urelas | 177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9

General

Target

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
Size

553KB
MD5

d6c7c30a81e11dc1c86a310a1ae80961
SHA1

7c363777198b30a0f8e90df768f51396eb3d78a1
SHA256

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9
SHA512

d85a4cef7b216f99e0da92b8b147659ec18e3e5ae17dcb4014aca1d599464e44bc0ca7d78bc2ac3f7f345e2270416f7a35693aa325df50690275924b2f7b2caf
SSDEEP

12288:++GtVfjTQSaoINAHT1VQ1i3SyQEW85gzlee:+rt4/NArwjs5olB

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exexyhis.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	xyhis.exe

Executes dropped EXE 2 IoCs

Processes:

xyhis.exezoebe.exe

pid process

2428 xyhis.exe
5112 zoebe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4928 5112 WerFault.exe zoebe.exe
4448 5112 WerFault.exe zoebe.exe

pid	process
2428	xyhis.exe
5112	zoebe.exe

pid	pid_target	process	target process
4928	5112	WerFault.exe	zoebe.exe
4448	5112	WerFault.exe	zoebe.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exexyhis.execmd.exezoebe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xyhis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zoebe.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exexyhis.exe

description	pid	process	target process
PID 1192 wrote to memory of 2428	1192	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	xyhis.exe
PID 1192 wrote to memory of 2428	1192	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	xyhis.exe
PID 1192 wrote to memory of 2428	1192	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	xyhis.exe
PID 1192 wrote to memory of 1168	1192	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	cmd.exe
PID 1192 wrote to memory of 1168	1192	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	cmd.exe
PID 1192 wrote to memory of 1168	1192	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	cmd.exe
PID 2428 wrote to memory of 5112	2428	xyhis.exe	zoebe.exe
PID 2428 wrote to memory of 5112	2428	xyhis.exe	zoebe.exe
PID 2428 wrote to memory of 5112	2428	xyhis.exe	zoebe.exe

C:\Users\Admin\AppData\Local\Temp\177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
"C:\Users\Admin\AppData\Local\Temp\177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\xyhis.exe
  "C:\Users\Admin\AppData\Local\Temp\xyhis.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\zoebe.exe
    "C:\Users\Admin\AppData\Local\Temp\zoebe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 216
      4⤵
      Program crash
      PID:4928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 256
      4⤵
      Program crash
      PID:4448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5112 -ip 5112
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5112 -ip 5112
1⤵
PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
0f8b90ae5876106b0173d2f6bb3c96c3

SHA1
44ae65b3871372c78bc3a6ac75e146a2e010026b

SHA256
e342bf119c88732bbedd6943e31f01255614c34f20079e5958da30a96e802910

SHA512
ebcc4af2c96e6c919594316d1317e3b2cd471774f030bd645ada4d8a3c6010a36b582df29c4e8b83a39ffd779373ac8411931c77931052ddcfa9e0b5f5bdebf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ce0accb1a785c68c0a016b96544008f9

SHA1
d0d0a7cdc490c83f0333cfb4d7eb69da94dbf597

SHA256
e953ee74265cbc9a753337f02a5327d66fa5d2b9737dccc342a72f525437efae

SHA512
1a6a01691abecf7a32cb61c6c1d1ba299479d2558c107688409036d152f18e2aad04b7a205102eb2aeea64973ea4a26637815f9b571153b318c9c82f6a0b3afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyhis.exe

Filesize
553KB

MD5
850d16733f8f9109d38da3499366226b

SHA1
e868a6bf62358a632d52a0a671cc940a4b337898

SHA256
4d53dda4770c51735c8879754bd083adbae5efd9498bdd5300ff589840b12697

SHA512
c0e01d900bd199a8f6a00455a94724e0465b7540018c0356360b151d0fe1c1bc975831eff3deb082583c062fca3e2ee3b87b1c6d1fd842a3fcc4c2d53f11e8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoebe.exe

Filesize
231KB

MD5
e9118abbb3cb91516f3eeee5fbbf908c

SHA1
4c44a393ea3e9565333d605881208950e158753c

SHA256
a4047c8a5744f71e3b2bac2caef73a8ad9a32d9720116a31b28dda4406e6beeb

SHA512
9b535a639988f36c3f0a79f95a4bc4999d4d3f3fc9f4c26169f0866434d7cda6dc3fee50c1b13ca13b658fc90add23251be651b3d43d1027d2d32bca369f1a8e

Download Submit
memory/1192-0-0x0000000000640000-0x00000000006CF000-memory.dmp

Filesize
572KB

Download
memory/1192-14-0x0000000000640000-0x00000000006CF000-memory.dmp

Filesize
572KB

Download
memory/2428-10-0x0000000000FC0000-0x000000000104F000-memory.dmp

Filesize
572KB

Download
memory/2428-17-0x0000000000FC0000-0x000000000104F000-memory.dmp

Filesize
572KB

Download
memory/2428-27-0x0000000000FC0000-0x000000000104F000-memory.dmp

Filesize
572KB

Download
memory/5112-26-0x0000000000D60000-0x0000000000E13000-memory.dmp

Filesize
716KB

Download
memory/5112-28-0x0000000000D60000-0x0000000000E13000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads