552e483

SHA512
c54692e5bec46c3fe830a6fa1013e1ab0f10c57cf8757114930c3e454b7820454494964e4b27d08705eeb2f9f369b237d3b99b8af2aecc831b613bf5a45b069a

Download Submit
memory/1116-19-0x0000000000360000-0x00000000003E1000-memory.dmp

Filesize
516KB

Download
memory/1116-14-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/1116-11-0x0000000000360000-0x00000000003E1000-memory.dmp

Filesize
516KB

Download
memory/1116-20-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/1116-43-0x0000000000360000-0x00000000003E1000-memory.dmp

Filesize
516KB

Download
memory/1452-37-0x0000000000940000-0x00000000009D9000-memory.dmp

Filesize
612KB

Download
memory/1452-41-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1452-38-0x0000000000940000-0x00000000009D9000-memory.dmp

Filesize
612KB

Download
memory/1452-45-0x0000000000940000-0x00000000009D9000-memory.dmp

Filesize
612KB

Download
memory/1452-46-0x0000000000940000-0x00000000009D9000-memory.dmp

Filesize
612KB

Download
memory/3916-16-0x00000000007E0000-0x0000000000861000-memory.dmp

Filesize
516KB

Download
memory/3916-0-0x00000000007E0000-0x0000000000861000-memory.dmp

Filesize
516KB

Download
memory/3916-1-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing