urelas | ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06c

General

Target

ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe
Size

337KB
MD5

74237201f106e1b4cc7f9bd57239a8b0
SHA1

2aea8f5cddddd1be438504ee9d5ca6fb9eb44014
SHA256

ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06c
SHA512

72418e15f92cae5bb31584ecf3f4fc4083e5af3bbda433b36232c9d68a61d003862921de8cf65a1a87d621af6173e63aa4fa887a9b6a632d4de1e705d4886f5b
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66ciG

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	uhtoy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe

Executes dropped EXE 2 IoCs

pid	Process
2576	uhtoy.exe
2136	lynud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lynud.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uhtoy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe
2136	lynud.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2576	2784	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe	82
PID 2784 wrote to memory of 2576	2784	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe	82
PID 2784 wrote to memory of 2576	2784	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe	82
PID 2784 wrote to memory of 1572	2784	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe	83
PID 2784 wrote to memory of 1572	2784	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe	83
PID 2784 wrote to memory of 1572	2784	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe	83
PID 2576 wrote to memory of 2136	2576	uhtoy.exe	94
PID 2576 wrote to memory of 2136	2576	uhtoy.exe	94
PID 2576 wrote to memory of 2136	2576	uhtoy.exe	94

C:\Users\Admin\AppData\Local\Temp\ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe
"C:\Users\Admin\AppData\Local\Temp\ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\uhtoy.exe
  "C:\Users\Admin\AppData\Local\Temp\uhtoy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\lynud.exe
    "C:\Users\Admin\AppData\Local\Temp\lynud.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
68882864ef7a0652d0ab980c3626f862

SHA1
3e804be8a27b669258344f35d6d039ecec8aba5e

SHA256
cd8626fc2ac08bcacacee30b24394ba19bf1c913347beb12d61cbd456e83e86f

SHA512
5b785b861401053e21e06809eae1b53bbb40be44000e6b58fc210fe00676dec2a9b78e8f2fd84d957ba33a4d4b829d79052ae24b7bc0b5853b005d3a4957cd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9e922a97590c667ace3f5b0e023d8221

SHA1
f52c1e81d6c7b2b64e3b02d3c0dfff2cb3caefb8

SHA256
055b90fa4ed66226af3a2d6813135ee1dfb47db31f6dce34696f3db4fb291a2a

SHA512
b8d2574a06929a0a21d9d0807ae1635047dfab59be4dc86bf0f83320ed17fef66587c622a948bdae4a709cc7fd253ed6818a13191d1c06c9f1f3c0de1aff44f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lynud.exe

Filesize
172KB

MD5
e2aacfac3acd0a8a4aa5ec55dcbcfa49

SHA1
11495c84f730359214859a5199c1f3b8213e45b0

SHA256
85b831ebc184e651dd96a754e092eb0a23f6fa94424bdeab0b5316edcc9d8851

SHA512
efdf20fa4d36ff42a0481844bdc1df3b0c866dd1259faec15419b64ee57816b28c5e94a44f4ae9bb1484049ecb4444d040b4ef945c6c160df02dbe44cf58cb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhtoy.exe

Filesize
337KB

MD5
563f80c65d6dfaed8cdc3ce50a523385

SHA1
83627be5467a2e008471875c25b532d1714d2d4b

SHA256
66c7dcbb530cd526ee7bc5298bec85c2f72c6d3a0157b35819a0cbe4b2e7d681

SHA512
21d22ae2e9c2cd82179751caeb7804bd2b3783b56b749c11f8138856c54a90d58bfc59054fbfecc3ac7efc049328d4646dc0438d9afa18005c935e6e95c242bc

Download Submit
memory/2136-48-0x0000000000CF0000-0x0000000000D89000-memory.dmp

Filesize
612KB

Download
memory/2136-46-0x0000000000CF0000-0x0000000000D89000-memory.dmp

Filesize
612KB

Download
memory/2136-47-0x0000000000C40000-0x0000000000C42000-memory.dmp

Filesize
8KB

Download
memory/2136-41-0x0000000000CF0000-0x0000000000D89000-memory.dmp

Filesize
612KB

Download
memory/2136-39-0x0000000000C40000-0x0000000000C42000-memory.dmp

Filesize
8KB

Download
memory/2136-38-0x0000000000CF0000-0x0000000000D89000-memory.dmp

Filesize
612KB

Download
memory/2576-11-0x00000000005F0000-0x0000000000671000-memory.dmp

Filesize
516KB

Download
memory/2576-21-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/2576-20-0x00000000005F0000-0x0000000000671000-memory.dmp

Filesize
516KB

Download
memory/2576-44-0x00000000005F0000-0x0000000000671000-memory.dmp

Filesize
516KB

Download
memory/2576-14-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/2784-17-0x0000000000470000-0x00000000004F1000-memory.dmp

Filesize
516KB

Download
memory/2784-0-0x0000000000470000-0x00000000004F1000-memory.dmp

Filesize
516KB

Download
memory/2784-1-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing