urelas | ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1

General

Target

ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe
Size

336KB
MD5

36d0dc1c7948e2aa55e3bda8294bd3c0
SHA1

9cf4e9855e98155b29ac017e374058c4c34c36b3
SHA256

ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1
SHA512

852412a2cd920486b664569765f39d71119785ceb8580888405e8858f0c6a8c8906b7f903a10607ad17d50674aa9d04af6819b3f976f7cb48887c9a71370f899
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKo1:vHW138/iXWlK885rKlGSekcj66ciI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	yllyp.exe

Executes dropped EXE 2 IoCs

pid	Process
4784	yllyp.exe
5020	suowr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yllyp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	suowr.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe
5020	suowr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 4784	4456	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe	83
PID 4456 wrote to memory of 4784	4456	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe	83
PID 4456 wrote to memory of 4784	4456	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe	83
PID 4456 wrote to memory of 4888	4456	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe	84
PID 4456 wrote to memory of 4888	4456	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe	84
PID 4456 wrote to memory of 4888	4456	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe	84
PID 4784 wrote to memory of 5020	4784	yllyp.exe	102
PID 4784 wrote to memory of 5020	4784	yllyp.exe	102
PID 4784 wrote to memory of 5020	4784	yllyp.exe	102

C:\Users\Admin\AppData\Local\Temp\ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe
"C:\Users\Admin\AppData\Local\Temp\ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\yllyp.exe
  "C:\Users\Admin\AppData\Local\Temp\yllyp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\suowr.exe
    "C:\Users\Admin\AppData\Local\Temp\suowr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b0c0e41b9e3e0128b1506ee4bf214213

SHA1
41bb14bf022701f64c79f9e8fb4f6707bebe3d85

SHA256
0896bc37715bbc89d61b1a0e1127c54168b21055fa6c344b58c003e18931251e

SHA512
bb399fb366376dd47279ac6d391c84b3819e8c34e64886869953c25f232168908082da1b9cdd379dc7f18600c3d976a35579e3856079ef15ee1d2b8ead16549f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d406e0ba84fc736acd5481a74728e459

SHA1
ae44f5e4aa37b8c450b649ff4fc79ef38ab9f9fc

SHA256
8350001408d5dd73b34db81d9e7e1125de021bd57b2b57afa0fc948a08ca7d3c

SHA512
5b1591c882705aa5394848f6194a345fab053dafa247ebb1916e8c741d8e2306b0e0aec043f6073062b9a8c86a22e621aeef75c19046a3e37b662c8892eaadc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\suowr.exe

Filesize
172KB

MD5
af9b4eb5e7880633aae164cc466d574e

SHA1
29d0bb04039f61a2add5d349f6a5c0e00197385d

SHA256
6845871b7b2d59ad920c8e6dc6cd36e9ac49ad3b9540e1cc169fbdc3e8b9ffce

SHA512
6f2a60d6a38cbb5d9f9f6e16f972fbc1e778619958852463c235088158b82cd353da2197592425e840e2a161baa7043c41a91d782bcda191eb7172d38cd08995

Download Submit
C:\Users\Admin\AppData\Local\Temp\yllyp.exe

Filesize
336KB

MD5
11b2dd56e9bb820d8caf39296c5f4398

SHA1
a9be9e7b974cc8d6717a66b6121daecdb9725168

SHA256
8914044608d456a49312bfe5aab66c114ff1f51d3cc85077f32e460b266a4cdc

SHA512
4dfba735be0444d240356eccd33ae88641ea92e8ad704f2713b19f0dd2422c6e3274c659ba25b34cb489065f72fcd155be753a5b8c70a5e13c33279d7ea2d6ba

Download Submit
memory/4456-1-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4456-0-0x00000000004F0000-0x0000000000571000-memory.dmp

Filesize
516KB

Download
memory/4456-17-0x00000000004F0000-0x0000000000571000-memory.dmp

Filesize
516KB

Download
memory/4784-20-0x00000000005F0000-0x0000000000671000-memory.dmp

Filesize
516KB

Download
memory/4784-15-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/4784-21-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/4784-11-0x00000000005F0000-0x0000000000671000-memory.dmp

Filesize
516KB

Download
memory/4784-40-0x00000000005F0000-0x0000000000671000-memory.dmp

Filesize
516KB

Download
memory/5020-37-0x0000000000160000-0x00000000001F9000-memory.dmp

Filesize
612KB

Download
memory/5020-41-0x0000000000DE0000-0x0000000000DE2000-memory.dmp

Filesize
8KB

Download
memory/5020-42-0x0000000000160000-0x00000000001F9000-memory.dmp

Filesize
612KB

Download
memory/5020-47-0x0000000000DE0000-0x0000000000DE2000-memory.dmp

Filesize
8KB

Download
memory/5020-46-0x0000000000160000-0x00000000001F9000-memory.dmp

Filesize
612KB

Download
memory/5020-48-0x0000000000160000-0x00000000001F9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing