urelas | c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009e

General

Target

c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe
Size

332KB
MD5

3735c64c1f391aa92b9d9575339510b0
SHA1

dd49e6ed58abb9e09cccc264f8a26d62ec41d901
SHA256

c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009e
SHA512

ce4a0dc11e5fb7b9a0324b32d7f9501afd1d16c39fda1a5e8c7fd423ff0e7ebdfd8b313670ebfc92c0f7903f4d23e07bf4d7b2c92bc7a143dd68825d758dd1ff
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVr:vHW138/iXWlK885rKlGSekcj66ciEr

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exefawio.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fawio.exe

Executes dropped EXE 2 IoCs

Processes:

fawio.exepypex.exe

pid	Process
4648	fawio.exe
3428	pypex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exefawio.execmd.exepypex.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fawio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pypex.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

pypex.exe

pid	Process
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe
3428	pypex.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exefawio.exe

description	pid	Process	procid_target
PID 4396 wrote to memory of 4648	4396	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe	89
PID 4396 wrote to memory of 4648	4396	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe	89
PID 4396 wrote to memory of 4648	4396	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe	89
PID 4396 wrote to memory of 2476	4396	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe	90
PID 4396 wrote to memory of 2476	4396	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe	90
PID 4396 wrote to memory of 2476	4396	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe	90
PID 4648 wrote to memory of 3428	4648	fawio.exe	103
PID 4648 wrote to memory of 3428	4648	fawio.exe	103
PID 4648 wrote to memory of 3428	4648	fawio.exe	103

C:\Users\Admin\AppData\Local\Temp\c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe
"C:\Users\Admin\AppData\Local\Temp\c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Local\Temp\fawio.exe
  "C:\Users\Admin\AppData\Local\Temp\fawio.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\pypex.exe
    "C:\Users\Admin\AppData\Local\Temp\pypex.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f5223b7c0aee190f7ced0dac4721abb1

SHA1
f1af6f4ec51f92ef6ccb99218ac23fc90430d1a1

SHA256
d82074d4f1961799821738b774a7ffe97b2b44de26e2ee9837c87416afe0dc54

SHA512
8373880892aefd5835decc1dae239129827e420c45cd7d5d6c7f5ce66999a3f211b218b94d3c0b5cfb4c57ef7bb395560a1669bf2c40a75ecd76f37a70872264

Download Submit
C:\Users\Admin\AppData\Local\Temp\fawio.exe

Filesize
332KB

MD5
1c91d0bfa70d11fb339283ee18e09645

SHA1
bb4b88ab5c3ed95919e5e9fd61655be77f52f911

SHA256
1e14764a3323b866ff4bf3dc29a69aa8d3e92dc202ff54f76c485d9f64bcb0a9

SHA512
338512478f6b54f170917314e230a3d618c05dd822cb555975f4527d1191ca1ff3fbc1a14de6006d01f1587cc37fefb89e88a11dfb8c94ec4e7443a99f1ba9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ccc3e84030f3006412d7360c1823c22c

SHA1
2bad1267cd9a0f552ae24171b94a842cb84baed0

SHA256
67a7fafe116b68f110a7ba4df8e6cdb89f8e2ca19abf3a31c5cf851040ce612a

SHA512
601e604b6595e2578a1004709fb08dc367b819ebf288116b37f026eeb23dfec812de931cf48247f4a7f08094c022e35759d39eaea6737948859c39962f59f97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pypex.exe

Filesize
172KB

MD5
124b1c84ba46e8107af377c9aded9c61

SHA1
83d3b946215b0369898657db1280f3cf4be1e5ce

SHA256
5eee15e1150de7bb77b681e19ef22e91f5e93ad7a97289fb60c1941f49d75409

SHA512
76da946ad880ac37b047562eced7ffe3616e01841bacb0978dd4825bde8ce6d5df50f298d25778e56487e6102bde43449efa7af039a1464a68fe2db653a0bd88

Download Submit
memory/3428-47-0x00000000003F0000-0x0000000000489000-memory.dmp

Filesize
612KB

Download
memory/3428-46-0x00000000003F0000-0x0000000000489000-memory.dmp

Filesize
612KB

Download
memory/3428-41-0x00000000003F0000-0x0000000000489000-memory.dmp

Filesize
612KB

Download
memory/3428-42-0x00000000013F0000-0x00000000013F2000-memory.dmp

Filesize
8KB

Download
memory/3428-38-0x00000000003F0000-0x0000000000489000-memory.dmp

Filesize
612KB

Download
memory/4396-17-0x0000000000730000-0x00000000007B1000-memory.dmp

Filesize
516KB

Download
memory/4396-0-0x0000000000730000-0x00000000007B1000-memory.dmp

Filesize
516KB

Download
memory/4396-1-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/4648-21-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/4648-20-0x00000000002D0000-0x0000000000351000-memory.dmp

Filesize
516KB

Download
memory/4648-14-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/4648-44-0x00000000002D0000-0x0000000000351000-memory.dmp

Filesize
516KB

Download
memory/4648-11-0x00000000002D0000-0x0000000000351000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads