urelas | b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341

General

Target

b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe
Size

333KB
MD5

7c52fa1dc9e1c5e59b28723dfab0a5b6
SHA1

90838f4318a86b255e60c6d6d44faabcf7a3e254
SHA256

b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341
SHA512

52110668c323a0e6fb653f7aa17c28ad5fa4f30bf6cba9e582f89b1ad4004b8596d4bc534b52c3f31b530298878caf01342c5979ea4edcb5f8d96b5a98805d52
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYiU:vHW138/iXWlK885rKlGSekcj66ci/U

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

noajf.exeb9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	noajf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe

Executes dropped EXE 2 IoCs

Processes:

noajf.exerizyz.exe

pid process

2984 noajf.exe
3512 rizyz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2984	noajf.exe
3512	rizyz.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rizyz.exeb9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exenoajf.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rizyz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	noajf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rizyz.exe

pid	process
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe
3512	rizyz.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exenoajf.exe

description	pid	process	target process
PID 5044 wrote to memory of 2984	5044	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe	noajf.exe
PID 5044 wrote to memory of 2984	5044	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe	noajf.exe
PID 5044 wrote to memory of 2984	5044	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe	noajf.exe
PID 5044 wrote to memory of 3588	5044	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe	cmd.exe
PID 5044 wrote to memory of 3588	5044	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe	cmd.exe
PID 5044 wrote to memory of 3588	5044	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe	cmd.exe
PID 2984 wrote to memory of 3512	2984	noajf.exe	rizyz.exe
PID 2984 wrote to memory of 3512	2984	noajf.exe	rizyz.exe
PID 2984 wrote to memory of 3512	2984	noajf.exe	rizyz.exe

C:\Users\Admin\AppData\Local\Temp\b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe
"C:\Users\Admin\AppData\Local\Temp\b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\noajf.exe
  "C:\Users\Admin\AppData\Local\Temp\noajf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\rizyz.exe
    "C:\Users\Admin\AppData\Local\Temp\rizyz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a54630d7c21fb442b07d11534ffc4e22

SHA1
1f18054b31dc4f877ae5bb5ffe13a818db9f02bf

SHA256
761dccdc20e1864808dbe66b5dd552bcbf0232270955c82a25af07f2720eb5a6

SHA512
1002d310e6f02b9275b1a4d77d90cb50682c96716d999c7dac564310fa8134cf785a5102ca2093d3d1c595b1e0d94f55468b04a33289cabb2a9a12c98c222305

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8eb35579252476d3fa7ec1ca604b97c0

SHA1
16bff87b266c53dcce982f1af1c1874949fb4ecd

SHA256
3035470044ca6569b416517a5e5daec5e2bc3dd4c0b12947eea28f7ff7214884

SHA512
791631d9a92cf598c2182dba6186ca45a202391e093a593fc42244cab90d136ad80b1da69bd7abc331fa23bcfc42c3f7e7d9948ab01bbb85adcd262c643a6a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\noajf.exe

Filesize
333KB

MD5
a8116c3c749f75df43d8b7817a584791

SHA1
ee57de62449bbf02239a1170b9075730390c9730

SHA256
d8ab6666af4ece7eaa4ec793a2cad0f1876e24297e9e1a7d17509792d3295f54

SHA512
1cbb98ff6327eb502960670cf73c13c6022a9c817f2093fdd0af03287e6ca72c2ee93af327115651e5fa59657d23687d94c45c2de5f9e62a459534826e624861

Download Submit
C:\Users\Admin\AppData\Local\Temp\rizyz.exe

Filesize
172KB

MD5
3bbd8a67cf4e29414785b47792b95476

SHA1
c910609037674008739b83356c24960818e793db

SHA256
7124ef2af7c8af5ef974db90bb7e703bcaec6d6e62923a15844df2f4c38b0fad

SHA512
74e876d5de0453c78c794d650770f7448ce8b58d181df9b58f187119cc13ce8976c49879f624936ff93feccd1709162258fcf403719536c8b37206235ba7f202

Download Submit
memory/2984-20-0x0000000000720000-0x00000000007A1000-memory.dmp

Filesize
516KB

Download
memory/2984-39-0x0000000000720000-0x00000000007A1000-memory.dmp

Filesize
516KB

Download
memory/2984-13-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2984-12-0x0000000000720000-0x00000000007A1000-memory.dmp

Filesize
516KB

Download
memory/3512-45-0x00000000005C0000-0x0000000000659000-memory.dmp

Filesize
612KB

Download
memory/3512-37-0x00000000005C0000-0x0000000000659000-memory.dmp

Filesize
612KB

Download
memory/3512-40-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/3512-41-0x00000000005C0000-0x0000000000659000-memory.dmp

Filesize
612KB

Download
memory/3512-46-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/3512-47-0x00000000005C0000-0x0000000000659000-memory.dmp

Filesize
612KB

Download
memory/3512-48-0x00000000005C0000-0x0000000000659000-memory.dmp

Filesize
612KB

Download
memory/3512-49-0x00000000005C0000-0x0000000000659000-memory.dmp

Filesize
612KB

Download
memory/3512-50-0x00000000005C0000-0x0000000000659000-memory.dmp

Filesize
612KB

Download
memory/5044-17-0x0000000000440000-0x00000000004C1000-memory.dmp

Filesize
516KB

Download
memory/5044-1-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/5044-0-0x0000000000440000-0x00000000004C1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads