urelas | fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53

General

Target

fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe
Size

444KB
MD5

dc78472cd99e4ac4e4cec9da36003550
SHA1

280d157f9be93a5100249ecc8b83877b8d9a13c6
SHA256

fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53
SHA512

c1f9168a62ec3516be52f3d8f923b2f9154169b7dfe3dafb44fb11483cdeddd744302b04b4f1895f9a4b5db78eafa38b0dadd2fc00b29a7311bf32f9c56bf0d0
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMC:rKf1PyKa2H3hOHOHz9JQ6zBj

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

siord.exefe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	siord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe

Executes dropped EXE 2 IoCs

Processes:

siord.exeusnai.exe

pid	Process
4060	siord.exe
2648	usnai.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exesiord.execmd.exeusnai.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	siord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usnai.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

usnai.exe

pid	Process
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe
2648	usnai.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exesiord.exe

description	pid	Process	procid_target
PID 5040 wrote to memory of 4060	5040	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe	83
PID 5040 wrote to memory of 4060	5040	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe	83
PID 5040 wrote to memory of 4060	5040	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe	83
PID 5040 wrote to memory of 320	5040	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe	84
PID 5040 wrote to memory of 320	5040	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe	84
PID 5040 wrote to memory of 320	5040	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe	84
PID 4060 wrote to memory of 2648	4060	siord.exe	102
PID 4060 wrote to memory of 2648	4060	siord.exe	102
PID 4060 wrote to memory of 2648	4060	siord.exe	102

C:\Users\Admin\AppData\Local\Temp\fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe
"C:\Users\Admin\AppData\Local\Temp\fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\siord.exe
  "C:\Users\Admin\AppData\Local\Temp\siord.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Users\Admin\AppData\Local\Temp\usnai.exe
    "C:\Users\Admin\AppData\Local\Temp\usnai.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
7c3357302c850bfddef32fb4db2a2146

SHA1
93ea0dbf6476cead861d1f977c4420967e3f85cc

SHA256
ca43ce734faee601448fe551733ad782b0ea119e8834e45a8a2883e5ec3566cc

SHA512
c9aaf8e04634b5610019649f3fffdffd045b01e3aa3bff046d45a224eb4ab78c248f43ab9b736490fd761ad174482297407e70c5fecc71b1a4dd0528696c52d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
16fd023c7a242953bb43b2ed639b1075

SHA1
57107dd7ad3eb7e2dfc286bf954a1dea5e889f63

SHA256
f88e5abb2a61884da751a9824b8be33a1eb13e78b591cc2cd1dda03662cab5f3

SHA512
5ee7515fa3870e7d864b34818e691be3b3b4491f595b6a1263dae17532eefc32bcd249c66ef512c9976c22391042b734a9e5ff9e48fdeff226f4c121135e788c

Download Submit
C:\Users\Admin\AppData\Local\Temp\siord.exe

Filesize
444KB

MD5
31e537cc5b5bee269a635c73af90d519

SHA1
c0faff30b4b76f6a9b4743e4812c84d40e49f9d8

SHA256
9ffaf3ee70cb8f9a6c4e3efb7ec860e8e1f47512ec9ec4f389eb6750ecc50048

SHA512
51efb2ebf3d3565c4df8c2bffc1e9c14fb2eba4e3b6ca322069e0c4deed8d6341f176f9610f72da669dea49c58b776d9226c3522b2d22002ac8b50e2684e3ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\usnai.exe

Filesize
230KB

MD5
1c0adbf45d42608c5663508062372c91

SHA1
e574fc91a5ba0bc01cae0a82f0b30f5cbf4a3f65

SHA256
7b207cb7e2f6bc81af3dfa706712520d69187e4d07caf8f2968c5bd2aad635c0

SHA512
866b40663a682dd16d9b5cf530df80598ec4fbdc366ccccb85d792a3fda6700efd0a530cf704570e66e5eb5b58bcd1e6d1409760f1a20712ae2549dd17d17082

Download Submit
memory/2648-26-0x00000000001C0000-0x000000000025E000-memory.dmp

Filesize
632KB

Download
memory/2648-32-0x00000000001C0000-0x000000000025E000-memory.dmp

Filesize
632KB

Download
memory/2648-30-0x00000000001C0000-0x000000000025E000-memory.dmp

Filesize
632KB

Download
memory/2648-31-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2648-27-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/4060-17-0x0000000000800000-0x000000000086E000-memory.dmp

Filesize
440KB

Download
memory/4060-28-0x0000000000800000-0x000000000086E000-memory.dmp

Filesize
440KB

Download
memory/4060-10-0x0000000000800000-0x000000000086E000-memory.dmp

Filesize
440KB

Download
memory/5040-0-0x00000000007E0000-0x000000000084E000-memory.dmp

Filesize
440KB

Download
memory/5040-14-0x00000000007E0000-0x000000000084E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads