urelas | 7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192

General

Target

7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe
Size

332KB
MD5

13992396b49c6e96678bffe09a3b8cb0
SHA1

49a6b856d8be5ed9e7e5835545a640f559f5b114
SHA256

7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192
SHA512

5f38620cf2f423eb73b2aa323ae82c7ca51903f9456f5a2994a5960db7ce5cbebe5c89de9c3f4285487ccb0b872b7724a42a4189da5240624418831458f61f30
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYU:vHW138/iXWlK885rKlGSekcj66ciB

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exeluorp.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	luorp.exe

Executes dropped EXE 2 IoCs

Processes:

luorp.exeywepg.exe

pid	Process
5092	luorp.exe
844	ywepg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exeluorp.execmd.exeywepg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luorp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywepg.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

ywepg.exe

pid	Process
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe
844	ywepg.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exeluorp.exe

description	pid	Process	procid_target
PID 632 wrote to memory of 5092	632	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe	87
PID 632 wrote to memory of 5092	632	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe	87
PID 632 wrote to memory of 5092	632	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe	87
PID 632 wrote to memory of 2788	632	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe	88
PID 632 wrote to memory of 2788	632	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe	88
PID 632 wrote to memory of 2788	632	7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe	88
PID 5092 wrote to memory of 844	5092	luorp.exe	112
PID 5092 wrote to memory of 844	5092	luorp.exe	112
PID 5092 wrote to memory of 844	5092	luorp.exe	112

C:\Users\Admin\AppData\Local\Temp\7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe
"C:\Users\Admin\AppData\Local\Temp\7be73d7c24505fcd9e20d4b1cf83d24cc5036cc0fb25fc2dd15feffb4d05e192N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\luorp.exe
  "C:\Users\Admin\AppData\Local\Temp\luorp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\ywepg.exe
    "C:\Users\Admin\AppData\Local\Temp\ywepg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
72cf3be34e2def38ded4e5de41ad1c36

SHA1
b05f8a4e1443014527616972c605afad11326bea

SHA256
8d17bab488d97db4cd55ffb3b62deb5eaed6dca58dfa797ba2c43bd734dbd725

SHA512
e5fb259d814a1b4bcbbc833a27e439c5346b9aa084758be38097e3a9abbeb0676bb11ca912b398633a43e11b34ec802b2c930d8f9f5eed30d1305b4131706da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a5f70d6bbddbe8338f8ea4f5b81bdb0c

SHA1
09710ba8a32f305c357ceafd295274a901dd7c4b

SHA256
97d8f155c1ca22a635fa62caa0ebe42b838c35e48ff010c99ce8a4e83e9bdd91

SHA512
40da3a0edfa073e13e969c4a73ed6ac92992bb7c5e77dccce111b20ba9e6bcb16a36deb70424be2f33b23dfb1e1d1d3804c9cdba066364aef336cd3cd522985c

Download Submit
C:\Users\Admin\AppData\Local\Temp\luorp.exe

Filesize
332KB

MD5
f80404bd3bc14039b0bc6fe8c8307585

SHA1
0d9d70267aa6c3f8fef6f73d4d9cc120eb84bf5c

SHA256
19409ea4b361dad5839394efbedc47860f66a9883028d50eb49283e473db5eb5

SHA512
e6532eec56ffd475da0f9985f63ee27c1035fb9ea94bf8533aa052e5f879bb852cd95a35e0cc08584490e75325ce4590b2f77ab2310f4957858845f3361b681d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywepg.exe

Filesize
172KB

MD5
21a9a3e4c1fbcdc8c7b31916c41d822c

SHA1
ddad1b0ac7d517a1fcdcbfe27ade07231050abb8

SHA256
30d2ec130676e97d36ac409515ebc4f421a4fe6f5eb9e7ce76dd4f2ec3cd2a44

SHA512
ec64d3ed2ffabf78def1408df9856f2fa2796a50f8a4e520475c82dcd62142168b97a7381208760db4c23a15d311f978cc140aa226e67341bbb8025ed7e63697

Download Submit
memory/632-1-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/632-0-0x0000000000DD0000-0x0000000000E51000-memory.dmp

Filesize
516KB

Download
memory/632-17-0x0000000000DD0000-0x0000000000E51000-memory.dmp

Filesize
516KB

Download
memory/844-48-0x0000000000570000-0x0000000000609000-memory.dmp

Filesize
612KB

Download
memory/844-47-0x0000000000E60000-0x0000000000E62000-memory.dmp

Filesize
8KB

Download
memory/844-46-0x0000000000570000-0x0000000000609000-memory.dmp

Filesize
612KB

Download
memory/844-41-0x0000000000E60000-0x0000000000E62000-memory.dmp

Filesize
8KB

Download
memory/844-38-0x0000000000570000-0x0000000000609000-memory.dmp

Filesize
612KB

Download
memory/844-42-0x0000000000570000-0x0000000000609000-memory.dmp

Filesize
612KB

Download
memory/5092-20-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/5092-39-0x0000000000E70000-0x0000000000EF1000-memory.dmp

Filesize
516KB

Download
memory/5092-21-0x0000000000E70000-0x0000000000EF1000-memory.dmp

Filesize
516KB

Download
memory/5092-13-0x0000000000E70000-0x0000000000EF1000-memory.dmp

Filesize
516KB

Download
memory/5092-14-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads