urelas | 960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940

General

Target

960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe
Size

335KB
MD5

31463bff05962a340451ade401cd245d
SHA1

2f12b72d85e2eb2aa69809c0e9f927d1049eb663
SHA256

960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940
SHA512

e2268a4f9aa86667dc5e1dc832545eed8bcdfb36fc16673a7fb6262ab12e110c74777929787cf266f4cccb53d9f8bc820bea18aa7b10b4819d030a629762b2b3
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66ciA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exejezyr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	jezyr.exe

Executes dropped EXE 2 IoCs

Processes:

jezyr.exexehao.exe

pid process

1704 jezyr.exe
680 xehao.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1704	jezyr.exe
680	xehao.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exejezyr.execmd.exexehao.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jezyr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xehao.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

xehao.exe

pid	process
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe
680	xehao.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exejezyr.exe

description	pid	process	target process
PID 2908 wrote to memory of 1704	2908	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe	jezyr.exe
PID 2908 wrote to memory of 1704	2908	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe	jezyr.exe
PID 2908 wrote to memory of 1704	2908	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe	jezyr.exe
PID 2908 wrote to memory of 432	2908	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe	cmd.exe
PID 2908 wrote to memory of 432	2908	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe	cmd.exe
PID 2908 wrote to memory of 432	2908	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe	cmd.exe
PID 1704 wrote to memory of 680	1704	jezyr.exe	xehao.exe
PID 1704 wrote to memory of 680	1704	jezyr.exe	xehao.exe
PID 1704 wrote to memory of 680	1704	jezyr.exe	xehao.exe

C:\Users\Admin\AppData\Local\Temp\960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe
"C:\Users\Admin\AppData\Local\Temp\960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\jezyr.exe
  "C:\Users\Admin\AppData\Local\Temp\jezyr.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\xehao.exe
    "C:\Users\Admin\AppData\Local\Temp\xehao.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b3187a86766b2ef06bd7a0728e077f62

SHA1
fd760cc762b685cdd8fef0e8d6f2e25e40e38b73

SHA256
ead8a0f009a8366a15e7ced6b3224b0f9281a0261612a3d8f8c0cc55ff05fd3e

SHA512
4ad983a3d2bf09d15dbe9f05fc373d4e60c5485379e550fc8b62ac9a267202b2661245738129a4b2eb9185e6739dc175ebbf1227c444fb4f956ac79dbf3d4c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7c8dd25a2607d8bf329f9f777e672c3b

SHA1
2f8509a8be72a813fb473bbb3da92229ce4e9474

SHA256
cb7a7c5df4f364c2e218a065012a2cc9f1dc401f152726fd6a0887c4b1b03c83

SHA512
e2c230901293122550ef84a1556970c6af714dcff1de2edd988e8c003439364f0d147697fa31cc6bee6373745853392fae6fb7ca616be8929dfcfdb1db7d40b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jezyr.exe

Filesize
335KB

MD5
15c1f7504b87123b7a51f80d317a59a5

SHA1
249f8936169648e592ad16d49d2679d043a246be

SHA256
f2e325d9a76471167e0ed072ef7ffdd123950e51cb461a725107abdd8a04ce74

SHA512
0093311c9c78814839b67846e60478d47482e149eda98f6794250d430282b8375729d044d8ba2010884bd1672fcddd439f8925bd5dc778f59483323881a9815a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xehao.exe

Filesize
172KB

MD5
99580f548b42350a1713c549792e5393

SHA1
3f8b367f78f76f5ff8c78b338bda581c8b184dd3

SHA256
8eaf9e6eac27ccd3e28d346ef60809c4485f101a3d622c67473b0f6e3e961ff0

SHA512
3ffec5edc6ab0ed6d4e384c8adee27a3abd8be751968d2843cfb96fa037cc736aa09fc8fd1e486e13809b231f5a9344d3eeaaeb1f3a40bcd63abe592b0c53a32

Download Submit
memory/680-48-0x0000000000D00000-0x0000000000D99000-memory.dmp

Filesize
612KB

Download
memory/680-46-0x0000000000D00000-0x0000000000D99000-memory.dmp

Filesize
612KB

Download
memory/680-47-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/680-42-0x0000000000D00000-0x0000000000D99000-memory.dmp

Filesize
612KB

Download
memory/680-38-0x0000000000D00000-0x0000000000D99000-memory.dmp

Filesize
612KB

Download
memory/680-39-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/1704-41-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/1704-21-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/1704-20-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/1704-12-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/1704-13-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2908-0-0x0000000000040000-0x00000000000C1000-memory.dmp

Filesize
516KB

Download
memory/2908-17-0x0000000000040000-0x00000000000C1000-memory.dmp

Filesize
516KB

Download
memory/2908-1-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads