urelas | a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4

General

Target

a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe
Size

336KB
MD5

b45c2b558660b3980a3d28bd0a3e5d3d
SHA1

83c94266393e4acbac9c18e91a650ae358a78f99
SHA256

a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4
SHA512

6f53de692a3fcbaa8146411787f6654f1d6b64ba239f18a6cd1e132a75a3950c64f229dbe8ef7716f002877032de7d903dd84b63bd1ea4bd0e7174420f3b4774
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYvRQ:vHW138/iXWlK885rKlGSekcj66ci2i

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	rymio.exe

Executes dropped EXE 2 IoCs

pid	Process
2200	rymio.exe
3024	baqyf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rymio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baqyf.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe
3024	baqyf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 2200	1348	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe	85
PID 1348 wrote to memory of 2200	1348	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe	85
PID 1348 wrote to memory of 2200	1348	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe	85
PID 1348 wrote to memory of 3752	1348	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe	86
PID 1348 wrote to memory of 3752	1348	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe	86
PID 1348 wrote to memory of 3752	1348	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe	86
PID 2200 wrote to memory of 3024	2200	rymio.exe	105
PID 2200 wrote to memory of 3024	2200	rymio.exe	105
PID 2200 wrote to memory of 3024	2200	rymio.exe	105

C:\Users\Admin\AppData\Local\Temp\a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe
"C:\Users\Admin\AppData\Local\Temp\a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\rymio.exe
  "C:\Users\Admin\AppData\Local\Temp\rymio.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\baqyf.exe
    "C:\Users\Admin\AppData\Local\Temp\baqyf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8e0be38d08ee74b109930690d08106b8

SHA1
329f116d83c325dc6acfa34e63e80c5801821f33

SHA256
c9d35c975cb0708f48ca9a61ed3ac06d4a150ba71127206813d62e18f20a5ef2

SHA512
774d9e0fa5768577a5ed33c607c50786474b794486e5094cac7d53e98014aa9cada813e0ec085d14e333f2acff85c5951d96d044f8551c7e2a17a4bd65b1b091

Download Submit
C:\Users\Admin\AppData\Local\Temp\baqyf.exe

Filesize
172KB

MD5
8218a667a120b7ba24d4582517bc5c66

SHA1
7b7673392b7ef5f5c6f4332b28380ebc7618db8e

SHA256
e1d5e827e71a3cea776bf40211b7a04fde2e7c680bc49d4b0aa90072f46beac7

SHA512
88f5156c06eeeb967949fb479754cb579d926459bce2f8d08a9fddce23fd467da2a48f61ff0b1ead077ffd6f516e8ec7bd985ae8efce2af0ef82882ae6ef8024

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
69194b3dc80ccab1722cdc7d3e120ef7

SHA1
a5029699a4aafcd26a586e7ca7e812edfef96c5f

SHA256
5cae5052f7b4d19a5601878785df8ee47f36ca0c4e29e531e89fa3d6f8fa570c

SHA512
cd295a885fcfe2fe67053e930d627172f66fd37968e235ae902526e91e0c3df4f5c2af9da2d8329e09fa4a793ab1084fd48491ea9e4e8ddf8296c8e73110f5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rymio.exe

Filesize
336KB

MD5
13aa304ac3951c9ae33e1041511b9a07

SHA1
81a7f3e4036ade474bb26ba45bb69837b6f18d38

SHA256
af01f48214b40fbb65bbb55afe4caf56f648840abb16fa30226037a94714498a

SHA512
22c19daf036930aaeb6591cf2629257e5a607a81b4695d2303754340982f16feadee0af2a4cc8c7109cbbdab1669d946820af101977098905d8e9d78823f2592

Download Submit
memory/1348-1-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1348-0-0x0000000000D30000-0x0000000000DB1000-memory.dmp

Filesize
516KB

Download
memory/1348-17-0x0000000000D30000-0x0000000000DB1000-memory.dmp

Filesize
516KB

Download
memory/2200-21-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/2200-14-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/2200-20-0x00000000009C0000-0x0000000000A41000-memory.dmp

Filesize
516KB

Download
memory/2200-13-0x00000000009C0000-0x0000000000A41000-memory.dmp

Filesize
516KB

Download
memory/2200-41-0x00000000009C0000-0x0000000000A41000-memory.dmp

Filesize
516KB

Download
memory/3024-39-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

Filesize
8KB

Download
memory/3024-38-0x00000000003F0000-0x0000000000489000-memory.dmp

Filesize
612KB

Download
memory/3024-42-0x00000000003F0000-0x0000000000489000-memory.dmp

Filesize
612KB

Download
memory/3024-47-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

Filesize
8KB

Download
memory/3024-46-0x00000000003F0000-0x0000000000489000-memory.dmp

Filesize
612KB

Download
memory/3024-48-0x00000000003F0000-0x0000000000489000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing