urelas | 5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d

General

Target

5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
Size

784KB
MD5

bbec813948c72f96a34ad5b3b10fd118
SHA1

03db2340afe0ae7d2d216edfc880ed36bfd6da9d
SHA256

5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d
SHA512

0c10dc61b10143e201660e20ac0fa4e4edb2ac1ffa7862d3e3572f923886e31669583498ee54ead67453724134ded9e6b4da1331a4b353e1c53215b40ffc4239
SSDEEP

12288:d7dL4AkwWNk82HAEGfKKBhVGT5OY8pgA65t8mv5pThkJ8HxW0d8GYEgn:d7dLBftJLW5YUWLrkJB0PJgn

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xeinny.exe5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exeiwyna.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	xeinny.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	iwyna.exe

Executes dropped EXE 3 IoCs

Processes:

iwyna.exexeinny.exekasow.exe

pid	Process
4396	iwyna.exe
2672	xeinny.exe
3212	kasow.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

kasow.execmd.exe5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exeiwyna.execmd.exexeinny.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kasow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwyna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeinny.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

kasow.exe

pid	Process
3212	kasow.exe
3212	kasow.exe
3212	kasow.exe
3212	kasow.exe
3212	kasow.exe
3212	kasow.exe
3212	kasow.exe
3212	kasow.exe
3212	kasow.exe
3212	kasow.exe
3212	kasow.exe
3212	kasow.exe
3212	kasow.exe
3212	kasow.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exeiwyna.exexeinny.exe

description	pid	Process	procid_target
PID 452 wrote to memory of 4396	452	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	82
PID 452 wrote to memory of 4396	452	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	82
PID 452 wrote to memory of 4396	452	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	82
PID 452 wrote to memory of 4520	452	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	83
PID 452 wrote to memory of 4520	452	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	83
PID 452 wrote to memory of 4520	452	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	83
PID 4396 wrote to memory of 2672	4396	iwyna.exe	85
PID 4396 wrote to memory of 2672	4396	iwyna.exe	85
PID 4396 wrote to memory of 2672	4396	iwyna.exe	85
PID 2672 wrote to memory of 3212	2672	xeinny.exe	95
PID 2672 wrote to memory of 3212	2672	xeinny.exe	95
PID 2672 wrote to memory of 3212	2672	xeinny.exe	95
PID 2672 wrote to memory of 2380	2672	xeinny.exe	96
PID 2672 wrote to memory of 2380	2672	xeinny.exe	96
PID 2672 wrote to memory of 2380	2672	xeinny.exe	96

C:\Users\Admin\AppData\Local\Temp\5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
"C:\Users\Admin\AppData\Local\Temp\5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:452
- C:\Users\Admin\AppData\Local\Temp\iwyna.exe
  "C:\Users\Admin\AppData\Local\Temp\iwyna.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Users\Admin\AppData\Local\Temp\xeinny.exe
    "C:\Users\Admin\AppData\Local\Temp\xeinny.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\kasow.exe
      "C:\Users\Admin\AppData\Local\Temp\kasow.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
0060e4975cf845bd00d5de94bf1cdfea

SHA1
d82ce6891701b3465487744951ecd11f6f825494

SHA256
346b13e0a7717327b1771e7a18e1892b78d92d2ecea5ce20d73c8bdb96a26889

SHA512
3f32c869e34399b08255d19c934e9e09ff18ba8c23e0788dddc3aa8551df349035530fb0c56d9646b1234e2d1d0f5e5a6044f20154d8f84887a80bdd2804783d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
f57ef2e2c519024a151ffdaac1a1f19b

SHA1
eb306100a0537b24fc6738f21a49f5a67c12e364

SHA256
6e1a6afc6fc6200d306b6a477dc1485a01d058c5ef9de8feb17f76965a7368be

SHA512
594a11983ad8bfd6945c06a6150453cc89df720a25eeb5fc505a54c76eeff75f911b334e6ccf0dae796ac15e2985600afd9fac8676df13dbababfbda54b350b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
01ca640b5fce34ac92369ae1015807bb

SHA1
669a074ae276ec4da38a629c7f153070bdd6f4fd

SHA256
80c7b8fda2378e9453685648f8941b6b3846d39480ca90299f779e0d1cc19294

SHA512
9881329c9f9f422e2801f0fd8f4a5545f6a25dfdab2c42f3197ad43cda26f07deb3d9f22fbd99aa8dc6b232304e80537a8773aa7f76a3dea79d6ce1ae6d94d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwyna.exe

Filesize
784KB

MD5
49f6a87331ff257ff12a2735519e6ce1

SHA1
c1767984c08ecf77f8dd0cd9d0ccaac5d4171770

SHA256
00f1712639e1a2af1807e7ad34641709d6636f1afc412c4969dd1dd58dba413c

SHA512
795470792cbb804dc88662345b4077231012fe4eb55279a0524fe028102cacb6ce110b1321eabc5addcafd48f7334485d6bf622850596a262d779dccbd5603a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kasow.exe

Filesize
601KB

MD5
fd9d256b8cfc34dd43426eb69d761f27

SHA1
e0ae26c50d8df084e40d1727a94c13f76166ba46

SHA256
fba174328c34182fd57e675ca564e52919a3c81ba9163bfe5a7bb75d5f8528a6

SHA512
15568af137458ee85ccbbcef40e38000f0e641b45084354d4efbabd6f7271e3213ce50b4d38a209168b365e3fe80c3dd8b25c26933eb1779c7ad9b2a44aeb97c

Download Submit
memory/452-14-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/452-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2672-25-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2672-39-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3212-38-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/3212-43-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/4396-23-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads