urelas | 52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924

General

Target

52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe
Size

332KB
MD5

277aade9d81f39ce3777ed79d5ab10c5
SHA1

fda2240f20e5330f62fce7998aab8d6410375a10
SHA256

52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924
SHA512

33053db3052de5a88c24bec07445f6152964f02b7aec97f9515717e64ea8e1f444bac71ef71a5bc00d77ca29b951f855a0b73c1e71007f4ef8e4e141dfe01694
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVVB:vHW138/iXWlK885rKlGSekcj66ciEVB

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	nugyq.exe

Executes dropped EXE 2 IoCs

pid	Process
3476	nugyq.exe
2452	pezyo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pezyo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nugyq.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe
2452	pezyo.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 3476	2912	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe	87
PID 2912 wrote to memory of 3476	2912	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe	87
PID 2912 wrote to memory of 3476	2912	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe	87
PID 2912 wrote to memory of 708	2912	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe	88
PID 2912 wrote to memory of 708	2912	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe	88
PID 2912 wrote to memory of 708	2912	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe	88
PID 3476 wrote to memory of 2452	3476	nugyq.exe	107
PID 3476 wrote to memory of 2452	3476	nugyq.exe	107
PID 3476 wrote to memory of 2452	3476	nugyq.exe	107

C:\Users\Admin\AppData\Local\Temp\52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe
"C:\Users\Admin\AppData\Local\Temp\52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\nugyq.exe
  "C:\Users\Admin\AppData\Local\Temp\nugyq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Users\Admin\AppData\Local\Temp\pezyo.exe
    "C:\Users\Admin\AppData\Local\Temp\pezyo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2ab15d5cc5f585cb6ad64ce0d483f6b3

SHA1
5d1c13465ffa45cea4995cff18b5e4c97a1e94d6

SHA256
5927e7573fae77e1aa2880741531bfff9aec813423cf01a7e62101bb328a4aa1

SHA512
4cf361e7c48b644d8cd4849627ad0e154355a036daf7b8ad3abc4e586823f913868e65de37a1a4232b1f7b486ecdb44d11f0b9b804af58d44a4668d025bb4f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b258aee56fae575f8c953aa3a131f075

SHA1
2dd1baefb3231f460f7cbaafc78eb0a563e4726a

SHA256
efae184cb25e80e3144d6c7b708b0d6568b053ac9db0bacb79b8be2e01adc474

SHA512
c1987885be69954e2825b33478bc773afa1365ee811688deb3ab2a186175109f679760307ce6e844c7fad70ea8a3f652e321f2c8388ccf7957ca348f78248096

Download Submit
C:\Users\Admin\AppData\Local\Temp\nugyq.exe

Filesize
332KB

MD5
cb27cb5978ae64c4f60f9c0d71ce2782

SHA1
67df2bac1ee84fa8a248735b3031b4d7a4a0c15e

SHA256
ead9a312699d9b3399ab2115531a0e5e594e6d17e3954899852b24a17c462a03

SHA512
ac3753660e25dd4b64fc01d1a253b900b5391808a7c260de3ace71b1d0d5bf367fe022bd6baab209f5bc271dc8f8bd50853bd1e77864067c9c01268c2776c462

Download Submit
C:\Users\Admin\AppData\Local\Temp\pezyo.exe

Filesize
172KB

MD5
3b10ccaef5c2fd06feace3e0cf1bb6f9

SHA1
c4b4d8df6099178b4dd2603b02c5c0792b19f7ab

SHA256
da13ea68e507ae4c15f8ac8427f75744c305f159e7309676788aa1838c359c52

SHA512
1c66e76f3dc630524d38b0fecaf85e2d48422ccb67ec208ab7057d38bcb05e7ce1c0170c047ebb838120d8b07ad5c63f77226b56411c70268e328f13b330939b

Download Submit
memory/2452-47-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/2452-45-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/2452-46-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/2452-37-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/2452-38-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/2452-39-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/2912-0-0x0000000000F10000-0x0000000000F91000-memory.dmp

Filesize
516KB

Download
memory/2912-17-0x0000000000F10000-0x0000000000F91000-memory.dmp

Filesize
516KB

Download
memory/2912-1-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3476-12-0x0000000000970000-0x00000000009F1000-memory.dmp

Filesize
516KB

Download
memory/3476-43-0x0000000000970000-0x00000000009F1000-memory.dmp

Filesize
516KB

Download
memory/3476-20-0x0000000000970000-0x00000000009F1000-memory.dmp

Filesize
516KB

Download
memory/3476-13-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing