urelas | ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc

General

Target

ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
Size

335KB
MD5

a382b347737bdb4bd2bf3ac26c34ba03
SHA1

0ba6c6f58880260c32eb733350f7634eb245890c
SHA256

ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc
SHA512

390d29133ae5d769573875024024140790154290d0db373ca0181129886c332627f98e574d44500ba768848882b9fe90e7cc8732f448b9574ae642852dffe6b2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV9MC:vHW138/iXWlK885rKlGSekcj66ciE9MC

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	kyycw.exe

Executes dropped EXE 2 IoCs

pid	Process
228	kyycw.exe
3452	hiupz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyycw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hiupz.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe
3452	hiupz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 228	2820	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	85
PID 2820 wrote to memory of 228	2820	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	85
PID 2820 wrote to memory of 228	2820	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	85
PID 2820 wrote to memory of 2628	2820	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	86
PID 2820 wrote to memory of 2628	2820	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	86
PID 2820 wrote to memory of 2628	2820	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	86
PID 228 wrote to memory of 3452	228	kyycw.exe	105
PID 228 wrote to memory of 3452	228	kyycw.exe	105
PID 228 wrote to memory of 3452	228	kyycw.exe	105

C:\Users\Admin\AppData\Local\Temp\ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
"C:\Users\Admin\AppData\Local\Temp\ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\kyycw.exe
  "C:\Users\Admin\AppData\Local\Temp\kyycw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Users\Admin\AppData\Local\Temp\hiupz.exe
    "C:\Users\Admin\AppData\Local\Temp\hiupz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2327ead2b68b0439df68905a99174378

SHA1
04ebca76b854ae1a856e304d4ec9486322779513

SHA256
7fe90d95840f59e20765937b8c0f56231ec0e3582bf3c4e53fff1ff527b6f3d7

SHA512
2e9f26a14e31b968995305e6464afe2625679b99e3aeb28dd1b218a2630e78b9c9e6ab32bd597a17ad55cda4cd24701e2c3a7ccbf48cd0b26fe4e75c439ce6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
72fa767b12a156627f252d127464d200

SHA1
9cdfb8cba9ab7c0b7ce5f332d67d657c996eded5

SHA256
15bd423825ecb790c7f32baf7fe580c5aef53a5a2524a6c99036eacb244901ac

SHA512
852966a765c0aea3067f34f75d45a269c5ef3f8c58214d9bad7e39ceded927dfd6aa8b5b4268931cec1c2b81c2da40d8c9b91cdea8f14a0199127e88084ab3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiupz.exe

Filesize
172KB

MD5
063bef68216606648cd422199127b22c

SHA1
bd2ce1a11ba1f869bbd4fa7201782fd1eefcbe60

SHA256
0d72c1a148b721f94c0190f5b532107d5dfce9ef916fb430ca0ca9b794a0a0fe

SHA512
06bb48b8ba61176fda6cb60fdc456f7d93dcaaa6954e19d7a3f19e7ee8e05902abaaf9d25521bcff90d330042db0f62bacd7a41d6dc2e2c0c952fa3621ef413a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyycw.exe

Filesize
335KB

MD5
85b4208dfa1d1a77985bd8995a737127

SHA1
eb3d2e319ca9b236f846c6cbc7b0659c0a08964c

SHA256
89d96aaa4f8e4ec5dc476b5e09e1bc106a885246f1727b08c75136f0e6b3fe17

SHA512
f5d3715eee571734e63c579391d18c68681004991fb132b9651b190c679ab6ccbe7ced8e064c2cd0ce987531fd8d03ce46a02d3a1d159103eada22f77cf55bcc

Download Submit
memory/228-20-0x0000000000EC0000-0x0000000000F41000-memory.dmp

Filesize
516KB

Download
memory/228-13-0x0000000000EC0000-0x0000000000F41000-memory.dmp

Filesize
516KB

Download
memory/228-14-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/228-21-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/228-40-0x0000000000EC0000-0x0000000000F41000-memory.dmp

Filesize
516KB

Download
memory/2820-17-0x0000000000B00000-0x0000000000B81000-memory.dmp

Filesize
516KB

Download
memory/2820-0-0x0000000000B00000-0x0000000000B81000-memory.dmp

Filesize
516KB

Download
memory/2820-1-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3452-44-0x0000000000D90000-0x0000000000D92000-memory.dmp

Filesize
8KB

Download
memory/3452-41-0x0000000000FA0000-0x0000000001039000-memory.dmp

Filesize
612KB

Download
memory/3452-38-0x0000000000FA0000-0x0000000001039000-memory.dmp

Filesize
612KB

Download
memory/3452-46-0x0000000000FA0000-0x0000000001039000-memory.dmp

Filesize
612KB

Download
memory/3452-47-0x0000000000FA0000-0x0000000001039000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing