urelas | a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429

General

Target

a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe
Size

332KB
MD5

926d44f877c6b8877309b7dc186c5650
SHA1

d21eb91f9d20bb0d3a3ccd5edd4dd48d900a54df
SHA256

a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429
SHA512

486b60f8b1ee93f7b52f8f911e4284b7c384a23a68e4736d5fd6b9dd97c1be5cae23f24fce95f11c98e954bfb029ef55d84bab57dcc9fbbeda6a61e4b6548fc2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVO:vHW138/iXWlK885rKlGSekcj66ciEO

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exefeeba.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	feeba.exe

Executes dropped EXE 2 IoCs

Processes:

feeba.exeurgyq.exe

pid process

460 feeba.exe
4956 urgyq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
460	feeba.exe
4956	urgyq.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exefeeba.execmd.exeurgyq.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feeba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	urgyq.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

urgyq.exe

pid	process
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe
4956	urgyq.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exefeeba.exe

description	pid	process	target process
PID 2040 wrote to memory of 460	2040	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe	feeba.exe
PID 2040 wrote to memory of 460	2040	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe	feeba.exe
PID 2040 wrote to memory of 460	2040	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe	feeba.exe
PID 2040 wrote to memory of 436	2040	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe	cmd.exe
PID 2040 wrote to memory of 436	2040	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe	cmd.exe
PID 2040 wrote to memory of 436	2040	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe	cmd.exe
PID 460 wrote to memory of 4956	460	feeba.exe	urgyq.exe
PID 460 wrote to memory of 4956	460	feeba.exe	urgyq.exe
PID 460 wrote to memory of 4956	460	feeba.exe	urgyq.exe

C:\Users\Admin\AppData\Local\Temp\a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe
"C:\Users\Admin\AppData\Local\Temp\a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\feeba.exe
  "C:\Users\Admin\AppData\Local\Temp\feeba.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Users\Admin\AppData\Local\Temp\urgyq.exe
    "C:\Users\Admin\AppData\Local\Temp\urgyq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
954d08d6a12a118077cfc71bbd9a60fa

SHA1
491cfe3cdcced90d2f7ca27c1ec8ea91688b2c99

SHA256
3f273f97b5095a089cee89df487b2b61ac558141aa852f98e51cdb7e294156d7

SHA512
01008c5e95943cf07ba1cf03d58a0f26081207709c101b51cac0941feb4ba18cc1d9b40958ef2dd488b53abc0789ae34514ad340e588ac00450534c28f3c63e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\feeba.exe

Filesize
332KB

MD5
ce9f611a89b8e87954204dbba7ced512

SHA1
e013a06a813ced44bc2864ec743f96d4ff3653fe

SHA256
1e5e86b143dd1bba6ac752ba8ddcc132c88750e9eeff7623f079b9006449327b

SHA512
18e523a503f43f5fecdff3b110e85374381c46605fae47a7a1f4f2525d2272c0e5e9d4acaa9262ab1f3af74c1d887d4c72e411ae95640514ae1d9c147ab93b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b9a56f3cd154cb016cf0d1dffc5b98d9

SHA1
6ece253d819d6756dfcb64fbbb150a19f324815c

SHA256
607aaea2e4e3b95c5755aef420ff7ce896aa15eb8e7b2552d8e3452144fd11c3

SHA512
75cde4f4b37bead2c3431e744d7473662c2d336e473ae5d295664a0818ff4dff2bd5a55a71d70d43223a906cd17e698acf389d8b6c3eb5c179a9b9d526fad376

Download Submit
C:\Users\Admin\AppData\Local\Temp\urgyq.exe

Filesize
172KB

MD5
ac46ffb31ffdc6be35c50d0f0bf376f4

SHA1
a83bbb77f4b31b31c533c369bb787205a6aabbea

SHA256
744d7f1790c5c4d959030f111f76107f620f0d16da05c35c2c092260bdf1e13c

SHA512
aa1ab18d95f50bda3dced1c2a8f17a65f44775e33d669610fd2d3942e139f65d33e958f646e48d258d9b06d4d9cb05c405bf4da2aeb8d88558043537d7b455b9

Download Submit
memory/460-19-0x0000000000670000-0x00000000006F1000-memory.dmp

Filesize
516KB

Download
memory/460-42-0x0000000000670000-0x00000000006F1000-memory.dmp

Filesize
516KB

Download
memory/460-13-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/460-12-0x0000000000670000-0x00000000006F1000-memory.dmp

Filesize
516KB

Download
memory/2040-16-0x0000000000190000-0x0000000000211000-memory.dmp

Filesize
516KB

Download
memory/2040-0-0x0000000000190000-0x0000000000211000-memory.dmp

Filesize
516KB

Download
memory/2040-1-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/4956-39-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/4956-37-0x0000000000DE0000-0x0000000000DE2000-memory.dmp

Filesize
8KB

Download
memory/4956-36-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/4956-44-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/4956-45-0x0000000000DE0000-0x0000000000DE2000-memory.dmp

Filesize
8KB

Download
memory/4956-46-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads