urelas | a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8

General

Target

a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe
Size

331KB
MD5

0b13ddcce57bf9df654cb55a64316040
SHA1

84e0c65017a393700e2fb8a987b556ea2bcccaaa
SHA256

a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8
SHA512

7f72e5cf8ec2c0ef3babbf4b666c426843f76196d98efe6b09412e7378c089c8fd5fbaa71573004bad018a255d62918fd38f184ac77f5198a8a3e43a2f8782e9
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYm:vHW138/iXWlK885rKlGSekcj66ciL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	byivd.exe

Executes dropped EXE 2 IoCs

pid	Process
5116	byivd.exe
3560	evrih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byivd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evrih.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe
3560	evrih.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 5116	1748	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe	90
PID 1748 wrote to memory of 5116	1748	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe	90
PID 1748 wrote to memory of 5116	1748	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe	90
PID 1748 wrote to memory of 3588	1748	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe	91
PID 1748 wrote to memory of 3588	1748	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe	91
PID 1748 wrote to memory of 3588	1748	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe	91
PID 5116 wrote to memory of 3560	5116	byivd.exe	110
PID 5116 wrote to memory of 3560	5116	byivd.exe	110
PID 5116 wrote to memory of 3560	5116	byivd.exe	110

C:\Users\Admin\AppData\Local\Temp\a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe
"C:\Users\Admin\AppData\Local\Temp\a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\byivd.exe
  "C:\Users\Admin\AppData\Local\Temp\byivd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\evrih.exe
    "C:\Users\Admin\AppData\Local\Temp\evrih.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
60e4d1fa0a5f55d23210decdc0f162a5

SHA1
a630e36890646fee7f3b15f5dacfd55c23c5f9d8

SHA256
e44239c7f1b3e778b0f68db156f50ce12ec49d2577f64e5074adb99cea3e2a92

SHA512
374c3ede5b309fbfbc54440d3b8b0d4d2099eaedab19aeb1789990d4584a01eb7d30adb955aedaa0ed52fe4e213884cc290a3dcf79fc234771994a1086179659

Download Submit
C:\Users\Admin\AppData\Local\Temp\byivd.exe

Filesize
331KB

MD5
9ecefeb034bc3568e4c50459c6e05bcc

SHA1
4fa1ba8998c51932806f3a5173784e01f1b0ac8b

SHA256
ad2267960294de11ee78895dbeb628b98e082782d2fbfa3e07512d937dff7674

SHA512
7f8ce14ddbcb3f1067b26754dc14a00888ad59116ff3576ff3587459d3688abf5d95438127d775b0851b9922807e589d5d1f7a1d6528ef0f05fa0263951b48cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\evrih.exe

Filesize
172KB

MD5
81a7c026994c63ab35efdc218a5fd264

SHA1
98bb97667ad7a2039d6e0200b6f9224412064d08

SHA256
90d2f3ecea439c85d58ccc02aebc68d7f4e9882e8ce9e16bd92b12707e2e4786

SHA512
f179bc6fc876b466fbae82e87b1547d7661351bebeb876b90b18d4bf1ccab707452137819d722e00e588e1052b9d92504fe819efd9804d3bf75d68d729eeafbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
08ea5ad34fcbbbd9ce6e06411832398a

SHA1
4edc6daa19275652bbfab04257eb434e86792deb

SHA256
c94f988fa9fb7366479ff973cf6a851106cb1c84441ff75311d467fb9bd0fa2c

SHA512
2f97a44bb8cbc66bcf2dc65307a5ea865730da66fa0182355f291e774ea21627ad89417ea9189b8ffc4695efb4d7ff4f3ff8a2377551a82090ae8daea5d1d697

Download Submit
memory/1748-1-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1748-0-0x0000000000F40000-0x0000000000FC1000-memory.dmp

Filesize
516KB

Download
memory/1748-17-0x0000000000F40000-0x0000000000FC1000-memory.dmp

Filesize
516KB

Download
memory/3560-41-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/3560-47-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/3560-46-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/3560-38-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/3560-42-0x0000000000CD0000-0x0000000000CD2000-memory.dmp

Filesize
8KB

Download
memory/5116-11-0x0000000000530000-0x00000000005B1000-memory.dmp

Filesize
516KB

Download
memory/5116-21-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/5116-44-0x0000000000530000-0x00000000005B1000-memory.dmp

Filesize
516KB

Download
memory/5116-20-0x0000000000530000-0x00000000005B1000-memory.dmp

Filesize
516KB

Download
memory/5116-14-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing