urelas | 2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7

General

Target

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe
Size

327KB
MD5

8683596a79ee62e258067bbadaa4e0b0
SHA1

2804b7a54623958f9feae3720d47cf43d190301c
SHA256

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7
SHA512

776cf6027bfa30d32fb61e54cbed0e9a34a9e20e6645f83cf2e434952a7b9c641410b81ddd816570c41449ce30e90b33b21041d34ba43419526b9ff664fbc97d
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYQ:vHW138/iXWlK885rKlGSekcj66ciR

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	tuvor.exe

Executes dropped EXE 2 IoCs

pid	Process
2584	tuvor.exe
1148	hojyd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tuvor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hojyd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe
1148	hojyd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2584	1604	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe	84
PID 1604 wrote to memory of 2584	1604	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe	84
PID 1604 wrote to memory of 2584	1604	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe	84
PID 1604 wrote to memory of 4268	1604	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe	85
PID 1604 wrote to memory of 4268	1604	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe	85
PID 1604 wrote to memory of 4268	1604	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe	85
PID 2584 wrote to memory of 1148	2584	tuvor.exe	105
PID 2584 wrote to memory of 1148	2584	tuvor.exe	105
PID 2584 wrote to memory of 1148	2584	tuvor.exe	105

C:\Users\Admin\AppData\Local\Temp\2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe
"C:\Users\Admin\AppData\Local\Temp\2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\tuvor.exe
  "C:\Users\Admin\AppData\Local\Temp\tuvor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\hojyd.exe
    "C:\Users\Admin\AppData\Local\Temp\hojyd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
2692d637d7f78045fac9c30c287958a8

SHA1
844e93e562fc43a9dd54f33dbbda9a45c563a822

SHA256
92a03c86295ab5505d930e81c1e20f12a980f6d7b35072df17e6ade92a27c06c

SHA512
697903d1820b0303b98af5a95cba388670e7bddaa83670260f5e21cafe534beb54e042ae265c9d03c82c5bda3bd5995b8e31e35193da7a1b62c97a07bc61e0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
88ae6ada5d741930ad0d25d2eab9ea0e

SHA1
c9b07534859f7bbe665105acb15d76e5a1fa23b6

SHA256
450fdef2338426f06a331231fd6935e7e43a70a5084145b51f949dfcb0e530b9

SHA512
f4e34ed6033e90a802c3c5b2849af6aa5576a670f6f91dc3395484c62930027aac18f04f7ef80a049c22bf75eb7402f76140caf6e58e39d658dd5801ee6db82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hojyd.exe

Filesize
172KB

MD5
eb8feb85841ade2e95a3bc9441115ed7

SHA1
b3c054ace42d72374b46cf4b889794bbe0da925f

SHA256
eb19a1de70629a8a4600e8a7e18290eeaaede4bbff996b31cd53efb2b769738a

SHA512
562dfa6caebb6d038bf1e6805f2678e7dd8cba4c37f49b58d0b314d47172de81087772640b54d6c003ce80f55a75795d3b4f4fad90d9b9bb7833db4d4ac0dd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuvor.exe

Filesize
327KB

MD5
db1e640e994b133bdfefc397ce10d7eb

SHA1
de4f0b3a51251aa064e31e7375dd91e3385039c6

SHA256
c83505c4da6880173b8033984d8b841abd8b5875648a9cc53785b60248dc3609

SHA512
c36eee6f2bb8d084d2e279fd4115a3df8b88d1439d3e6c074e59ecd28a06152a02cb2a813d0b1fab598a92ba7772252ab509772e525f2ba0bba80afd6fc757d5

Download Submit
memory/1148-47-0x0000000000FF0000-0x0000000001089000-memory.dmp

Filesize
612KB

Download
memory/1148-46-0x0000000000FF0000-0x0000000001089000-memory.dmp

Filesize
612KB

Download
memory/1148-37-0x0000000000FF0000-0x0000000001089000-memory.dmp

Filesize
612KB

Download
memory/1148-45-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/1148-41-0x0000000000FF0000-0x0000000001089000-memory.dmp

Filesize
612KB

Download
memory/1148-38-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/1604-17-0x0000000000730000-0x00000000007B1000-memory.dmp

Filesize
516KB

Download
memory/1604-0-0x0000000000730000-0x00000000007B1000-memory.dmp

Filesize
516KB

Download
memory/1604-1-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/2584-14-0x0000000000C20000-0x0000000000CA1000-memory.dmp

Filesize
516KB

Download
memory/2584-43-0x0000000000C20000-0x0000000000CA1000-memory.dmp

Filesize
516KB

Download
memory/2584-20-0x0000000000C20000-0x0000000000CA1000-memory.dmp

Filesize
516KB

Download
memory/2584-11-0x0000000000C20000-0x0000000000CA1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing