urelas | 7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8

General

Target

7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe
Size

332KB
MD5

f6635ac29f607998a4c7725fd5eede20
SHA1

cc6eeea7c353e6010700722b37c7a77eb649ccfb
SHA256

7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8
SHA512

07f5074208431a97fe3844bc21c10e2ccfeb3ca480f9ed4076592715c8d64c01773129a26545585dad671b54f84b57c2b67a6708cfad05dc83353c3ec191d9af
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVr:vHW138/iXWlK885rKlGSekcj66ciEr

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	kiekj.exe

Executes dropped EXE 2 IoCs

pid	Process
3840	kiekj.exe
1260	utryd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiekj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utryd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe
1260	utryd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3840	4656	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe	89
PID 4656 wrote to memory of 3840	4656	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe	89
PID 4656 wrote to memory of 3840	4656	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe	89
PID 4656 wrote to memory of 1712	4656	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe	90
PID 4656 wrote to memory of 1712	4656	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe	90
PID 4656 wrote to memory of 1712	4656	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe	90
PID 3840 wrote to memory of 1260	3840	kiekj.exe	107
PID 3840 wrote to memory of 1260	3840	kiekj.exe	107
PID 3840 wrote to memory of 1260	3840	kiekj.exe	107

C:\Users\Admin\AppData\Local\Temp\7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe
"C:\Users\Admin\AppData\Local\Temp\7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\kiekj.exe
  "C:\Users\Admin\AppData\Local\Temp\kiekj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Users\Admin\AppData\Local\Temp\utryd.exe
    "C:\Users\Admin\AppData\Local\Temp\utryd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
20d0dde02cbbca0903749e4033bae8c5

SHA1
d19da8243bce36f392e29c56aa674b3f01b9fe2d

SHA256
c3c9fcbb0cf750025fb87e4492d8e7766d079096fed6bbbd1971ea202732a3e5

SHA512
0e2070fd38799a0b1d8524604599c22b28327712d18042dced09e41ee176c18bfa16152209ff73c7828149dd6865dffa0504f35c945dae44db6f2fc0b1be2619

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b7c084304f1e8135f674704e09576700

SHA1
2e119eef8542e2da57410b87259048e4ae2353c0

SHA256
69f51a546b0544cfa353a0753ed03b37b94488199a2abf6b12ca36fe41f15d25

SHA512
b031c83a4110cd8ed15a08122d3646236f1f62dde9fef7a0002b21e66615662ed5a074aab43e010d078aad6b090fe8188a0f30b1fd5794d41d8090c25319d7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiekj.exe

Filesize
332KB

MD5
91e1c1a1de5fa17d978e683e2c354143

SHA1
274926fec59be4c9fd01068059f865f835a05abb

SHA256
0a2b03b0b4fa309c28e81c450b2f774a7c1c9088e510a75c1288eb66a06c8587

SHA512
f735f5b4e5d885968077d0d619585104554431bb4dd746f14e6ed41fc5db46a105002c1f314e2b62e627f4e1d7ca395778a6bdf55581c0eee26f67abf231e524

Download Submit
C:\Users\Admin\AppData\Local\Temp\utryd.exe

Filesize
172KB

MD5
613a7546ff5cbd92a7c8bd31a8746457

SHA1
cabfa3fd30656918b79869d7b908dc26eede1253

SHA256
9aeec7621e1269cae46255de6865abb39570025eb5a7eac21def2ee1d9f10286

SHA512
65602312f25c188b242406adeb5254ce285aefd005b176d32b1bc4f2131c1a2ec27280e4961f17d85de7bc4be6332d046d0450903066d31db54f835f56c8526c

Download Submit
memory/1260-37-0x00000000003C0000-0x0000000000459000-memory.dmp

Filesize
612KB

Download
memory/1260-47-0x00000000003C0000-0x0000000000459000-memory.dmp

Filesize
612KB

Download
memory/1260-45-0x00000000003C0000-0x0000000000459000-memory.dmp

Filesize
612KB

Download
memory/1260-46-0x00000000009F0000-0x00000000009F2000-memory.dmp

Filesize
8KB

Download
memory/1260-39-0x00000000003C0000-0x0000000000459000-memory.dmp

Filesize
612KB

Download
memory/1260-38-0x00000000009F0000-0x00000000009F2000-memory.dmp

Filesize
8KB

Download
memory/3840-13-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/3840-20-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/3840-43-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/3840-14-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4656-17-0x0000000000460000-0x00000000004E1000-memory.dmp

Filesize
516KB

Download
memory/4656-0-0x0000000000460000-0x00000000004E1000-memory.dmp

Filesize
516KB

Download
memory/4656-1-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing