urelas | 03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865

General

Target

03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe
Size

537KB
MD5

cd8f8d72550c4fc793b2da453251ae5a
SHA1

7856e981408deea7ff865db131f03b7417175c38
SHA256

03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865
SHA512

815d0a545504969a977aea9c6c976532275344a5f556cabe57f4a5f683fd02054f54fe01cd1d77412f25edd254363fdb3f24d47282529a1d80cf7de438e4e8fb
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP3:q0P/k4lb2wKat3

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exenyefa.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	nyefa.exe

Executes dropped EXE 2 IoCs

Processes:

nyefa.exeqoyms.exe

pid	Process
4940	nyefa.exe
1264	qoyms.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeqoyms.exe03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exenyefa.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoyms.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nyefa.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

qoyms.exe

pid	Process
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe
1264	qoyms.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exenyefa.exe

description	pid	Process	procid_target
PID 3676 wrote to memory of 4940	3676	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	83
PID 3676 wrote to memory of 4940	3676	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	83
PID 3676 wrote to memory of 4940	3676	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	83
PID 3676 wrote to memory of 2320	3676	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	84
PID 3676 wrote to memory of 2320	3676	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	84
PID 3676 wrote to memory of 2320	3676	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	84
PID 4940 wrote to memory of 1264	4940	nyefa.exe	104
PID 4940 wrote to memory of 1264	4940	nyefa.exe	104
PID 4940 wrote to memory of 1264	4940	nyefa.exe	104

C:\Users\Admin\AppData\Local\Temp\03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe
"C:\Users\Admin\AppData\Local\Temp\03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Users\Admin\AppData\Local\Temp\nyefa.exe
  "C:\Users\Admin\AppData\Local\Temp\nyefa.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\qoyms.exe
    "C:\Users\Admin\AppData\Local\Temp\qoyms.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
37dac236676a663a57ed8089ca8225f7

SHA1
0a5b5119067a9dcb2a19f3b0a1732527c857e664

SHA256
b9130b9721de831ae89992a64bef70d6d7561403b4f45903c8f534da6cebf059

SHA512
bfbb2da2f9d9929105308462d60c1ba9e3fe1819d89e8f216744a68baf9fcee225eb9bf1efcaad6d46a6dc2bd7ab55649756d48705105efac2fad4942746ec5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
19d22314e5a762d2b53d831644eb79c5

SHA1
f1c0cfd589fd474b2c232a616da67ffce2654d9d

SHA256
41f7b05a98cc4d86e28b55be5451e89b849884375d1907948fba044ccf0c5fa9

SHA512
7619a39a316790474e1747492d9b00be297ae1928b3f89b7393b2a0713b9c86f0358d59008bad6fa9e4cce5098b49d619a839580778570818220e3c17f487bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyefa.exe

Filesize
537KB

MD5
8006123a4afef79c6ab5948aa6050683

SHA1
cde5e047f28c12d278a1da24bee45da1cc7a9a56

SHA256
eba91705bd52dc6bd2e7347bfb1054f174e873c13b86869c644f47e4b9a97a14

SHA512
67c769e1bca0e80b56f13935e10c92cb0902584b333205edeeab19268aec664f6c71c2ae583c565d741669f6916c9e4258af01152b352f2eb1a13b9f5efc7a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoyms.exe

Filesize
236KB

MD5
d311526ac2a3c8aac8d94ead095f1758

SHA1
8d9d77d2199fab8e0ff8995404c956dad601983b

SHA256
ce0deb9564558e6aad01ab20f711c3cf194f09c09627c794c8faa9460717b53c

SHA512
3b42ae74ec1e47fea5248488dcca3cbff95715f3c0a8f075e1d10d7c66d6104d41635c9c66416e062ba97aed2ba6a486609e883e4b126c1da0cb2f199128ba85

Download Submit
memory/1264-25-0x0000000000450000-0x00000000004F3000-memory.dmp

Filesize
652KB

Download
memory/1264-31-0x0000000000450000-0x00000000004F3000-memory.dmp

Filesize
652KB

Download
memory/1264-30-0x0000000000450000-0x00000000004F3000-memory.dmp

Filesize
652KB

Download
memory/1264-27-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/3676-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3676-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4940-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4940-28-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4940-12-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads