urelas | 643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1

General

Target

643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe
Size

275KB
MD5

4f484ec903da6d4e4fca1f56b3a0f5e0
SHA1

053c14798282218e84fadacb5b7c06129cc73b38
SHA256

643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1
SHA512

eecafc7fd8acf4f08459150a9e8d1a2a32b6a7e9fc7205c57807209784b6c4a1d967aee842031c8547aaeb4ad50f758f8cf2bc7166ccda2cef835a2d6f4017c8
SSDEEP

6144:YBJz8I3EKuteh0AemMzbUNnWNt+xXEUPW:6B8I0vtHLPUNWv+xXDW

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	coxes.exe

Executes dropped EXE 2 IoCs

pid	Process
4868	coxes.exe
1448	ejzyx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejzyx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coxes.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe
1448	ejzyx.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 4868	4028	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe	83
PID 4028 wrote to memory of 4868	4028	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe	83
PID 4028 wrote to memory of 4868	4028	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe	83
PID 4028 wrote to memory of 3384	4028	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe	84
PID 4028 wrote to memory of 3384	4028	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe	84
PID 4028 wrote to memory of 3384	4028	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe	84
PID 4868 wrote to memory of 1448	4868	coxes.exe	102
PID 4868 wrote to memory of 1448	4868	coxes.exe	102
PID 4868 wrote to memory of 1448	4868	coxes.exe	102

C:\Users\Admin\AppData\Local\Temp\643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe
"C:\Users\Admin\AppData\Local\Temp\643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\coxes.exe
  "C:\Users\Admin\AppData\Local\Temp\coxes.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\ejzyx.exe
    "C:\Users\Admin\AppData\Local\Temp\ejzyx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
9bae44e49d77fbc2921940cbc7782571

SHA1
47a84ce377a7c21c83d69137e73d36d8d177fa31

SHA256
43f4325bb9af60c7b49ad5f132588cf7a8d73a1c6ccadf9265f38c7ee3caa8ea

SHA512
9cf9ec08bcf50a68c2e91e65af2ceba70a7e913389cd1f5ea0e0ad5b04e94fa9e2ed2334be5d1f11fc5b22c604f3e7fcbd35b84fcb875c0fc1e86a957c6dbd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\coxes.exe

Filesize
275KB

MD5
0824c8428a959609c0d167ea3a96093d

SHA1
09cf2954b4be8f531cfe7087276e20ca672d5c61

SHA256
54d5d916287d8980bf497da734898ad4488a98dd3c35c557eeabec7e4ea3513f

SHA512
6568b30033ff5c88cd148e28b86eb2529a8b48cac4d0efd26701750a257625bd86fc3d74e26667c54d3d3ba1f419e1ff558ecacfb2d08ca227ac5ed16c288a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejzyx.exe

Filesize
303KB

MD5
c3554c2ef3de9953bb9780f17cdc919a

SHA1
a40c5489b922812e7bc180b9dbc93cecae9a0870

SHA256
16a1c917d2e7e83d54d5503f6db1759e85ccb0d12ba1378edd1b86c425aa5921

SHA512
ef72571fbd0132953da9f7c3391c70f83edf89dc15fefd7c6680ef1eead98a477b5ff15c8b1e1b953b7756a5406d7ca89384a08182822124a33bbdd2b85d13a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d7e26ef21adfa051207459aab0071ef3

SHA1
672f5261e754b8f92257b0d99ffb0694c8a3d280

SHA256
97be8a6dbcf6e9bea0f6f6873e69b239be483889de902975e9899c31d8adfa0e

SHA512
aa751827d1b50028a759464e6b268e253d219c43484af758a37532242459c6f128c5f9c62fe0642b5598b7eb07e40cad95252006f8265052260acdfbf690b96a

Download Submit
memory/4028-0-0x0000000000BF0000-0x0000000000C51000-memory.dmp

Filesize
388KB

Download
memory/4028-15-0x0000000000BF0000-0x0000000000C51000-memory.dmp

Filesize
388KB

Download
memory/4868-12-0x0000000000C50000-0x0000000000CB1000-memory.dmp

Filesize
388KB

Download
memory/4868-18-0x0000000000C50000-0x0000000000CB1000-memory.dmp

Filesize
388KB

Download
memory/4868-35-0x0000000000C50000-0x0000000000CB1000-memory.dmp

Filesize
388KB

Download

Analysis

Sharing