urelas | c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884

General

Target

c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe
Size

332KB
MD5

dd283e263e2b0339bf8bb6a19a7ef990
SHA1

b91c87e5ca1573739a501f8bd91b041a1adbe82f
SHA256

c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884
SHA512

198932fada52cf3b8b908c634251a252a14e8118950222c490a3249004d6fca78acfdb1e789fbfbfca2425a0365561d7637c4307e1ec201d9bf72c65d0436b3b
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVb:vHW138/iXWlK885rKlGSekcj66ciEb

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	bedyy.exe

Executes dropped EXE 2 IoCs

pid	Process
456	bedyy.exe
4736	roiqp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bedyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	roiqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe
4736	roiqp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 456	2004	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	87
PID 2004 wrote to memory of 456	2004	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	87
PID 2004 wrote to memory of 456	2004	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	87
PID 2004 wrote to memory of 1964	2004	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	88
PID 2004 wrote to memory of 1964	2004	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	88
PID 2004 wrote to memory of 1964	2004	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	88
PID 456 wrote to memory of 4736	456	bedyy.exe	101
PID 456 wrote to memory of 4736	456	bedyy.exe	101
PID 456 wrote to memory of 4736	456	bedyy.exe	101

C:\Users\Admin\AppData\Local\Temp\c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe
"C:\Users\Admin\AppData\Local\Temp\c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\bedyy.exe
  "C:\Users\Admin\AppData\Local\Temp\bedyy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\roiqp.exe
    "C:\Users\Admin\AppData\Local\Temp\roiqp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
12cc31e42f61ba51d1ef42b3dfd7dcad

SHA1
feec1c4dd538f7e2a03b9a9edcb2ae38db9b9275

SHA256
640d2e011c0789c0c436c6bd990adc5042a65341afd0d6c14ed099ba24de54ee

SHA512
9c2fa7c203fdf61f1757462a612e45fdc975b651bb3a2c9d7d218400e6f087c01d86ed82b5dc446ec44644de06aad9dc54158695332393463bb7f86eaee8d8ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedyy.exe

Filesize
332KB

MD5
16b004ef0954d44ec845c8041b01ee3f

SHA1
fd0ac6cf1d9de9dec6f4a833f05e9dac7a24031d

SHA256
27a994449be6a3cfd2195f839857eaad27396a52a134271ec8dd2a96300340fe

SHA512
74a94b48673c51300a909325705f8d2ad2239ec397a1e40e7f83650a0c7a268ba02e14c748c8debb69e072e6633960a4bc261755f51901b2afe80de08294a4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1f50c8076a4673ba50ee10e60567eae3

SHA1
b77691a2de7234410f7ce12f6b831ee054be980e

SHA256
1b5a2f753ccc6034681129e3411e4ef2d990ec5ec7263b5a5e64bee6e5176ae2

SHA512
5e3379ceac824a970d4ba644d4df17a27164973468ff0dd7a89d092d3072e8b7d0f189b42dccdba7abb22e5d124b2d5105c15762ae1fc2606d8eb3e47328977c

Download Submit
C:\Users\Admin\AppData\Local\Temp\roiqp.exe

Filesize
172KB

MD5
d716afe95c32a8e426b7c28d8554d1a1

SHA1
f99a16859a9b5d6454f6c2f895812ff740f20011

SHA256
a5c775dfc65b4ccdffaae2bcc0938821b46c9c6c7b7a2b3fd0c54f800690fbfa

SHA512
2a0295768f5d2786f39336b24c83e39dc01a7df94eadab715791a86d46afccfdef3b0d02e00758b3ea40834c44530ddcc2f4fd945c18d2baded6cef3ca1a4c3e

Download Submit
memory/456-20-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/456-44-0x00000000002C0000-0x0000000000341000-memory.dmp

Filesize
516KB

Download
memory/456-14-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/456-21-0x00000000002C0000-0x0000000000341000-memory.dmp

Filesize
516KB

Download
memory/456-13-0x00000000002C0000-0x0000000000341000-memory.dmp

Filesize
516KB

Download
memory/2004-17-0x00000000006D0000-0x0000000000751000-memory.dmp

Filesize
516KB

Download
memory/2004-0-0x00000000006D0000-0x0000000000751000-memory.dmp

Filesize
516KB

Download
memory/2004-1-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4736-40-0x0000000000D70000-0x0000000000E09000-memory.dmp

Filesize
612KB

Download
memory/4736-39-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download
memory/4736-38-0x0000000000D70000-0x0000000000E09000-memory.dmp

Filesize
612KB

Download
memory/4736-47-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download
memory/4736-46-0x0000000000D70000-0x0000000000E09000-memory.dmp

Filesize
612KB

Download
memory/4736-48-0x0000000000D70000-0x0000000000E09000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing