urelas | e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0

General

Target

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
Size

440KB
MD5

a40cb26479ed7aa42946772c7b2e7021
SHA1

b768c64e7ba1bb171ac3d0acf1a43390f1d214bf
SHA256

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0
SHA512

d60f24ca50d22575a1fdd28636ea6238e5da657a6a9d4ea07eb2a117eef59e4bbe7c442ff9318feeb534779cc6f37a9e743d18eb54b21ed2bd0eeab67c046f22
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjP:oMpASIcWYx2U6hAJQng

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exewyruf.exeicqyfy.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wyruf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	icqyfy.exe

Executes dropped EXE 3 IoCs

Processes:

wyruf.exeicqyfy.exeonsud.exe

pid	Process
3468	wyruf.exe
2316	icqyfy.exe
4908	onsud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exewyruf.execmd.exeicqyfy.exeonsud.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyruf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icqyfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onsud.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

onsud.exe

pid	Process
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe
4908	onsud.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exewyruf.exeicqyfy.exe

description	pid	Process	procid_target
PID 5008 wrote to memory of 3468	5008	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	84
PID 5008 wrote to memory of 3468	5008	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	84
PID 5008 wrote to memory of 3468	5008	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	84
PID 5008 wrote to memory of 3768	5008	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	85
PID 5008 wrote to memory of 3768	5008	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	85
PID 5008 wrote to memory of 3768	5008	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	85
PID 3468 wrote to memory of 2316	3468	wyruf.exe	87
PID 3468 wrote to memory of 2316	3468	wyruf.exe	87
PID 3468 wrote to memory of 2316	3468	wyruf.exe	87
PID 2316 wrote to memory of 4908	2316	icqyfy.exe	97
PID 2316 wrote to memory of 4908	2316	icqyfy.exe	97
PID 2316 wrote to memory of 4908	2316	icqyfy.exe	97
PID 2316 wrote to memory of 3880	2316	icqyfy.exe	98
PID 2316 wrote to memory of 3880	2316	icqyfy.exe	98
PID 2316 wrote to memory of 3880	2316	icqyfy.exe	98

C:\Users\Admin\AppData\Local\Temp\e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
"C:\Users\Admin\AppData\Local\Temp\e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Local\Temp\wyruf.exe
  "C:\Users\Admin\AppData\Local\Temp\wyruf.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\icqyfy.exe
    "C:\Users\Admin\AppData\Local\Temp\icqyfy.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\onsud.exe
      "C:\Users\Admin\AppData\Local\Temp\onsud.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
41d43c9fe9e70f7707f850bcf69b5480

SHA1
b4705ee8272c2fb66936be9e160b23fef278ac24

SHA256
a3f6074738dbc7d6fdc98877ffe4a601cff2ccddc15ad2499678119825aad2d7

SHA512
46f36eb75390e1bf18ee26734060030d01be8ca1b51f4a914e18b2b8f78ab1aabe819a4843039410259e74a232188aaad0dfaaa83fbf458707e1278fc04f76ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
b23730e95b71c653c3d0a3bea8724c5d

SHA1
b13f909a42dc9d13082f543aef1e53adaad821f3

SHA256
e1f01373c6afddad4b3ba7a3c78e2e0e09147366cf7708d28e3daae5cc2cfcc0

SHA512
e4bdecdfb3df8b3f168f6381e8abfa618bd517ab3cdc549c16bf22b68baf2827dd4322012e57978869298cd03f8ac4c8401015e4bade9fc31b4c19aafed6dc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b601a4661abf06e350f24fcfe0a41dae

SHA1
023b36474e23901e7678b5dccbde2935a8ed9dc4

SHA256
d9ef5117214ea96f0aa1694602eaefdd0e18a24942e13acea2534537baf95e89

SHA512
59db2fdf1769eca7e44e2066eb10f03ca8512ae79a8dcf29a32d19e8b2c5c7f7c6cfb94cef046c05ed0d7c80e93b6b6f1bb809eee937b031c1164db7e2811f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\icqyfy.exe

Filesize
440KB

MD5
f08922f8edf8c6f77cadc419f1ee63b7

SHA1
9485bfcb8821ac74b6c65fa0c9b7f458d181533e

SHA256
1a3069db8e59bc074a293acfbb086c5b549f00624a4bcd01a4150db820dc8a13

SHA512
69a8fd002ed1ab74665413dfa1da19f5dfd2dfca4cd66c868cc063ba473ae69bda4a7eff64a209e8c302f17373c69d40bacd54841a0b8592f3a360003e19615c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onsud.exe

Filesize
223KB

MD5
056dc6df1609cb736f7e34d951b29cbc

SHA1
90b5aa8088a5b50079502308e1834f40de02ccd6

SHA256
a868f792e033937e93f8fb3c6f7974012adc67ca6130f56779134cc6d36e4176

SHA512
947537db8c9c83912d1c3a59c3a5c9b82291ac428ac57890a8c4250d97fa0f9faa09c0b6d6e13f1f6c545dce8eedf92f0657d75d8092b569e8eea954af519279

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyruf.exe

Filesize
440KB

MD5
9e2162a7e71615061a137e3b973e69e1

SHA1
92c85c46b84bf9263e53e23c4c2eea13ffcef02c

SHA256
7926be64e81a49a1e7d22d25dcdc9d2de75cd44131b7f0a6021874a9a979a04e

SHA512
ab4fa7ae0dc6a51dbb1c326c29db5316a29959c71638c380e4af72874daebf623e28f9100105934ede8c0782556455ecdaaf0c2fd5be26394127724f1238a452

Download Submit
memory/2316-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2316-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3468-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4908-36-0x0000000000FC0000-0x0000000001060000-memory.dmp

Filesize
640KB

Download
memory/4908-41-0x0000000000FC0000-0x0000000001060000-memory.dmp

Filesize
640KB

Download
memory/4908-42-0x0000000000FC0000-0x0000000001060000-memory.dmp

Filesize
640KB

Download
memory/5008-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5008-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads