urelas | 38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5

General

Target

38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe
Size

331KB
MD5

30ea5e68559a497f7e2f766c971517c0
SHA1

74b2de3994c6bdd890440e115c5f66c81805eed2
SHA256

38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5
SHA512

72f11c5cd6118b126cb7cd54e103b72a9502d945778014d88cd60d879261a7623784ffd8c79b742223d9a39bf78fc5771fc5e1082be24672a5fe3888f37ce3a0
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVT:vHW138/iXWlK885rKlGSekcj66ciET

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	worif.exe

Executes dropped EXE 2 IoCs

pid	Process
2816	worif.exe
3504	cygyz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cygyz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	worif.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe
3504	cygyz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 2816	4412	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe	87
PID 4412 wrote to memory of 2816	4412	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe	87
PID 4412 wrote to memory of 2816	4412	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe	87
PID 4412 wrote to memory of 2096	4412	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe	88
PID 4412 wrote to memory of 2096	4412	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe	88
PID 4412 wrote to memory of 2096	4412	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe	88
PID 2816 wrote to memory of 3504	2816	worif.exe	108
PID 2816 wrote to memory of 3504	2816	worif.exe	108
PID 2816 wrote to memory of 3504	2816	worif.exe	108

C:\Users\Admin\AppData\Local\Temp\38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe
"C:\Users\Admin\AppData\Local\Temp\38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Local\Temp\worif.exe
  "C:\Users\Admin\AppData\Local\Temp\worif.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\cygyz.exe
    "C:\Users\Admin\AppData\Local\Temp\cygyz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
6eb6f63297da1390f2dfbe3b22f4934c

SHA1
f0285d30f4ed8df9210dd424017ebf1273be21ce

SHA256
0ce1e7e46f8cced4a61efa4ecc48cd46c1c76e85593b8de89fc18529f3485fe8

SHA512
6785358d8a9f9793036256b66dccc0532da0bb86d7c68b568bdada1d73fbc14473e3831c57000b1fdb8fc45d4efd9a9587d0c641a82e3e30b7cf3749e23e9d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\cygyz.exe

Filesize
172KB

MD5
1411a74ff6896572f0443804de90e6b0

SHA1
89873b414fdbaa9fd91cfa386b024b6021579924

SHA256
9e164ef1db11545f6d39c2613293608a700fc8d11045e18cd55689799d624f7c

SHA512
89bb3db6f6c764b22c94c818f9298bb9fe1bbc8296ec88c02348ed9a32500c37a289d2d5e0f99824787f698253b0eda61a878d170ec1717987d460a246a60b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
51a861e7f834f623a0b5c602ed329553

SHA1
c29bf908fc3aed37438499d179d9857f015872c6

SHA256
ee98f532fed87ee57f5183fd87ecae7f394c2b33e0b58355043de1ed1853e729

SHA512
2867997ee1455aba26d97706e8a3fc757ad19212dacb8388963362b5f9ba1e2188ea6573e7d40c2eb23dc5d8c7de2eb845345ec07887aa9c5b5955e23728414c

Download Submit
C:\Users\Admin\AppData\Local\Temp\worif.exe

Filesize
331KB

MD5
6341a2c01991b2e33020a8f0c4f17ac7

SHA1
5072e36b92c8a0f4983887dd5df76a3aa256596d

SHA256
6a6f37b64c295c8dcb0daad248bbc3045c26ee05edb0f1927ffafd9bdd34397b

SHA512
960bcc83b2b31bc48158442e8a6a6e1ba9fa1565ad7036d5a13b7ff2ce8fce1e9de3a721a684f1e2d927e09f1b93338738f7d1d01b719a9a0d83a2609c49585a

Download Submit
memory/2816-20-0x0000000000FA0000-0x0000000001021000-memory.dmp

Filesize
516KB

Download
memory/2816-21-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2816-15-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2816-12-0x0000000000FA0000-0x0000000001021000-memory.dmp

Filesize
516KB

Download
memory/2816-41-0x0000000000FA0000-0x0000000001021000-memory.dmp

Filesize
516KB

Download
memory/3504-42-0x00000000004D0000-0x0000000000569000-memory.dmp

Filesize
612KB

Download
memory/3504-39-0x0000000001000000-0x0000000001002000-memory.dmp

Filesize
8KB

Download
memory/3504-38-0x00000000004D0000-0x0000000000569000-memory.dmp

Filesize
612KB

Download
memory/3504-47-0x0000000001000000-0x0000000001002000-memory.dmp

Filesize
8KB

Download
memory/3504-46-0x00000000004D0000-0x0000000000569000-memory.dmp

Filesize
612KB

Download
memory/3504-48-0x00000000004D0000-0x0000000000569000-memory.dmp

Filesize
612KB

Download
memory/4412-1-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/4412-0-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/4412-17-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing