urelas | 2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f

General

Target

2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe
Size

333KB
MD5

8dd4853010e7db531898aa198b116300
SHA1

839c24033a06b4f9ff2abd065f12cbdec61d83e0
SHA256

2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f
SHA512

1be5cbce7454acf89b94ec27ef1f9c74c3a8ef53bb6a93dc3ca9243ef9a5d612b1400d7215a4107e95512f7f073c65e3ba7d90f735db74c990830acf0444b5f6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9W:vHW138/iXWlK885rKlGSekcj66ciWW

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	xymui.exe

Executes dropped EXE 2 IoCs

pid	Process
392	xymui.exe
1996	odkyr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xymui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odkyr.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe
1996	odkyr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 392	316	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe	87
PID 316 wrote to memory of 392	316	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe	87
PID 316 wrote to memory of 392	316	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe	87
PID 316 wrote to memory of 724	316	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe	89
PID 316 wrote to memory of 724	316	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe	89
PID 316 wrote to memory of 724	316	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe	89
PID 392 wrote to memory of 1996	392	xymui.exe	102
PID 392 wrote to memory of 1996	392	xymui.exe	102
PID 392 wrote to memory of 1996	392	xymui.exe	102

C:\Users\Admin\AppData\Local\Temp\2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe
"C:\Users\Admin\AppData\Local\Temp\2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\xymui.exe
  "C:\Users\Admin\AppData\Local\Temp\xymui.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\odkyr.exe
    "C:\Users\Admin\AppData\Local\Temp\odkyr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
e5991d6a36d31e5178c54f63402b6940

SHA1
1e433727b4d58f6b33c378dd127977e304b51d0f

SHA256
7c0d0958b7fb9cacf1f670f1ad84511da0a6f2f0a53a3b4b0e97537c2ea62965

SHA512
6653b0569e69da972d1c6222df92064dc665cf0aa1da18dfd3496c1aa4bae56c94df271c46e5d7fdacabb15e0a64075a8c01ed6211c5efc60a47b8d7b39ab89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ac6e3b6b9f540453743c31a3b5910b64

SHA1
28c3bd2264eac66b707796722cca2b9cd6329f05

SHA256
00566d92a6b845290de4a6511e0b06ffe481c273dd8dba97a70d8c7c21eaf761

SHA512
f9d7664307cff746d2a4248ba6f084b3e9548140a60d7b21f5e6edc14608d719ef9e7fe25789f56f9dad4e564794640262390104e1e443c2e685535376aa0429

Download Submit
C:\Users\Admin\AppData\Local\Temp\odkyr.exe

Filesize
172KB

MD5
7519c60f7363dcae1e5d91ccc27afc2a

SHA1
c31672c3843f454900fe1ae8bf4c384b8fe06cae

SHA256
ec4afd6b8b140ee3d9d2560fe1f968974276b7390a7f94b001d882b8a050e0f6

SHA512
fa898439f6735d50287d3b18119519e44d8c87574700103b61093bf22bdb4337502e0881930e06f15b31ba6b0c311ed59c7895b63ab4689b7e68101bfcea2308

Download Submit
C:\Users\Admin\AppData\Local\Temp\xymui.exe

Filesize
333KB

MD5
c30577cf03ceb1ce053f997e744ff242

SHA1
6c2124fd816e731d49243bc5082c3f269c8500a2

SHA256
646238e3bef3fb3badac48a204e907b98ba04f607db19635fc1ac73d097a739d

SHA512
4ef2db623ec8a4948afbd9da43b50934e986aacdaa0e0bec48b5e629d8b68eefa2b7b637a87b77b27ff9b0061b924cd1ea59d3587203866b8001786f783487f4

Download Submit
memory/316-1-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/316-0-0x0000000000910000-0x0000000000991000-memory.dmp

Filesize
516KB

Download
memory/316-17-0x0000000000910000-0x0000000000991000-memory.dmp

Filesize
516KB

Download
memory/392-20-0x0000000000D60000-0x0000000000DE1000-memory.dmp

Filesize
516KB

Download
memory/392-13-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/392-12-0x0000000000D60000-0x0000000000DE1000-memory.dmp

Filesize
516KB

Download
memory/392-39-0x0000000000D60000-0x0000000000DE1000-memory.dmp

Filesize
516KB

Download
memory/1996-36-0x0000000000C30000-0x0000000000CC9000-memory.dmp

Filesize
612KB

Download
memory/1996-40-0x00000000007F0000-0x00000000007F2000-memory.dmp

Filesize
8KB

Download
memory/1996-41-0x0000000000C30000-0x0000000000CC9000-memory.dmp

Filesize
612KB

Download
memory/1996-46-0x00000000007F0000-0x00000000007F2000-memory.dmp

Filesize
8KB

Download
memory/1996-45-0x0000000000C30000-0x0000000000CC9000-memory.dmp

Filesize
612KB

Download
memory/1996-47-0x0000000000C30000-0x0000000000CC9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing