urelas | e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113

General

Target

e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe
Size

533KB
MD5

d0b820b8854a6713fa4ca98a72441157
SHA1

afd9ecb1355f66c507294bc3f7667e61dc902f69
SHA256

e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113
SHA512

6712db2173af63d253b06af6ab58c193683ed970eb4c4ecb3cad4c9d8d69eb6591bc6c77ed8295957e5a7e15d4fa8f6a5e49c4779eb52b50038142be5e1f2d26
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP8:q0P/k4lb2wKat8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exexoacg.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	xoacg.exe

Executes dropped EXE 2 IoCs

Processes:

xoacg.exepujys.exe

pid	Process
1668	xoacg.exe
3092	pujys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exepujys.exee1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exexoacg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pujys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoacg.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

pujys.exe

pid	Process
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe
3092	pujys.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exexoacg.exe

description	pid	Process	procid_target
PID 3976 wrote to memory of 1668	3976	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	83
PID 3976 wrote to memory of 1668	3976	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	83
PID 3976 wrote to memory of 1668	3976	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	83
PID 3976 wrote to memory of 4404	3976	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	84
PID 3976 wrote to memory of 4404	3976	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	84
PID 3976 wrote to memory of 4404	3976	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	84
PID 1668 wrote to memory of 3092	1668	xoacg.exe	103
PID 1668 wrote to memory of 3092	1668	xoacg.exe	103
PID 1668 wrote to memory of 3092	1668	xoacg.exe	103

C:\Users\Admin\AppData\Local\Temp\e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe
"C:\Users\Admin\AppData\Local\Temp\e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Local\Temp\xoacg.exe
  "C:\Users\Admin\AppData\Local\Temp\xoacg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\pujys.exe
    "C:\Users\Admin\AppData\Local\Temp\pujys.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
7b52d06d75d584f893caa0360974f8bf

SHA1
d5a239225dfd50d20337283adcd31ae8ccf860c8

SHA256
43b69aee365c7c59018d2457e278dddaa48cabd8a32bb4f87ef707fa5addc371

SHA512
be019af072302252e89f38cc9457e7b36f792297b834d375be0ca595ae3a715fe2fa1f68fe0654c23e1288eb1c483b74defa680ab69c0e360083ae4b54429e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7a9c5ee11b34837075d113eda5b49ff9

SHA1
6d747a68df5658bb39eda94da2dff15cb1a2dba1

SHA256
3992f59aeb539161ffc1d61d9aa96ec6d8753deb465802580db323fd41d77c6f

SHA512
04cfd3b1d2944db69ebc6a7dc3c0e38518c5379d5708e677544c3855c7449ae7f929fe98d7492c97ca7f7804330a53149a8738189a965795844f50750db7a94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pujys.exe

Filesize
236KB

MD5
4e5fad57406be960fb9b49fc4de89085

SHA1
f1e9ac601f83414a2267f69fb9d3eb0e6346f880

SHA256
6e0e380197222d64ed0c5239617732a47aa22e807ceef94c5ca066052dc2da08

SHA512
63e505588110cfda9e2af718ce6d62be188d958e8f40c88e833dc03b02d8c9e6d2ad859239ebb22edbb13c87015f7f22cc7f861acf235da4b60f63356e1a3490

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoacg.exe

Filesize
533KB

MD5
0c96946607304c99e6ca75de5354ba80

SHA1
e2625d349f65e25dc789cb55f15c0f0d47aea0fa

SHA256
29c53530ee0a40b1953cdee1adc9b67365c123ebc41992946451756f2b962c3b

SHA512
ea14b32404d50cea231c5832ae70714daa473dc2841488fae0ddac571fb44f384ff6319360bd86d05ce27031bd320b4fe7cd17f0f70b1ac909b055ebec88a381

Download Submit
memory/1668-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1668-27-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3092-25-0x0000000000F40000-0x0000000000FE3000-memory.dmp

Filesize
652KB

Download
memory/3092-26-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/3092-29-0x0000000000F40000-0x0000000000FE3000-memory.dmp

Filesize
652KB

Download
memory/3092-30-0x0000000000F40000-0x0000000000FE3000-memory.dmp

Filesize
652KB

Download
memory/3976-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3976-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads