urelas | ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81

General

Target

ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe
Size

512KB
MD5

ade6d6f7f467d686639210f197f53340
SHA1

dde698446fb9a96fa5fdd7dd496d2306c2d8c8a0
SHA256

ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81
SHA512

7658ab7f82c6080a3c43d185f84b68142765fa1679cb88c3def0dd8fec1b606f2dbdd263dbff78f48465e852bc22fc896ce9df48de8689e9c70976c12cd311e3
SSDEEP

12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKo0:3MUv2LAv9AQ1p4dKV

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	oqmyc.exe

Executes dropped EXE 2 IoCs

pid	Process
1500	oqmyc.exe
2612	wutyz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oqmyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wutyz.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe
2612	wutyz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 1500	4240	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe	82
PID 4240 wrote to memory of 1500	4240	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe	82
PID 4240 wrote to memory of 1500	4240	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe	82
PID 4240 wrote to memory of 60	4240	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe	83
PID 4240 wrote to memory of 60	4240	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe	83
PID 4240 wrote to memory of 60	4240	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe	83
PID 1500 wrote to memory of 2612	1500	oqmyc.exe	94
PID 1500 wrote to memory of 2612	1500	oqmyc.exe	94
PID 1500 wrote to memory of 2612	1500	oqmyc.exe	94

C:\Users\Admin\AppData\Local\Temp\ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe
"C:\Users\Admin\AppData\Local\Temp\ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\AppData\Local\Temp\oqmyc.exe
  "C:\Users\Admin\AppData\Local\Temp\oqmyc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\wutyz.exe
    "C:\Users\Admin\AppData\Local\Temp\wutyz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
0ae46872747e9bb1c11a1237b624aac0

SHA1
4516b8b0ce75ea48913a3f113f80b50c47838d2a

SHA256
1114839d3fa80c1e35f79c4b5792ef15cad30f66f27e529516adb55b9b7de7a4

SHA512
055f99365ed6ff2dd3ae98befce7c337a49bb6fab9816099190c72f566d185df6264aebaf704551bebf0066a68c1453ae9f5334173502ad2e7e06c6208f55f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
924ed22237b1fdc54813a898842a1c31

SHA1
051acc17f4ec5dcbf46587e4505ab01729f76e8d

SHA256
bfe6ad7759232d3e775104e74664d20fed5f5089e20ad5f3e724c1e9d74f1608

SHA512
eb8c298d73e9c39d712e65495147a6fc71cd9df21492f45194388cfca1eaefd6d75f753f581612c0177c30807db6b3789e256de7c22614fa8f483ebff74477bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqmyc.exe

Filesize
512KB

MD5
e626b1257545186d661f3971e45eb5c0

SHA1
59ac64ef37fa58337a6678bfc40f405833e13e75

SHA256
cb72a5d822d35702be954343e8db9952ff1443d380aadfe37b94ca0c4c6e9602

SHA512
e7f869885066cd722c8e123033d8a06ee6dcb47d201d4e4823591a55f59ae14cf173e360e125748ea83bdc0459bf04bdf6439cf804917bdeeac162972e81d471

Download Submit
C:\Users\Admin\AppData\Local\Temp\wutyz.exe

Filesize
172KB

MD5
392601bda3a00baec967bd4a1b221e63

SHA1
8e318a295bfe616d67771319270771c3709870e2

SHA256
8aad34a1c523658494a27b885a6dfea4615e2e84caa9888736aa21f803fd8f92

SHA512
788330fffa65ce498fdd5feef923337bebdd986a22c7be0bbb00e7db9ef4796ea147a35a026a7ecaf39747990c2eba5ae27f0bf78ee09fcf86aa25cb3ba803f5

Download Submit
memory/1500-10-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/1500-28-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/1500-17-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/2612-27-0x0000000000EC0000-0x0000000000EC2000-memory.dmp

Filesize
8KB

Download
memory/2612-26-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2612-29-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2612-34-0x0000000000EC0000-0x0000000000EC2000-memory.dmp

Filesize
8KB

Download
memory/2612-33-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2612-35-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/4240-0-0x0000000000D70000-0x0000000000DF1000-memory.dmp

Filesize
516KB

Download
memory/4240-14-0x0000000000D70000-0x0000000000DF1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing