urelas | 3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b

General

Target

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
Size

332KB
MD5

0c532605bd6041f0da53a6a9ade4ccc1
SHA1

b94d3dd6f45d0553004adc2672ce539f4ea8d613
SHA256

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b
SHA512

2019433e7f79bac22372cf967745ee5113a19507a523f48cc896e6ca4a769702f448770e11bef8656a9485038bf41eb72c25b203d1897ebc6a128fa0c72f6d87
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY+:vHW138/iXWlK885rKlGSekcj66ciL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exesiidn.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	siidn.exe

Executes dropped EXE 2 IoCs

Processes:

siidn.exefeicv.exe

pid process

3500 siidn.exe
3760 feicv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3500	siidn.exe
3760	feicv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

feicv.exe3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exesiidn.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feicv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	siidn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

feicv.exe

pid	process
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe
3760	feicv.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exesiidn.exe

description	pid	process	target process
PID 4692 wrote to memory of 3500	4692	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	siidn.exe
PID 4692 wrote to memory of 3500	4692	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	siidn.exe
PID 4692 wrote to memory of 3500	4692	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	siidn.exe
PID 4692 wrote to memory of 4580	4692	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	cmd.exe
PID 4692 wrote to memory of 4580	4692	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	cmd.exe
PID 4692 wrote to memory of 4580	4692	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	cmd.exe
PID 3500 wrote to memory of 3760	3500	siidn.exe	feicv.exe
PID 3500 wrote to memory of 3760	3500	siidn.exe	feicv.exe
PID 3500 wrote to memory of 3760	3500	siidn.exe	feicv.exe

C:\Users\Admin\AppData\Local\Temp\3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
"C:\Users\Admin\AppData\Local\Temp\3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\Temp\siidn.exe
  "C:\Users\Admin\AppData\Local\Temp\siidn.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Users\Admin\AppData\Local\Temp\feicv.exe
    "C:\Users\Admin\AppData\Local\Temp\feicv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8ce8b29932ebadf525fb715e36148a52

SHA1
6ebcdfc2916987af7c6adabbbe3731614a745f6a

SHA256
4daef5587fdbc87677e9b08a1bc616a354407aa3137606ef19dfd5ca52a28093

SHA512
11dd37baa32ae031ebafb3fa5b694f330b6c614cdfd85b0521bc967a8f37296c761858b33e37b86d5c6c38c7cd9a10c65d6e67fa62bb308e71be352ec7c9b80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\feicv.exe

Filesize
172KB

MD5
90f5dc1035fa858d3a8b52df84d45430

SHA1
f4850a704d04cd6a1d4f52ee25985e9d443b73c7

SHA256
c0fa4c9898b76372abeb75da05c05cbe460b1033670fccd8aa89c2a25170f932

SHA512
f98cc44b84203a394b67964e57249d648f63da569ae0080cdaeff0b4166a435e6c5ed0c5e0bef37a97715b0cc766521cfa9cd117e3c83c2477a78047a114cd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
aa885075453ef7c59a71381c335fff5a

SHA1
75c7881f02314accd0e68fc852bc33e9ad1b582f

SHA256
f9d39a35cc647d0459a7df183677a61a47c3febd86539e78ab04c49bf258d043

SHA512
23c1e1ff620b552ea7c6b323edd0d5941ba375989cd304ee41e53ed8be118b7c530808997073ced1ae3492dfa88b2580f8ab18c7fc79c2365f0208bd9a7fc97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\siidn.exe

Filesize
332KB

MD5
1a20ea7d04b896472d5689ecb5976cb1

SHA1
bedf6d02a29c55680434d1510049477ae912cce2

SHA256
439f95cdca4da80003704ca94a7e6c5b679cd393cea4fcc4b26de103d051d8bd

SHA512
d52b35b77b353f5806938b230f2b3ec9eac2eeb4f249b926b611e354c7e3205f3dc6d4041144a93ff6811f5ddca79f39fdf7acf85cb580400af44a95b7908946

Download Submit
memory/3500-19-0x0000000000050000-0x00000000000D1000-memory.dmp

Filesize
516KB

Download
memory/3500-42-0x0000000000050000-0x00000000000D1000-memory.dmp

Filesize
516KB

Download
memory/3500-13-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3500-11-0x0000000000050000-0x00000000000D1000-memory.dmp

Filesize
516KB

Download
memory/3760-44-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/3760-35-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/3760-40-0x0000000000D40000-0x0000000000D42000-memory.dmp

Filesize
8KB

Download
memory/3760-37-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/3760-45-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/3760-46-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/3760-47-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/3760-48-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/4692-1-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/4692-0-0x0000000000540000-0x00000000005C1000-memory.dmp

Filesize
516KB

Download
memory/4692-16-0x0000000000540000-0x00000000005C1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads