urelas | d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede

General

Target

d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe
Size

337KB
MD5

04e240ee2f9ab0209ae9df67f16a2146
SHA1

8083458b4bd2c74384a9783b08c48811a27b2453
SHA256

d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede
SHA512

aa8a82c239411a05b134ba3aa6f74042b2fb6c98b7b3c984ebf48998a817ab01966c3a854248be1cb94f4b61391616d316de64f16c6de39c6c19b47be1ebf093
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVVPR:vHW138/iXWlK885rKlGSekcj66ciEVZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	egpyi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe

Executes dropped EXE 2 IoCs

pid	Process
2028	egpyi.exe
1716	boiwn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	egpyi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boiwn.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe
1716	boiwn.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2028	1624	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe	84
PID 1624 wrote to memory of 2028	1624	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe	84
PID 1624 wrote to memory of 2028	1624	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe	84
PID 1624 wrote to memory of 4768	1624	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe	85
PID 1624 wrote to memory of 4768	1624	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe	85
PID 1624 wrote to memory of 4768	1624	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe	85
PID 2028 wrote to memory of 1716	2028	egpyi.exe	104
PID 2028 wrote to memory of 1716	2028	egpyi.exe	104
PID 2028 wrote to memory of 1716	2028	egpyi.exe	104

C:\Users\Admin\AppData\Local\Temp\d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe
"C:\Users\Admin\AppData\Local\Temp\d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\egpyi.exe
  "C:\Users\Admin\AppData\Local\Temp\egpyi.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\boiwn.exe
    "C:\Users\Admin\AppData\Local\Temp\boiwn.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8e631a28e907fdd992faf6b98e396d7e

SHA1
2ae635dd93ccb54d4fc3c477031ad55b71105f4c

SHA256
f0ec429b7ecf5fc7e9e23bd747228b181f6a8287b29a87fc67546999c870de70

SHA512
326bc571c95a108a75bc11b07e26e64f4261f2beefada101e9bc9b63d076e096c951dfd8c42593618c2d0a1a79d672123a2ab0496630f8c66c17003423ddd296

Download Submit
C:\Users\Admin\AppData\Local\Temp\boiwn.exe

Filesize
172KB

MD5
5933d14804e2bc5396e102fdb31247ad

SHA1
2a7c0829fdb3c08a03346ea933fc1b65464778c7

SHA256
560f0d4a127a5d68bb98cc47da4ba848761d3ed890044ef8e2168e6b1c55635c

SHA512
a0bdb3792b3801c04f50d1c6f178b8e2482bee42276df2e9f7864aa98aa4473d8ae34067877bd85c7e590916b2c5a9d74936d8940242a1427be79bd1695e5052

Download Submit
C:\Users\Admin\AppData\Local\Temp\egpyi.exe

Filesize
337KB

MD5
4e6f7638b5032c2566e8c6051a687f4e

SHA1
d1171fe6a02e22ec880223bbd218271634eb8b40

SHA256
37a45dd5cabaf8b9a7d619a694359c6ac1749306cbe1626664507b99936d2756

SHA512
29f532819748dd3ae662718df6a5659ad22a582ca291e1d7eafd78ece83c3db7b28815466a177b0d45f4b283eab08825765bb1a38236d00dc2d1465644e2104b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e17a6e6cdd34413ff75bb5251716b1e1

SHA1
a241d40171efa3493938db1a73d312e57e07f5b5

SHA256
569897744102666ee06df712c642e4f5f418d7faba35f8201eda7822682477bc

SHA512
634890df4704aa96222c25b5fb6265943532069ee93abe3d98b8ef6a7865e6b08d00da33f4394623d57c96e9c290a21959a52fd9520aa8e95bfe5238acad2251

Download Submit
memory/1624-17-0x0000000000D90000-0x0000000000E11000-memory.dmp

Filesize
516KB

Download
memory/1624-1-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1624-0-0x0000000000D90000-0x0000000000E11000-memory.dmp

Filesize
516KB

Download
memory/1716-47-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/1716-45-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/1716-37-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/1716-39-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/1716-38-0x00000000009F0000-0x00000000009F2000-memory.dmp

Filesize
8KB

Download
memory/1716-46-0x00000000009F0000-0x00000000009F2000-memory.dmp

Filesize
8KB

Download
memory/2028-20-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/2028-43-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/2028-11-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/2028-14-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing