urelas | 776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17

General

Target

776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17N.exe
Size

334KB
MD5

6880190130796f515d46f9f542a953e0
SHA1

9266e0bc63bc4647b39d3825c7c2a8977e7a7de4
SHA256

776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17
SHA512

37267d0c0055bf6cd85f94aa0176e9f188a573414cf640096443d6a845049bda69befdec162572bcff137fa50b58da7f60598a7ad89d9b1fed5af7e4f009733a
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYw:vHW138/iXWlK885rKlGSekcj66ciV

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fyecf.exe

Executes dropped EXE 2 IoCs

pid	Process
376	fyecf.exe
4800	ajfuw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fyecf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajfuw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17N.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe
4800	ajfuw.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 376	4048	776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17N.exe	83
PID 4048 wrote to memory of 376	4048	776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17N.exe	83
PID 4048 wrote to memory of 376	4048	776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17N.exe	83
PID 4048 wrote to memory of 4368	4048	776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17N.exe	84
PID 4048 wrote to memory of 4368	4048	776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17N.exe	84
PID 4048 wrote to memory of 4368	4048	776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17N.exe	84
PID 376 wrote to memory of 4800	376	fyecf.exe	103
PID 376 wrote to memory of 4800	376	fyecf.exe	103
PID 376 wrote to memory of 4800	376	fyecf.exe	103

C:\Users\Admin\AppData\Local\Temp\776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17N.exe
"C:\Users\Admin\AppData\Local\Temp\776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Local\Temp\fyecf.exe
  "C:\Users\Admin\AppData\Local\Temp\fyecf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Users\Admin\AppData\Local\Temp\ajfuw.exe
    "C:\Users\Admin\AppData\Local\Temp\ajfuw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
4be2edb18f8fe2a8a3343215ac5d05ce

SHA1
b2b01b4be8cd105766edb97c7a842bfc938a25b3

SHA256
56049cb6a01f1914e8d2d1975a09dc2d843039c184584c17c60ebf360df16f9e

SHA512
ba8644f0d6acae70eebcf8a517a32cea890cdddb143876e3b49ab1a803e73ce36f133d5ca0d3b2b9987e4fe90290e1db35a64e318873b488f4caaaa37897b1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajfuw.exe

Filesize
172KB

MD5
aeb15ad15f0ff357a276c7a346c1db10

SHA1
d44ca977f6542ea3b3fb781dd29ceb7fc67830d0

SHA256
89b05f64207452b6005cc4d960457a64becdfd5724dbed52a67f6169600076e9

SHA512
878c94c8273c2be58a0228017205f1efacb175388e8770759dc8552eb5bb7ad73572363392c8ee2037e0e8c448c814ab65fc718e297bbd299c660f1eac21a0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyecf.exe

Filesize
334KB

MD5
094cf477b8f7798ae16536a03a19908e

SHA1
59212c7f35506fe552871a8fecb657b199a767ad

SHA256
cd68a4644377450f48f167d5a5f9d31c75ade1f9d5bcd9c7819466f352e9c652

SHA512
573c922d7fd5ad9771365deacd9427ef75fe1e15e181f27bb2d7fb5d2e331fff43988c0998528675bfc1f8540f86a3ca799ac4caba9b72a038bd8f76d483d896

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d56961606c4e58f57533ea63308f0f99

SHA1
5f532bb5d92a41642888ba6479eefd3339490efc

SHA256
3c130ffa5f2144484cdcb724f47427a1b3ae3f0ca75500fed933fe166cf6f117

SHA512
adc98b94d8b7297fc1fb2c2460cd8c7515470089062b7d8b88d94d9ca014e793e61a980e0bd0a5da2ba11e5a7b1cf615235257ca0ba9c76419547ac3bf10d0cd

Download Submit
memory/376-21-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/376-44-0x0000000000700000-0x0000000000781000-memory.dmp

Filesize
516KB

Download
memory/376-10-0x0000000000700000-0x0000000000781000-memory.dmp

Filesize
516KB

Download
memory/376-14-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/376-20-0x0000000000700000-0x0000000000781000-memory.dmp

Filesize
516KB

Download
memory/4048-17-0x00000000003F0000-0x0000000000471000-memory.dmp

Filesize
516KB

Download
memory/4048-0-0x00000000003F0000-0x0000000000471000-memory.dmp

Filesize
516KB

Download
memory/4048-1-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4800-38-0x0000000000560000-0x00000000005F9000-memory.dmp

Filesize
612KB

Download
memory/4800-41-0x0000000000560000-0x00000000005F9000-memory.dmp

Filesize
612KB

Download
memory/4800-39-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4800-46-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4800-47-0x0000000000560000-0x00000000005F9000-memory.dmp

Filesize
612KB

Download
memory/4800-48-0x0000000000560000-0x00000000005F9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing