urelas | 228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799

General

Target

228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe
Size

331KB
MD5

b2b46805c6d9040e35b03cbcc2291570
SHA1

1f8c09742e89bc1920b0996382875069a2699ed7
SHA256

228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799
SHA512

05b4587e1e080bafc8d6b1c5f373273e0601d9e73fcf20ad33c19721e1cee1b89b3ea57081e301adac512b9140a2ea3b088b4ccfa176ae627d0823e4b9413580
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVH:vHW138/iXWlK885rKlGSekcj66ciEH

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	iwujy.exe

Executes dropped EXE 2 IoCs

pid	Process
2064	iwujy.exe
4864	amxey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amxey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwujy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe
4864	amxey.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2064	1736	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	88
PID 1736 wrote to memory of 2064	1736	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	88
PID 1736 wrote to memory of 2064	1736	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	88
PID 1736 wrote to memory of 4912	1736	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	89
PID 1736 wrote to memory of 4912	1736	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	89
PID 1736 wrote to memory of 4912	1736	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	89
PID 2064 wrote to memory of 4864	2064	iwujy.exe	109
PID 2064 wrote to memory of 4864	2064	iwujy.exe	109
PID 2064 wrote to memory of 4864	2064	iwujy.exe	109

C:\Users\Admin\AppData\Local\Temp\228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe
"C:\Users\Admin\AppData\Local\Temp\228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\iwujy.exe
  "C:\Users\Admin\AppData\Local\Temp\iwujy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\amxey.exe
    "C:\Users\Admin\AppData\Local\Temp\amxey.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
321fde60b66c64c4701cb5b752f9d577

SHA1
217bdea5ccb5a394cf3da4f6147192343f9e6dbd

SHA256
4ebdee2fa534f770db37aca411d0ef97cd23540daf2f6fd39b4b73839571156a

SHA512
75036d7a7aac9e4a51335c3901ba5157701ba8f0b81264c050cecabb73185643cf6f71545d4683413b88fcd794d666805655251584c5aa89eac76cf6294c833e

Download Submit
C:\Users\Admin\AppData\Local\Temp\amxey.exe

Filesize
172KB

MD5
57db1bbb9bbbdbc16595f7d252b95c99

SHA1
915c983f5187b1771206d424f4c0cc5bf7e73919

SHA256
41e7c7c6b8de24c052dcf1149d9d15a399a46e695742fd4b1b46f55b2207accb

SHA512
ba9a6940ffb28d936df93b9897c8a304b0b7c5e16ae532f54c8f18f8cb65504cebf196c1eb4c9bf123c8a03992f1b842005a73ceb6ca2b13e434aa961e5125b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
20be9356894025334d381d507df89fca

SHA1
b747244421b6be0f2fe8f99eab2f1b56d3e3acb6

SHA256
fc52d69823f6e5f429a012fe46000f05d8367978fe4d1394b7d80a8d4a5dde5e

SHA512
07f0723071417a5ccf08e9d289ca987e4d4bfe3beebbea1ae8dd07fb78bd35987d1b014e59dcc37fa6e04830361a50d289f087ace1216626994c93829c50579a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwujy.exe

Filesize
331KB

MD5
f5d2579ed7519d357530a6cbad99a5e7

SHA1
93aab3385113708a9388ace76c10f717333b2c9d

SHA256
95ec6619dad9291d10ebc28916679be6aa4c040109f2cb4ede16aecae39c7eec

SHA512
46dc0fa564da133f6b3fefa10d2cefd75e7c9f4974fb075c3cd2a6308063e158ace4e45878ff3e77451adc32cc717f05d2b5ce4443ad671c13b55c39020785f2

Download Submit
memory/1736-1-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1736-0-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/1736-17-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/2064-20-0x00000000003C0000-0x0000000000441000-memory.dmp

Filesize
516KB

Download
memory/2064-14-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/2064-13-0x00000000003C0000-0x0000000000441000-memory.dmp

Filesize
516KB

Download
memory/2064-38-0x00000000003C0000-0x0000000000441000-memory.dmp

Filesize
516KB

Download
memory/4864-40-0x0000000000C70000-0x0000000000D09000-memory.dmp

Filesize
612KB

Download
memory/4864-39-0x0000000001430000-0x0000000001432000-memory.dmp

Filesize
8KB

Download
memory/4864-41-0x0000000000C70000-0x0000000000D09000-memory.dmp

Filesize
612KB

Download
memory/4864-45-0x0000000001430000-0x0000000001432000-memory.dmp

Filesize
8KB

Download
memory/4864-46-0x0000000000C70000-0x0000000000D09000-memory.dmp

Filesize
612KB

Download
memory/4864-47-0x0000000000C70000-0x0000000000D09000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing