urelas | 54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84ea

General

Target

54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe
Size

330KB
MD5

4f6be11ae13e3a9613b104c6dae342e0
SHA1

b7bb12bdbc37e6d802686bbac6cbd436d7839f9b
SHA256

54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84ea
SHA512

1623449d81a95a88ea263b8fc54118820d80ff1729c97c3c16bb32044947ca37d6263dcb5a800e39f7b3205cf18316da7d18efbdc6edf1d9ce3a737d7e524222
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVv:vHW138/iXWlK885rKlGSekcj66ciEv

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wejue.exe

Executes dropped EXE 2 IoCs

pid	Process
820	wejue.exe
2652	lixeg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wejue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lixeg.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe
2652	lixeg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 820	4156	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe	88
PID 4156 wrote to memory of 820	4156	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe	88
PID 4156 wrote to memory of 820	4156	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe	88
PID 4156 wrote to memory of 2368	4156	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe	89
PID 4156 wrote to memory of 2368	4156	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe	89
PID 4156 wrote to memory of 2368	4156	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe	89
PID 820 wrote to memory of 2652	820	wejue.exe	102
PID 820 wrote to memory of 2652	820	wejue.exe	102
PID 820 wrote to memory of 2652	820	wejue.exe	102

C:\Users\Admin\AppData\Local\Temp\54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe
"C:\Users\Admin\AppData\Local\Temp\54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Users\Admin\AppData\Local\Temp\wejue.exe
  "C:\Users\Admin\AppData\Local\Temp\wejue.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\lixeg.exe
    "C:\Users\Admin\AppData\Local\Temp\lixeg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
05fb45d548ecb23a5bc83825c4768451

SHA1
c63d2075e4a40fcb431dd3acafc0b6d77284a2ff

SHA256
3a70d5b52330e2459ca84d5a7c3627ae1874ee43bcc4500032062bfc349b4ad1

SHA512
053388d4091a36b0e1c9a867a54c7f25dcd7d7ec021350aae2270eb3e7feca71a156b88acd78846a2bcdad34884c29df824c6156a28a00d1de0522b8709fdd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f2e14aeb76877882fee1df62f9b228bc

SHA1
f631f6bf6e74a414832b9e636c22e8e6ccae8ca8

SHA256
4de9316459916abe9b0759dcf002d0e99154db45081794bd33d2dbc9dc61bc2c

SHA512
4bea225ea1716b83cc71ecd90d082da0e5078591adebab6eb05ada84e1ae893b379439ebc4562910b1ace442167b282b486ee1568f477b9899d6b98c61b6c37e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lixeg.exe

Filesize
172KB

MD5
54ffdb27abaf7a8fef97aeb3e5e17614

SHA1
1d0c52f1b857408b54f49c1e3c89d4d93f35ab5f

SHA256
2c13501e813f9f512af84926b3b7bab6310ccda0024183280ac2251af0648b02

SHA512
6dd7fb4240fca1ea2ce6635e05b84dc35d7ad1606621112526b7f6d7868f93f16a3343cbfa218f2554005405583ff5458bd2fc0a8eaf9985944d0ea1c7dc69e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wejue.exe

Filesize
330KB

MD5
1fc881546e1049f6a3bd2809d0d3f8ac

SHA1
c610ef7bc00e8b7229a39f2376a6937a4c8bdf63

SHA256
9bfc49649b126d8bb910b050a1f00b60ee1814946a62999d7bf9b2969889b0dd

SHA512
2e2ad5a8ab157c2795ccede03e72a46c667abe292798d71fb0c10cf39b76c10c2dd965fd499c1d9321321c2bc9dedae46a85af74eba090c6ce9c377fe130915e

Download Submit
memory/820-20-0x0000000000140000-0x00000000001C1000-memory.dmp

Filesize
516KB

Download
memory/820-21-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/820-11-0x0000000000140000-0x00000000001C1000-memory.dmp

Filesize
516KB

Download
memory/820-14-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/820-39-0x0000000000140000-0x00000000001C1000-memory.dmp

Filesize
516KB

Download
memory/2652-41-0x0000000000660000-0x00000000006F9000-memory.dmp

Filesize
612KB

Download
memory/2652-40-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/2652-42-0x0000000000660000-0x00000000006F9000-memory.dmp

Filesize
612KB

Download
memory/2652-46-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/2652-47-0x0000000000660000-0x00000000006F9000-memory.dmp

Filesize
612KB

Download
memory/2652-48-0x0000000000660000-0x00000000006F9000-memory.dmp

Filesize
612KB

Download
memory/4156-1-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4156-17-0x0000000000C20000-0x0000000000CA1000-memory.dmp

Filesize
516KB

Download
memory/4156-0-0x0000000000C20000-0x0000000000CA1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing