urelas | d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d

General

Target

d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe
Size

337KB
MD5

b3e04f64c052ce0a4066e6b823a0c14a
SHA1

551d1f5fddb0d3fd6305bcc205602b40b7d02503
SHA256

d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d
SHA512

832a304a2194587a2f6594031e2fd1b1e9c5eebe3c4304136dd9834820420daf84365e246d429f1079ca2dfe21aa55dda16a1f7351dc6ba56815c0d5ae6aad5e
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYT:vHW138/iXWlK885rKlGSekcj66ciC

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	vuefr.exe

Executes dropped EXE 2 IoCs

pid	Process
5032	vuefr.exe
2368	ufmyw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuefr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ufmyw.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe
2368	ufmyw.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 5032	4828	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe	82
PID 4828 wrote to memory of 5032	4828	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe	82
PID 4828 wrote to memory of 5032	4828	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe	82
PID 4828 wrote to memory of 3572	4828	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe	83
PID 4828 wrote to memory of 3572	4828	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe	83
PID 4828 wrote to memory of 3572	4828	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe	83
PID 5032 wrote to memory of 2368	5032	vuefr.exe	94
PID 5032 wrote to memory of 2368	5032	vuefr.exe	94
PID 5032 wrote to memory of 2368	5032	vuefr.exe	94

C:\Users\Admin\AppData\Local\Temp\d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe
"C:\Users\Admin\AppData\Local\Temp\d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\vuefr.exe
  "C:\Users\Admin\AppData\Local\Temp\vuefr.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\ufmyw.exe
    "C:\Users\Admin\AppData\Local\Temp\ufmyw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
e46cf7e666d496b2bc96b11f748ea53d

SHA1
2009952e58300f07ce220f2af11d1cb47b8731dc

SHA256
4dab5a4d91f0f463ba842ae4165553d916fed59900c56ec48450186976a1249f

SHA512
206d489e0ba005e452c15d3d9fc9461b5c63960476254035081c334388bc4a31aa39553bc08d3f8fc4516a2f1e8be87f399d9dd8431376558406bb501d2d24d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5e0a91846280f1512ac2d26fbe29cfbf

SHA1
e214de0d38f341a5f2e74b9a5ce0dcb2bfcaf501

SHA256
7325e7eb6b23b8afe280e7dbc970714f9005d6e600117b363b2bd38a959b7316

SHA512
874cd58a701db54b7cb9bee1b02d15a94efd3b784498fcb33397e52e3ba45fe8ce57db248e880a4d71fc05f613ce257f0c22edbaa82dce5c3cbfb917098b0f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufmyw.exe

Filesize
172KB

MD5
85783ef41b0f2f3db0b3c839cf76ddce

SHA1
9fa956acb86c2798b7bd881f62f6f73649763f5b

SHA256
6be166de5a89ddf312cdab5aa17e6a90bc1342410d128a91049eff3f07b56b06

SHA512
c66f18b83a99d8e48ca3e5988b0646589358b97ce4784fc09e87c3a517adea9aca0914564a76989132950d294f2c1beb7e94c405a566c3c2fff049c9165a5022

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuefr.exe

Filesize
337KB

MD5
7a0d97e211e53f5b9408b9c60d70811c

SHA1
459c426bb941d4c0373bb192780caae6ebce210e

SHA256
25af583692983c33e70958ad79c2b407323f29b009098bf0214f50c32d87d992

SHA512
5d3a7288190e1c238e3c2e8fd8f2e394272690729ac291f1f4930342664e1722371677f0380d289e14d566addf72eeab2c0a51a82182290c032eeca1eb27f98a

Download Submit
memory/2368-47-0x0000000000360000-0x00000000003F9000-memory.dmp

Filesize
612KB

Download
memory/2368-45-0x0000000000360000-0x00000000003F9000-memory.dmp

Filesize
612KB

Download
memory/2368-41-0x0000000000360000-0x00000000003F9000-memory.dmp

Filesize
612KB

Download
memory/2368-36-0x0000000000360000-0x00000000003F9000-memory.dmp

Filesize
612KB

Download
memory/2368-46-0x00000000002D0000-0x00000000002D2000-memory.dmp

Filesize
8KB

Download
memory/2368-40-0x00000000002D0000-0x00000000002D2000-memory.dmp

Filesize
8KB

Download
memory/4828-0-0x00000000000A0000-0x0000000000121000-memory.dmp

Filesize
516KB

Download
memory/4828-17-0x00000000000A0000-0x0000000000121000-memory.dmp

Filesize
516KB

Download
memory/4828-1-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/5032-14-0x0000000000EA0000-0x0000000000F21000-memory.dmp

Filesize
516KB

Download
memory/5032-39-0x0000000000EA0000-0x0000000000F21000-memory.dmp

Filesize
516KB

Download
memory/5032-20-0x0000000000EA0000-0x0000000000F21000-memory.dmp

Filesize
516KB

Download
memory/5032-15-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing