urelas | 4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535

General

Target

4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe
Size

341KB
MD5

ef13ce416ef6241e97b9204da5a97f80
SHA1

a5a5dc9810661beacbcf7c89f170ba23d13b5ca4
SHA256

4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535
SHA512

1295ce2980a0bc9f98699e76f82621461c0c0683f7a5b46300525fc5f9960d02d2299d5ebdd278cfefb7f3f697423e48284c4507b4047dbafb2c10bd127bef84
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYRcECHUI:vHW138/iXWlK885rKlGSekcj66ciaC0I

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe

Executes dropped EXE 1 IoCs

pid	Process
3920	yfmuf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yfmuf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 3920	3932	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe	83
PID 3932 wrote to memory of 3920	3932	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe	83
PID 3932 wrote to memory of 3920	3932	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe	83
PID 3932 wrote to memory of 3288	3932	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe	84
PID 3932 wrote to memory of 3288	3932	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe	84
PID 3932 wrote to memory of 3288	3932	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe	84

C:\Users\Admin\AppData\Local\Temp\4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe
"C:\Users\Admin\AppData\Local\Temp\4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\yfmuf.exe
  "C:\Users\Admin\AppData\Local\Temp\yfmuf.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3920
- - C:\Users\Admin\AppData\Local\Temp\qopin.exe
    "C:\Users\Admin\AppData\Local\Temp\qopin.exe"
    3⤵
    PID:4656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f8547e48c36c345bb295f32db5698194

SHA1
df3724495be98d6dabbfd22941219b2c780b5eb5

SHA256
d3a2a3660f7adceef90ff20a118ff792f53d1c61e56e7c30190681a8820271b6

SHA512
81d519d024247b549710791f0aa12e5079a06722e90118ccb7cbdbff5b6d66680066495e22dc74e56009d8e9db50fa73889b50aeb577392bd34f646ba523b586

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8131c393435f0b636da9e37271d44d60

SHA1
2238893b5dc466d0c6b3bececa41fa1bb8f8a8e3

SHA256
fe8b8eb3279e774843af59b813fb0897988196ee6c523a006e67035ce434d083

SHA512
4cca67377721d49668c915b87421536bf2c8c9e643aa427cd714c127cbfc0d5fb8ccc51c440b609710aaa2b0379772259fb79d0340cf4b0d7e254748c01324bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qopin.exe

Filesize
172KB

MD5
c57cc4a2fbe07c6d0e65fc73e7920c48

SHA1
f6039e5524a3ef7fa299f2c19a37433f5c3132ac

SHA256
d730c1bccbbaa82ed6055fde5306db2d5a9687a79eb1e1c3638a79b597a185a7

SHA512
a3ccb8624147710033b2e81c14e84c3fafb1236b194abc5448d16e7cd6144254f2b773d0fca613c9bbd24e9e2b166d774336ccab5c22d1dfd9069b2aaaf5c74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfmuf.exe

Filesize
341KB

MD5
b80f75ed344d1a7d91efbb53b6141a39

SHA1
7f1328ba6a1d1c61a88c5d0572dafd8ee2e97d12

SHA256
60e8a3d52e7e7b2c07d5c8d4df11cba2aa8063f0e82cce1f06b2ac5dcb8b843a

SHA512
3ad466ec4a1783974bb1debc4965e47a6c33307a6cfd00df503574bdbde46e88c7253be1bb661ed9a632230995b7ad7576b169bdde6295a3749a3ac913626954

Download Submit
memory/3920-41-0x00000000002A0000-0x0000000000321000-memory.dmp

Filesize
516KB

Download
memory/3920-21-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/3920-11-0x00000000002A0000-0x0000000000321000-memory.dmp

Filesize
516KB

Download
memory/3920-14-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/3920-20-0x00000000002A0000-0x0000000000321000-memory.dmp

Filesize
516KB

Download
memory/3932-1-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/3932-0-0x0000000000520000-0x00000000005A1000-memory.dmp

Filesize
516KB

Download
memory/3932-17-0x0000000000520000-0x00000000005A1000-memory.dmp

Filesize
516KB

Download
memory/4656-39-0x0000000000BD0000-0x0000000000BD2000-memory.dmp

Filesize
8KB

Download
memory/4656-42-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/4656-38-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/4656-46-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/4656-47-0x0000000000BD0000-0x0000000000BD2000-memory.dmp

Filesize
8KB

Download
memory/4656-48-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing