urelas | 97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52

General

Target

97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
Size

332KB
MD5

efb9d248a446a3a7434267d9b4d123c0
SHA1

3fe98e4298e590b5cc2ee56260b39c34a6790832
SHA256

97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52
SHA512

c88b18d6833b3dd913e67028926cb297866c2b1af65dc9c2e264860365004b525eda2b005d8bf9d3f7a330a4e259a7a44301ad82bf3c58d0ed4f3e0574fc36ee
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYK:vHW138/iXWlK885rKlGSekcj66cij

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exepyloj.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	pyloj.exe

Executes dropped EXE 2 IoCs

Processes:

pyloj.exelyjud.exe

pid process

2472 pyloj.exe
4924 lyjud.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2472	pyloj.exe
4924	lyjud.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exelyjud.exe97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exepyloj.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lyjud.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyloj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lyjud.exe

pid	process
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe
4924	lyjud.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exepyloj.exe

description	pid	process	target process
PID 4900 wrote to memory of 2472	4900	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	pyloj.exe
PID 4900 wrote to memory of 2472	4900	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	pyloj.exe
PID 4900 wrote to memory of 2472	4900	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	pyloj.exe
PID 4900 wrote to memory of 3260	4900	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	cmd.exe
PID 4900 wrote to memory of 3260	4900	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	cmd.exe
PID 4900 wrote to memory of 3260	4900	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	cmd.exe
PID 2472 wrote to memory of 4924	2472	pyloj.exe	lyjud.exe
PID 2472 wrote to memory of 4924	2472	pyloj.exe	lyjud.exe
PID 2472 wrote to memory of 4924	2472	pyloj.exe	lyjud.exe

C:\Users\Admin\AppData\Local\Temp\97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
"C:\Users\Admin\AppData\Local\Temp\97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\pyloj.exe
  "C:\Users\Admin\AppData\Local\Temp\pyloj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\lyjud.exe
    "C:\Users\Admin\AppData\Local\Temp\lyjud.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
8ea4423a847b146a107fe9decf920b20

SHA1
3f20f309fe0c8f7f982820a018655276a6dba841

SHA256
9f07da084a4e9d8fb2716988a84f4f2f7e5e9f3068e5399503baaa8780517374

SHA512
afcbf286839811a850271ea186df37b0b8f6c342d832f856af07ca0f17b0dcd5546e99fe91800bb661a5a1bee904139d44a384ed771678a9566a5b4b50bd4b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
221240c3f1373d80d2f58cd87cf0c8f5

SHA1
e8564387c0d942e9134808bfe3179e4203970538

SHA256
ce5f4af9337eaf7994fb8b1b607d71d3acfd5258500a9f816a6ffd90c607235a

SHA512
297fae3ab1cf0f3ee885188adb99411b65318c27283bd31f69c65a0019f286a42096c078c8f9a75a0735e884599e8ae551ddf5b05b38f4ac29e33cc4d73686a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyjud.exe

Filesize
172KB

MD5
b318ed182749ccaf5984b92d9ca49bef

SHA1
e6e2a073d4cdb2f2d672a4a0806cde9fda39c5a3

SHA256
7a55176b9119107a22cc777aba6d8334b227d27cb58ed2031162e1e43dba2a59

SHA512
1acf1131e5e79e9fa4e2a0c714c3b858f9036cbe6689072e41abae53e18e09de9c6650dc44d2dcdcd546ca43c1a8fc797f7e7976bc0bbfb0fd343b41ad420274

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyloj.exe

Filesize
332KB

MD5
22b4736776dd28b6026448238b34e137

SHA1
6ddfb06cf94f51037c44c10ba0cd3cbe06be6d23

SHA256
76e775f720489998b6588f7211a8db1545a4c546406fd25954c0298d779e24c2

SHA512
fe572f390b524c90c865806896e7293561ca6d2342f217c50f274d8508d9d34d9fe47846ec7d7527b932ab0126f5fd39e0982c85d5e6613a054491cd0ebf6ef8

Download Submit
memory/2472-13-0x0000000000330000-0x00000000003B1000-memory.dmp

Filesize
516KB

Download
memory/2472-14-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2472-19-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2472-20-0x0000000000330000-0x00000000003B1000-memory.dmp

Filesize
516KB

Download
memory/2472-43-0x0000000000330000-0x00000000003B1000-memory.dmp

Filesize
516KB

Download
memory/4900-0-0x00000000006E0000-0x0000000000761000-memory.dmp

Filesize
516KB

Download
memory/4900-16-0x00000000006E0000-0x0000000000761000-memory.dmp

Filesize
516KB

Download
memory/4900-1-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/4924-38-0x0000000000DB0000-0x0000000000DB2000-memory.dmp

Filesize
8KB

Download
memory/4924-39-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/4924-37-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/4924-46-0x0000000000DB0000-0x0000000000DB2000-memory.dmp

Filesize
8KB

Download
memory/4924-45-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/4924-47-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/4924-48-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/4924-49-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/4924-50-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads