urelas | f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0a

General

Target

f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe
Size

332KB
MD5

8ec941fc6702f584dded6bd4ea2d0730
SHA1

b4f114f72de169ac51740d47cf254db76991974f
SHA256

f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0a
SHA512

a5733e07fcddb2f652ace08c6924406bd076681753d180b947ecd01e4d1d78b616e09789aa8d550c5278987716fa5d4adf6350804ed36b4ea1a7d71344c70ba2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVVD:vHW138/iXWlK885rKlGSekcj66ciEVD

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	koorm.exe

Executes dropped EXE 2 IoCs

pid	Process
3528	koorm.exe
4972	qyape.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	koorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qyape.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe
4972	qyape.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 3528	4100	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe	86
PID 4100 wrote to memory of 3528	4100	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe	86
PID 4100 wrote to memory of 3528	4100	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe	86
PID 4100 wrote to memory of 2400	4100	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe	87
PID 4100 wrote to memory of 2400	4100	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe	87
PID 4100 wrote to memory of 2400	4100	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe	87
PID 3528 wrote to memory of 4972	3528	koorm.exe	106
PID 3528 wrote to memory of 4972	3528	koorm.exe	106
PID 3528 wrote to memory of 4972	3528	koorm.exe	106

C:\Users\Admin\AppData\Local\Temp\f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe
"C:\Users\Admin\AppData\Local\Temp\f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\Temp\koorm.exe
  "C:\Users\Admin\AppData\Local\Temp\koorm.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\qyape.exe
    "C:\Users\Admin\AppData\Local\Temp\qyape.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
2afb6d789377100540acb4d4006cd188

SHA1
73a8e08e2d6b2b1ddf2388cfa5173e68a8802e11

SHA256
a4edb0fa1ffa588d67214b678c83cd2619db3de127f189f5b35f8be562d2b559

SHA512
38a14c23b83c138cc7129f831119fd8181726ebb5714e0fae349e9ace7722c84e56353c4ce4bd139fbc357647685aaaa55781b0d2a703858aaaaf416f4e2e9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b9cd238d9001693ee63850a8affa4cd7

SHA1
354aaa4ad483e038b739794fc72e12c3c2817b46

SHA256
6f9bb538fb48ca7ad0e5635817dd8855dfcf51ba352b266ba64bf471646a8e40

SHA512
352c34c67016c7992400f4315650fdab90c119bb26e1f5b8acc2e29ed0154485c69188409033a9a927e05b24715a73c88bb5b960f2cbb54baeb92a3623a77656

Download Submit
C:\Users\Admin\AppData\Local\Temp\koorm.exe

Filesize
332KB

MD5
39ad9afa903c412e1efa21a8268a0acb

SHA1
e85865d2014e0bd47e04e57fbba5088d9e3b757c

SHA256
44856ea030ad0c86027b52fdf7c920315e7e678cdd2f0d3e8b54fa6c1c18682d

SHA512
3c10801e04069fa40568d2595207c284599cdda41b14de850beebded417da889c330d990c617cd951168fd11af867e3eb19712e375e81c6496518d5d61ccf6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyape.exe

Filesize
172KB

MD5
0280f238090b0f061805b76ddcef3a94

SHA1
98b1a0f93cbf5e255a114616999649119ccfdd58

SHA256
3d65353b1a09711429959d3acd6f33eff5c1149c51df4316cd7349a52001f7c8

SHA512
63004daeb568499be2c32397f8425d93f55de249743a1f38e087926018340ddf9101912203e77027a935306fa5509e8b5eb8c7b407c42c5bf8d9cfce4d8dbb22

Download Submit
memory/3528-20-0x0000000000EA0000-0x0000000000F21000-memory.dmp

Filesize
516KB

Download
memory/3528-14-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/3528-12-0x0000000000EA0000-0x0000000000F21000-memory.dmp

Filesize
516KB

Download
memory/3528-43-0x0000000000EA0000-0x0000000000F21000-memory.dmp

Filesize
516KB

Download
memory/4100-17-0x0000000000330000-0x00000000003B1000-memory.dmp

Filesize
516KB

Download
memory/4100-0-0x0000000000330000-0x00000000003B1000-memory.dmp

Filesize
516KB

Download
memory/4100-1-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/4972-38-0x00000000007D0000-0x00000000007D2000-memory.dmp

Filesize
8KB

Download
memory/4972-39-0x0000000000F60000-0x0000000000FF9000-memory.dmp

Filesize
612KB

Download
memory/4972-37-0x0000000000F60000-0x0000000000FF9000-memory.dmp

Filesize
612KB

Download
memory/4972-45-0x00000000007D0000-0x00000000007D2000-memory.dmp

Filesize
8KB

Download
memory/4972-46-0x0000000000F60000-0x0000000000FF9000-memory.dmp

Filesize
612KB

Download
memory/4972-47-0x0000000000F60000-0x0000000000FF9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing