urelas | a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528

General

Target

a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe
Size

442KB
MD5

0e97fb91d36776868935265a493c0020
SHA1

f30211f2bcf09fc58dd129f454b38c2fc54e7618
SHA256

a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528
SHA512

16f21fabc16f2026793163b07232280f47d620661cbe50661568eff65aa54131b172645e7bcfb4cb0bf731b24a831c74f1b34c9f2dacf7e57773c6565f2ac275
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGM5:rKf1PyKa2H3hOHOHz9JQ6zBA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exenypop.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	nypop.exe

Executes dropped EXE 2 IoCs

Processes:

nypop.exeikmab.exe

pid process

3064 nypop.exe
2356 ikmab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3064	nypop.exe
2356	ikmab.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exenypop.execmd.exeikmab.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nypop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ikmab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ikmab.exe

pid	process
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe
2356	ikmab.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exenypop.exe

description	pid	process	target process
PID 224 wrote to memory of 3064	224	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	nypop.exe
PID 224 wrote to memory of 3064	224	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	nypop.exe
PID 224 wrote to memory of 3064	224	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	nypop.exe
PID 224 wrote to memory of 1716	224	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	cmd.exe
PID 224 wrote to memory of 1716	224	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	cmd.exe
PID 224 wrote to memory of 1716	224	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	cmd.exe
PID 3064 wrote to memory of 2356	3064	nypop.exe	ikmab.exe
PID 3064 wrote to memory of 2356	3064	nypop.exe	ikmab.exe
PID 3064 wrote to memory of 2356	3064	nypop.exe	ikmab.exe

C:\Users\Admin\AppData\Local\Temp\a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe
"C:\Users\Admin\AppData\Local\Temp\a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\nypop.exe
  "C:\Users\Admin\AppData\Local\Temp\nypop.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\ikmab.exe
    "C:\Users\Admin\AppData\Local\Temp\ikmab.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3a634cc49790e2bc9da2bb9f70159dc2

SHA1
251cd153f8976c0b814612a394a0c5a10d1dff3c

SHA256
52146206755f0b2026399fd33daa8bbb9a41a6d33aa254383c45768dccad637a

SHA512
04d1e50cbf6391023bde91645d657a564e531c8db14051189019874da56fbb647704b95265ee57984800a4099727625549e26b406735b875153232439a2b6392

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d993e9aa0b34ba2f905845244c1fd42e

SHA1
9430721aa8a1802dd30eea7138d3d88f58f51709

SHA256
e87547a428d4997da4614bba50b4287162afbcead06362485ae68f4083fa7365

SHA512
fba0a7db84313e7191de4432513cf8fb91e88ef521adc13d40c79c0aa5c04e451472fe4d950eb9be61f462e8c4a5e3c5414dd584d4a7dcb38f9b1207f708c121

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikmab.exe

Filesize
230KB

MD5
d63be1c553b900359d4bd7a189fb4881

SHA1
7ac1a915fa64628ea35998b8d1d39d77d99d22d0

SHA256
7b860addc20d7387cdb690743aeacebe1a9f6f4259476b0f63779d77fbfade67

SHA512
2cfc7c47c44164163aacb1142bd67c4d53655b40cb06099b5d0a7c0167650a53520c2eb8a46d5ed25282ad90a2ae2d1ad13fde864b0112882fa7a384235d8823

Download Submit
C:\Users\Admin\AppData\Local\Temp\nypop.exe

Filesize
442KB

MD5
e8bd40d834039d7d1bfe2a58c03eb6d6

SHA1
532c0ed661970cf0fb4a3fd796fedb9e5a3286fe

SHA256
f2e92ae388319339bf21517a2338c40973ed9b1a0ef603a0e9ca42993f476c61

SHA512
38707d9427ff7d6314674bdc3af902454970dccba9fb2acb011f48f64371fbda07c75df473b3f911c6f7eb08f9ab8692ccb90964b6a5de6f330bf6a25d23d4bf

Download Submit
memory/224-0-0x0000000000BE0000-0x0000000000C4E000-memory.dmp

Filesize
440KB

Download
memory/224-14-0x0000000000BE0000-0x0000000000C4E000-memory.dmp

Filesize
440KB

Download
memory/2356-30-0x0000000000530000-0x00000000005CE000-memory.dmp

Filesize
632KB

Download
memory/2356-26-0x0000000000530000-0x00000000005CE000-memory.dmp

Filesize
632KB

Download
memory/2356-27-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2356-31-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2356-32-0x0000000000530000-0x00000000005CE000-memory.dmp

Filesize
632KB

Download
memory/2356-33-0x0000000000530000-0x00000000005CE000-memory.dmp

Filesize
632KB

Download
memory/2356-34-0x0000000000530000-0x00000000005CE000-memory.dmp

Filesize
632KB

Download
memory/2356-35-0x0000000000530000-0x00000000005CE000-memory.dmp

Filesize
632KB

Download
memory/3064-17-0x0000000000020000-0x000000000008E000-memory.dmp

Filesize
440KB

Download
memory/3064-28-0x0000000000020000-0x000000000008E000-memory.dmp

Filesize
440KB

Download
memory/3064-12-0x0000000000020000-0x000000000008E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads