urelas | a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5

General

Target

a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe
Size

335KB
MD5

04d68eaf478d47657476caf43d7285c0
SHA1

ce15233f41f268c12fb404dee0fd43278a8ea1a7
SHA256

a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5
SHA512

1ad03af4af901ca022b64a9d2e630219fc546afa72ee3ab978413b7cdb1c0cc651074b28bac870b1ba27e3b883e3d64524e33d63727403fdaabf090d500543e5
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYi:vHW138/iXWlK885rKlGSekcj66cir

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dahal.exe

Executes dropped EXE 2 IoCs

pid	Process
5068	dahal.exe
1132	wyizu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dahal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyizu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe
1132	wyizu.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 5068	3420	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe	83
PID 3420 wrote to memory of 5068	3420	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe	83
PID 3420 wrote to memory of 5068	3420	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe	83
PID 3420 wrote to memory of 4284	3420	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe	84
PID 3420 wrote to memory of 4284	3420	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe	84
PID 3420 wrote to memory of 4284	3420	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe	84
PID 5068 wrote to memory of 1132	5068	dahal.exe	104
PID 5068 wrote to memory of 1132	5068	dahal.exe	104
PID 5068 wrote to memory of 1132	5068	dahal.exe	104

C:\Users\Admin\AppData\Local\Temp\a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe
"C:\Users\Admin\AppData\Local\Temp\a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\dahal.exe
  "C:\Users\Admin\AppData\Local\Temp\dahal.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\wyizu.exe
    "C:\Users\Admin\AppData\Local\Temp\wyizu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
c172a424cc00b26d4d85581ae514e7d8

SHA1
a7ecdb5ec063dac988c82b20d1f0a86b92614006

SHA256
5b527a29c060d697eec47886c68afd011769d9228bdd88908fe3830785e07fe3

SHA512
d84c0f57c681eea26dee174c9a60bbe3f7a1442ac30ce38b05e57fc9e4b94c44f208eaa2112f913be04cce8459aeb959a4990b3c002ad09803e8fb80fab5b12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dahal.exe

Filesize
335KB

MD5
151395892f7efc5265fc4ffec79a46c4

SHA1
f13296fa493bcbc67ac308645f6972383f4806f2

SHA256
ef9a469fce77af704fe9690e96cda131b8d860f03d567f6afe2c26c990659e57

SHA512
48e75689e0addf71760b80782703fdf2fe886de3eb4db8a7a20ff6696995d9558d982f4669d32e9ab185367e55bd4b10578710f9a988c40c9621956630015c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
88641f8e713c756f3bf80fef94be37ad

SHA1
34e8ee51d2897cb7731c9cf7bbab0c6f32012bb8

SHA256
312f585965ad09b4550e7d370cc8f4f1ef697a10ff68876ad2bfd0900a2dff3c

SHA512
6da7b855c7ff5875548297854a66bb135a4cb7b822c5638ddddee628e5e74ce156ee798e6e0b17b581d09f919cd87f7479d5556e681b0374e091a5b2791a9daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyizu.exe

Filesize
172KB

MD5
21b8a05637dc4c1a11ef630d5650bc2f

SHA1
d1c628490a8d2f3556e70364a661c01df52fbc03

SHA256
d3863bae2d653ec4490a3242af887b5fdcd63a7d8847e7b79abe88eecdb6ae13

SHA512
858d0229e5095b8504dea73326a42b39d7bd71402cd35065ddf2810e6277749f8ec6df0570143421230368e3136ff7dd6e017c64a88edd408ad57731faaa3b8f

Download Submit
memory/1132-39-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/1132-40-0x0000000000CD0000-0x0000000000CD2000-memory.dmp

Filesize
8KB

Download
memory/1132-36-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/1132-44-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/1132-45-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/3420-16-0x0000000000B20000-0x0000000000BA1000-memory.dmp

Filesize
516KB

Download
memory/3420-1-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/3420-0-0x0000000000B20000-0x0000000000BA1000-memory.dmp

Filesize
516KB

Download
memory/5068-14-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/5068-13-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/5068-19-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/5068-42-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing