urelas | e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689

General

Target

e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe
Size

425KB
MD5

efd780ff0685a16488a3e464a7585376
SHA1

b50b621d019b381f3c38911ce046ec4652d9e27e
SHA256

e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689
SHA512

41f7e68639461047f158a27e7abb113724a7d51d4308add6ab9f320d1360aabb4f906fb1544c7c5f8c56379be84130d4ca522b9869ed963a106adf86fc335a60
SSDEEP

6144:NKLOgsgomKLEFESGz0SPpeEPkPDPrzgtRY5RdrHc13FG9ItU6GvPwX:AOgwmisETzuaeDPvjJ81VGqK6GvPc

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	uwgoa.exe

Executes dropped EXE 2 IoCs

pid	Process
3988	uwgoa.exe
4348	tuyrg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uwgoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tuyrg.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe
4348	tuyrg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 3988	3232	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe	84
PID 3232 wrote to memory of 3988	3232	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe	84
PID 3232 wrote to memory of 3988	3232	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe	84
PID 3232 wrote to memory of 5116	3232	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe	85
PID 3232 wrote to memory of 5116	3232	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe	85
PID 3232 wrote to memory of 5116	3232	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe	85
PID 3988 wrote to memory of 4348	3988	uwgoa.exe	94
PID 3988 wrote to memory of 4348	3988	uwgoa.exe	94
PID 3988 wrote to memory of 4348	3988	uwgoa.exe	94

C:\Users\Admin\AppData\Local\Temp\e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe
"C:\Users\Admin\AppData\Local\Temp\e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Users\Admin\AppData\Local\Temp\uwgoa.exe
  "C:\Users\Admin\AppData\Local\Temp\uwgoa.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\tuyrg.exe
    "C:\Users\Admin\AppData\Local\Temp\tuyrg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
0f3f0f5f07952b159057253d66bf2e11

SHA1
ee3b57ac1a1f0d868eb41a73309f221be0ada99e

SHA256
fcf9d283f50dfadfafae5016fdb2664d867cb7f29d3ca58f41336445af1783e0

SHA512
8a702d4fff71ec72dd6749f21a1c1ec8f341672963fa0e5ccb4d532d67619f19bbdbde7ac43b9bd08ef758476ee487c996f057504f1fa0d8b99616bc15694b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a9016ba1f5163d0ac70278d140e61955

SHA1
11bf5d89710e62e23a88db6d5f3d28dd6e26c1b6

SHA256
bdafc196f1b5edac5d8672083e1b030b476336d8e8cafcc220f4fb1a37534580

SHA512
2a2d532e6c04ea58848cba323e8af834e2e9661b542d9c4804adc99280689b2365ee1a9fdcb700a491d9e9b867b8b459cb514cb92ecb691d3946ec708f7674a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuyrg.exe

Filesize
179KB

MD5
84c4fce7548d6878f810d5e3530aacc2

SHA1
a5c847a00827349952e9611872546d50b1b37c40

SHA256
03b928b3b31ce39523005001b5ebd1b4c99b268e1b994b20aa49820c520da0b8

SHA512
3840727e783171afb8f055f20671833c8dc23c45aae450aef854694da63cd0303e977ea8c413c28c3f3817d0166c9dd49b51615615e05dbcc80db4a0d151f7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwgoa.exe

Filesize
425KB

MD5
75b1e1e2ddf5d7ad28d61c04a07a0a3a

SHA1
09d64f250ef3a945944e297fe94fd3b8352463ee

SHA256
73e50275b84680cc35515acd4dcb0faf93823efc40246ca9b57a06c89921b2e4

SHA512
c506040f9cb8ce3bdb8c04fcbed07eaab6a5e72a0f2617d2b7416266c787237caebd3b319e3e5e0474f331993e35ec671c4b7c7cf42ed507b5d4f483651e15bd

Download Submit
memory/3232-17-0x0000000000610000-0x0000000000649000-memory.dmp

Filesize
228KB

Download
memory/3232-1-0x0000000000D10000-0x0000000000D12000-memory.dmp

Filesize
8KB

Download
memory/3232-0-0x0000000000610000-0x0000000000649000-memory.dmp

Filesize
228KB

Download
memory/3988-14-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/3988-13-0x0000000000E70000-0x0000000000EA9000-memory.dmp

Filesize
228KB

Download
memory/3988-20-0x0000000000E70000-0x0000000000EA9000-memory.dmp

Filesize
228KB

Download
memory/3988-39-0x0000000000E70000-0x0000000000EA9000-memory.dmp

Filesize
228KB

Download
memory/4348-37-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4348-41-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4348-42-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4348-43-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing