urelas | 77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09

General

Target

77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
Size

438KB
MD5

b40e208afec48c1c8d1e41e87d015453
SHA1

56fedd2c3fa4b49bd550ef362180e8d7a26b334f
SHA256

77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09
SHA512

f104219b752306fe690607f2d123dd2d1604d6b36257eaebe58696bbd2beb2454b32b20c7779ce2a24af083ec2cc1744fe3e53323448430e39d88be9ffed0316
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMM2:rKf1PyKa2H3hOHOHz9JQ6zB8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	izzue.exe

Executes dropped EXE 2 IoCs

pid	Process
3840	izzue.exe
2016	xiyxo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	izzue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xiyxo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe
2016	xiyxo.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 3840	400	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	82
PID 400 wrote to memory of 3840	400	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	82
PID 400 wrote to memory of 3840	400	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	82
PID 400 wrote to memory of 4512	400	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	83
PID 400 wrote to memory of 4512	400	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	83
PID 400 wrote to memory of 4512	400	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	83
PID 3840 wrote to memory of 2016	3840	izzue.exe	94
PID 3840 wrote to memory of 2016	3840	izzue.exe	94
PID 3840 wrote to memory of 2016	3840	izzue.exe	94

C:\Users\Admin\AppData\Local\Temp\77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
"C:\Users\Admin\AppData\Local\Temp\77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\izzue.exe
  "C:\Users\Admin\AppData\Local\Temp\izzue.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Users\Admin\AppData\Local\Temp\xiyxo.exe
    "C:\Users\Admin\AppData\Local\Temp\xiyxo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
18cf1d671fe761828e90f702d62429ba

SHA1
e2bde96e97376e360e63107ca7c97bae293545ca

SHA256
a84a755ffdbdaa156ddb7f8143e74d3f64e00de1c01cd0382c38a9b6eae0ad77

SHA512
42a26336d3c0c1184ad03c2987e18f331205a5df82babfbe4d13fa198066ca4bc8ee26543e3963878cb95a59191d8c477a3a975e0c8ea0cb2b31b24fa1202282

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b106071b603a21628ef84647c1a3b449

SHA1
ae69f2eb29ef46c8ff782b318bb7de2a1944f1ee

SHA256
5e6942d38ff0508aedb5432faba8f7f4fdda9b20ab0648a0257557e6744619d4

SHA512
a1f48973fee58d7243ce9b7fe07ceb39b2ac18eb77bc6d67e7d9e1b81922c0d125503686b373d346d6fb7769693043ea140a3f1bc518c5f73828d8dec9d0eb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\izzue.exe

Filesize
438KB

MD5
a2755490039d9635c2a03e3d15bc3821

SHA1
15b24b86c4ff3e42a6a40b13428e18bea5e7d08b

SHA256
fd1d9613c8f3dd9d111db6752020c5614e632a84ca3a50b0d963fa1c237f083e

SHA512
95631c6cb70e8d477f81dc70f7782846ba967005e7e1ff04e39d17a1d9341d9d7681fa55e9fcac9bb2483dcbc30f13e4f1884dffb5d01b53f723d73c1956b38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xiyxo.exe

Filesize
230KB

MD5
393a972114013534565451ec020bda9c

SHA1
be2db93ff64a6488ee0c0a9a65f8a0698553e741

SHA256
714885ecbb41780de8cfb3b6617569f2015c1e15ab4e97b32647ff57e4d6aacb

SHA512
7d855a1bb08534f2bece89d19e6e51283e69ce62f48f46f8a494393399936c00e9b79ef8cd0bf7419651dcb8ab5754fdafed673c6433684f97fa4379bf9bf3f5

Download Submit
memory/400-14-0x0000000000B60000-0x0000000000BCE000-memory.dmp

Filesize
440KB

Download
memory/400-0-0x0000000000B60000-0x0000000000BCE000-memory.dmp

Filesize
440KB

Download
memory/2016-30-0x0000000000BD0000-0x0000000000C6E000-memory.dmp

Filesize
632KB

Download
memory/2016-32-0x0000000000BD0000-0x0000000000C6E000-memory.dmp

Filesize
632KB

Download
memory/2016-25-0x0000000000BD0000-0x0000000000C6E000-memory.dmp

Filesize
632KB

Download
memory/2016-31-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2016-28-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3840-17-0x0000000000030000-0x000000000009E000-memory.dmp

Filesize
440KB

Download
memory/3840-27-0x0000000000030000-0x000000000009E000-memory.dmp

Filesize
440KB

Download
memory/3840-10-0x0000000000030000-0x000000000009E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing