urelas | a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528

General

Target

a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe
Size

442KB
MD5

0e97fb91d36776868935265a493c0020
SHA1

f30211f2bcf09fc58dd129f454b38c2fc54e7618
SHA256

a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528
SHA512

16f21fabc16f2026793163b07232280f47d620661cbe50661568eff65aa54131b172645e7bcfb4cb0bf731b24a831c74f1b34c9f2dacf7e57773c6565f2ac275
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGM5:rKf1PyKa2H3hOHOHz9JQ6zBA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exeyvdoz.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	yvdoz.exe

Executes dropped EXE 2 IoCs

Processes:

yvdoz.exemicok.exe

pid	Process
2548	yvdoz.exe
4336	micok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exeyvdoz.execmd.exemicok.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	micok.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

micok.exe

pid	Process
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe
4336	micok.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exeyvdoz.exe

description	pid	Process	procid_target
PID 4768 wrote to memory of 2548	4768	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	83
PID 4768 wrote to memory of 2548	4768	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	83
PID 4768 wrote to memory of 2548	4768	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	83
PID 4768 wrote to memory of 4872	4768	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	84
PID 4768 wrote to memory of 4872	4768	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	84
PID 4768 wrote to memory of 4872	4768	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	84
PID 2548 wrote to memory of 4336	2548	yvdoz.exe	103
PID 2548 wrote to memory of 4336	2548	yvdoz.exe	103
PID 2548 wrote to memory of 4336	2548	yvdoz.exe	103

C:\Users\Admin\AppData\Local\Temp\a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe
"C:\Users\Admin\AppData\Local\Temp\a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\yvdoz.exe
  "C:\Users\Admin\AppData\Local\Temp\yvdoz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\micok.exe
    "C:\Users\Admin\AppData\Local\Temp\micok.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3a634cc49790e2bc9da2bb9f70159dc2

SHA1
251cd153f8976c0b814612a394a0c5a10d1dff3c

SHA256
52146206755f0b2026399fd33daa8bbb9a41a6d33aa254383c45768dccad637a

SHA512
04d1e50cbf6391023bde91645d657a564e531c8db14051189019874da56fbb647704b95265ee57984800a4099727625549e26b406735b875153232439a2b6392

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
af74b8841b96b54f06f3cb5d5800f544

SHA1
74a7552741e0a1e3226f4919ea00c2e656f2bc75

SHA256
76e6e7e554046549175d87c2c63163e29a1e47505ca4b3676bcf9541b3c1a873

SHA512
99ed0f41da659827c880bcbc3fed78968679d76de562caab5d0be88d42606a6cfaf2aa121230cd93e593f5c880d39f7bf19575f3e6af3fea68c1d5bcca164dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\micok.exe

Filesize
230KB

MD5
48b4fb9d30b24d6fececb1895e7a6eac

SHA1
245666d645b1af55f00fed270157fa6fe228a3fd

SHA256
6c3d161e55b28b97669ed049b9eef3e40c1caab9f328d897631a7b7a6b15bc03

SHA512
162ca9a082c223152db04d29a8d42aceba2e5f1d54382eeb2cb86f0fca317237f2fdc9fbf5ac3bbedcfaee15d9524f9005ad1f754038ee66c8b954478bab61df

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvdoz.exe

Filesize
442KB

MD5
0add5de7dde4a72cbedd50bc9a4c136e

SHA1
eaf9b88c99e28d079dff153ce35178ed370cfded

SHA256
39af29f940c69f4aeb681d5f114550e41e713ef5126b38c4efa9400a01da532b

SHA512
2cac2669b6fae34c2f9128e9c7ebcad0112ded2b26c0274bde827c335e8c669d66951885bf737493fd70c18f41d421b410460539c90ba52cf508096a9417e272

Download Submit
memory/2548-12-0x00000000003C0000-0x000000000042E000-memory.dmp

Filesize
440KB

Download
memory/2548-28-0x00000000003C0000-0x000000000042E000-memory.dmp

Filesize
440KB

Download
memory/2548-17-0x00000000003C0000-0x000000000042E000-memory.dmp

Filesize
440KB

Download
memory/4336-26-0x0000000000460000-0x00000000004FE000-memory.dmp

Filesize
632KB

Download
memory/4336-27-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/4336-31-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/4336-30-0x0000000000460000-0x00000000004FE000-memory.dmp

Filesize
632KB

Download
memory/4336-32-0x0000000000460000-0x00000000004FE000-memory.dmp

Filesize
632KB

Download
memory/4768-0-0x0000000000070000-0x00000000000DE000-memory.dmp

Filesize
440KB

Download
memory/4768-14-0x0000000000070000-0x00000000000DE000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads