urelas | 47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f

General

Target

47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe
Size

341KB
MD5

9e6a55c7bce3f2efc330ee91283aaac7
SHA1

243ff31193d7d2f618dbe4816e1c6b9a1fbf66b1
SHA256

47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f
SHA512

746aba37d81f1e00b91fadc38b7e8ea4738f3077ae3e030c611d958fcf90c0527bb6ee704e1881ba6510b1cf4ab8b71e70dcc990edbd6b68bd5e5700eab66fc2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYpDyZ:vHW138/iXWlK885rKlGSekcj66ciEOZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	uvbet.exe

Executes dropped EXE 2 IoCs

pid	Process
4504	uvbet.exe
4584	waywr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvbet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waywr.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe
4584	waywr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 4504	3132	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe	83
PID 3132 wrote to memory of 4504	3132	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe	83
PID 3132 wrote to memory of 4504	3132	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe	83
PID 3132 wrote to memory of 1040	3132	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe	84
PID 3132 wrote to memory of 1040	3132	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe	84
PID 3132 wrote to memory of 1040	3132	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe	84
PID 4504 wrote to memory of 4584	4504	uvbet.exe	103
PID 4504 wrote to memory of 4584	4504	uvbet.exe	103
PID 4504 wrote to memory of 4584	4504	uvbet.exe	103

C:\Users\Admin\AppData\Local\Temp\47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe
"C:\Users\Admin\AppData\Local\Temp\47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Local\Temp\uvbet.exe
  "C:\Users\Admin\AppData\Local\Temp\uvbet.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Users\Admin\AppData\Local\Temp\waywr.exe
    "C:\Users\Admin\AppData\Local\Temp\waywr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
1afa40f14da4e6b164d9537bfc4e11da

SHA1
e0527778ccf6699e6f902875ea797f978ff8c423

SHA256
aa68e594027da4d021e4310d0a965ccea94d85312deb962a42223e8f784e9271

SHA512
146f30b0a11276d32be7638da1a572975830bdcff0ef38ffecdcf8b0ad5d6dbd175a13a30609772df180f2e8811e0598ce46a23c1bdb4c1388ce40f1286a713c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
907ece42ea1caee818bc3cc768bb4745

SHA1
ce1ddf915407b4270c239111e79eaf116537ba36

SHA256
03dec522ca3e11b902b4c86f1ec7946a1cf73a57eb648179e963811d2fce574b

SHA512
df34cd31c36e9ece994c715cafa57a69a5823bdc03df3e0e96739b31254783ee1fa43e39d61acd878ca9fd9d3d04de4595c42be2466fb926e5e593aeb2249809

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvbet.exe

Filesize
341KB

MD5
b05fc27685297ffd8c75d37b7efd946e

SHA1
2bf313eaf5886d82dbf58c39641c17daad37dfd6

SHA256
97e28e1f2836372aec70da75212bb17917314f060d64f085252c7d9e7101c4c4

SHA512
bc0a3d3338ac1301a898ab703ef19f21043820106bed9da7c52f19fa883f071d4aca251d9aee1e0f802605625c17a960b16ce2435ae3751bbb525c8e12b951d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\waywr.exe

Filesize
172KB

MD5
a1493f77b2fdf5d37c99672fa3acda69

SHA1
9daa0bb6582df253b4e9159fcec12c0c4cb6f61f

SHA256
2697e3c3ee4226592557abb3b122eea2dd6baa5741c7daf59b7b33fa496edbf1

SHA512
2c60c77e4172d2454c6f1d0413a987dfacd5e2dea426e4faaa35b890296078e12f1c6b75a31fd29aa08ac187bfeacd7105de6873295edebb44efb953429f2647

Download Submit
memory/3132-1-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/3132-0-0x0000000000580000-0x0000000000601000-memory.dmp

Filesize
516KB

Download
memory/3132-17-0x0000000000580000-0x0000000000601000-memory.dmp

Filesize
516KB

Download
memory/4504-21-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/4504-10-0x00000000002B0000-0x0000000000331000-memory.dmp

Filesize
516KB

Download
memory/4504-20-0x00000000002B0000-0x0000000000331000-memory.dmp

Filesize
516KB

Download
memory/4504-14-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/4504-41-0x00000000002B0000-0x0000000000331000-memory.dmp

Filesize
516KB

Download
memory/4584-38-0x00000000003C0000-0x0000000000459000-memory.dmp

Filesize
612KB

Download
memory/4584-39-0x0000000000750000-0x0000000000752000-memory.dmp

Filesize
8KB

Download
memory/4584-42-0x00000000003C0000-0x0000000000459000-memory.dmp

Filesize
612KB

Download
memory/4584-47-0x0000000000750000-0x0000000000752000-memory.dmp

Filesize
8KB

Download
memory/4584-46-0x00000000003C0000-0x0000000000459000-memory.dmp

Filesize
612KB

Download
memory/4584-48-0x00000000003C0000-0x0000000000459000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing