urelas | ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6

General

Target

ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe
Size

335KB
MD5

28b8654544104c69057653f470567020
SHA1

75c7d9aaf9238f5ea4a74e8a021380479b3db10f
SHA256

ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6
SHA512

87c67b343f56522958ba1f539f07ae4b403655f99beccafeb7cf03a6f1b540f18a0ea2941607029468fd1e6e81b2cdf3d63d3103aa25b6225d4fbca5ee7dbbd1
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIrN:vHW138/iXWlK885rKlGSekcj66ciz

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	neleh.exe

Executes dropped EXE 2 IoCs

pid	Process
348	neleh.exe
2000	siuvy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neleh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	siuvy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe
2000	siuvy.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 348	4500	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe	83
PID 4500 wrote to memory of 348	4500	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe	83
PID 4500 wrote to memory of 348	4500	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe	83
PID 4500 wrote to memory of 1264	4500	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe	84
PID 4500 wrote to memory of 1264	4500	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe	84
PID 4500 wrote to memory of 1264	4500	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe	84
PID 348 wrote to memory of 2000	348	neleh.exe	104
PID 348 wrote to memory of 2000	348	neleh.exe	104
PID 348 wrote to memory of 2000	348	neleh.exe	104

C:\Users\Admin\AppData\Local\Temp\ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe
"C:\Users\Admin\AppData\Local\Temp\ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\neleh.exe
  "C:\Users\Admin\AppData\Local\Temp\neleh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Users\Admin\AppData\Local\Temp\siuvy.exe
    "C:\Users\Admin\AppData\Local\Temp\siuvy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
2ef22e5faadc14ff7a413d15647e3ca2

SHA1
04b748a9cb6cec12e0a723acad93b47e1e9db424

SHA256
5b30fda84897092fb8374c8f9f7af5dced96cea14b2f01725f54d88f159a7d4f

SHA512
7b0b17e6ae9b2f41b55cdb4dcd609dfe07128d2c8327448536ac3347f3295146fea26c224e0236954d2fa41841e23636d80390bcf66c43172482b9908b97046e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
60fa6f164a456bdc5e611fe2464b424a

SHA1
2221436f2982e5ad6841acbb52e25667faee78e6

SHA256
0208cb1daccac22e6592b183988c34c990d95f4809f619a7395d7c4ef35b8376

SHA512
c30ea85cd8d513de6863d755b66513f424576b7a3d7ecbf9e694c75f2b474c19448d82af0dbb76833f4077e6466536b93cd4a8fac08d8527a0bc93a807469a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\neleh.exe

Filesize
335KB

MD5
7ca60d5d4531739d4c8a504126369d7f

SHA1
3d6082fd2d2fcd63e5f7225550c4036909b49b39

SHA256
1455424975bd3f78916efe0aca54955e8f0707e4ba38f92eb50a44ac2018e484

SHA512
b9b67c89fd7155cd3c06404acd8add857fc663b8c171717b9d916ad2dd6dc5c9d9de3ea7b4322165d253dadd62a9ecad397097c6688131672ef870114df3f7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\siuvy.exe

Filesize
172KB

MD5
f676329643e3e588c2fe186a3ef3b6b1

SHA1
2c9fdc3385c5aa6828206c1e766221f6d5c75903

SHA256
8150953898d7d7b011eee6769294fbb712bbc88e5fc15bfd5aa8320475d365e7

SHA512
98bd67509103e8ad88f92e5a02c478306dab193808e84cfe24b351dcee543427f94bcdadafb50df48084bc5e3b821c5d35591df5c45a9be794b5fccf4be311bc

Download Submit
memory/348-19-0x0000000000120000-0x00000000001A1000-memory.dmp

Filesize
516KB

Download
memory/348-20-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/348-14-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/348-11-0x0000000000120000-0x00000000001A1000-memory.dmp

Filesize
516KB

Download
memory/348-38-0x0000000000120000-0x00000000001A1000-memory.dmp

Filesize
516KB

Download
memory/2000-41-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2000-40-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2000-39-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2000-46-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2000-45-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2000-47-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/4500-1-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/4500-0-0x0000000000F60000-0x0000000000FE1000-memory.dmp

Filesize
516KB

Download
memory/4500-16-0x0000000000F60000-0x0000000000FE1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing