urelas | 867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475

General

Target

867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe
Size

334KB
MD5

df6e60a4cbcb0faa1896dafa79456ec4
SHA1

0ce30fa510455d1760194695c392da1fc98b1bf7
SHA256

867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475
SHA512

d95c746b28cefa538321e321d032a365cc85f9281b89a60c32a9512087cfc87db939373d9477118f1e943b34eda8a0b6df8e8241522904e5913b8b9c235b03d2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYm:vHW138/iXWlK885rKlGSekcj66ciz

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lylol.exe

Executes dropped EXE 2 IoCs

pid	Process
3728	lylol.exe
1284	vysuu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lylol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vysuu.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe
1284	vysuu.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 3728	2596	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe	82
PID 2596 wrote to memory of 3728	2596	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe	82
PID 2596 wrote to memory of 3728	2596	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe	82
PID 2596 wrote to memory of 544	2596	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe	83
PID 2596 wrote to memory of 544	2596	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe	83
PID 2596 wrote to memory of 544	2596	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe	83
PID 3728 wrote to memory of 1284	3728	lylol.exe	93
PID 3728 wrote to memory of 1284	3728	lylol.exe	93
PID 3728 wrote to memory of 1284	3728	lylol.exe	93

C:\Users\Admin\AppData\Local\Temp\867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe
"C:\Users\Admin\AppData\Local\Temp\867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\lylol.exe
  "C:\Users\Admin\AppData\Local\Temp\lylol.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\vysuu.exe
    "C:\Users\Admin\AppData\Local\Temp\vysuu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
6649b6d4d8755191c1f70e65c96ac4ac

SHA1
6d86a5bae8d4343cf2130840adcd9ebdd2ddfa75

SHA256
e866af4db3ac056f2dda0cdd0f88a52449c8a154570d685ea6e8e7a8db068ad5

SHA512
88def5293ba16105fd6c273d0c330d095152d1d0d5021a5755165347e91d424e7215b323382c5d5e8cec37571a2f6304fd9e69f8b7968b9278e6b8f2cdd43681

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4870d2f76ca9b1197d4fd0ef3c4a0182

SHA1
b29592372a72751ca318f8120efe27de3f28273f

SHA256
642148cbe8cb10876662595ddde55df9cfb55eff0a828e31919f485bba554e62

SHA512
acd55a45aaca65b96074e9d818db93c3323e530878532c0d3ca306a08f1bf80c1f2e78ced093a2a1fd7fe2d0ac61262366b4ea18a2358bfcbec691bf242e16fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lylol.exe

Filesize
334KB

MD5
4f69e896a58c35a0b96b76e8f266821a

SHA1
21f4d0a978e200e17705a6779b468c77a553e389

SHA256
ce149d03489c928ccbdfad494f70e1d45274529fe1dfa20ef1d8805ec7432a83

SHA512
187f4e09fac8a51ffd220753c7c5ef32d8b44fcd57c990ebbb2ed1fd33be85ff03fcfd0afca4945db3d818dfb2dcbef2bea1701d8d935a9cb24b6a2adea1a496

Download Submit
C:\Users\Admin\AppData\Local\Temp\vysuu.exe

Filesize
172KB

MD5
1236ff2638e5cdfcdf8405de3020f731

SHA1
0b62e1843d73939f8efc514870812bcf3cb7f47d

SHA256
808ef4482e78ce9f19ff2b5f8ffc971472920e6b1c9e749ccfe3cb98c61dd5cc

SHA512
5acfc3bd9dd06f261ae110abb2169fdd821b21722255e1acab826d8e979424535b8fcb3d637657f33eff8976d2e99ce45120b88dd0f1893b5ef412002e659e9c

Download Submit
memory/1284-48-0x00000000005C0000-0x0000000000659000-memory.dmp

Filesize
612KB

Download
memory/1284-46-0x00000000005C0000-0x0000000000659000-memory.dmp

Filesize
612KB

Download
memory/1284-37-0x00000000005C0000-0x0000000000659000-memory.dmp

Filesize
612KB

Download
memory/1284-47-0x00000000010D0000-0x00000000010D2000-memory.dmp

Filesize
8KB

Download
memory/1284-41-0x00000000010D0000-0x00000000010D2000-memory.dmp

Filesize
8KB

Download
memory/1284-42-0x00000000005C0000-0x0000000000659000-memory.dmp

Filesize
612KB

Download
memory/2596-17-0x0000000000370000-0x00000000003F1000-memory.dmp

Filesize
516KB

Download
memory/2596-0-0x0000000000370000-0x00000000003F1000-memory.dmp

Filesize
516KB

Download
memory/2596-1-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/3728-20-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/3728-40-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/3728-21-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3728-11-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/3728-14-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing