urelas | e9d252e2f88acbdb94168255224d75ad0dd280b6a80f382d61be56cc173c48bf

General

Target

e9d252e2f88acbdb94168255224d75ad0dd280b6a80f382d61be56cc173c48bfN.exe
Size

336KB
MD5

264d6e40e3ec8e7a2f498e503f1c0600
SHA1

721743fc6ebafe6aa19eb6f7bd90cf336ad10afb
SHA256

e9d252e2f88acbdb94168255224d75ad0dd280b6a80f382d61be56cc173c48bf
SHA512

b909bcda0fbebcd2d383ed5f7966954acab88858f8c920c0d4b2635ddd852457a2bf46878b97b798ed1722894ebdd9d1d6f8e88b7381ac0cf324cfcc7762f4ba
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcEc:vHW138/iXWlK885rKlGSekcj66cig

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	e9d252e2f88acbdb94168255224d75ad0dd280b6a80f382d61be56cc173c48bfN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wuure.exe

Executes dropped EXE 2 IoCs

pid	Process
2328	wuure.exe
552	feyfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feyfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9d252e2f88acbdb94168255224d75ad0dd280b6a80f382d61be56cc173c48bfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuure.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe
552	feyfx.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2328	1044	e9d252e2f88acbdb94168255224d75ad0dd280b6a80f382d61be56cc173c48bfN.exe	82
PID 1044 wrote to memory of 2328	1044	e9d252e2f88acbdb94168255224d75ad0dd280b6a80f382d61be56cc173c48bfN.exe	82
PID 1044 wrote to memory of 2328	1044	e9d252e2f88acbdb94168255224d75ad0dd280b6a80f382d61be56cc173c48bfN.exe	82
PID 1044 wrote to memory of 2524	1044	e9d252e2f88acbdb94168255224d75ad0dd280b6a80f382d61be56cc173c48bfN.exe	83
PID 1044 wrote to memory of 2524	1044	e9d252e2f88acbdb94168255224d75ad0dd280b6a80f382d61be56cc173c48bfN.exe	83
PID 1044 wrote to memory of 2524	1044	e9d252e2f88acbdb94168255224d75ad0dd280b6a80f382d61be56cc173c48bfN.exe	83
PID 2328 wrote to memory of 552	2328	wuure.exe	94
PID 2328 wrote to memory of 552	2328	wuure.exe	94
PID 2328 wrote to memory of 552	2328	wuure.exe	94

C:\Users\Admin\AppData\Local\Temp\e9d252e2f88acbdb94168255224d75ad0dd280b6a80f382d61be56cc173c48bfN.exe
"C:\Users\Admin\AppData\Local\Temp\e9d252e2f88acbdb94168255224d75ad0dd280b6a80f382d61be56cc173c48bfN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\wuure.exe
  "C:\Users\Admin\AppData\Local\Temp\wuure.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\feyfx.exe
    "C:\Users\Admin\AppData\Local\Temp\feyfx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
e3cefe813af42936d8451f502211632d

SHA1
209d59c2c4afaefe766f23edcdae0166537a30a1

SHA256
157856986cba0de974eb035ef94bd102cc60f6188146d40232340e663a204451

SHA512
fdd4624aec91afecd4cd4d32ee9d501ef4aa4e48461d32ee35009e77edf36ad3c4c58618995d1900ffb7ebb831c9cb599b10e6010c23c7cf01599950cadc83f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\feyfx.exe

Filesize
172KB

MD5
e22361cac0a4034b2db0f98261128c2c

SHA1
7ef9791d218355d74944aaced8dd029afb6c5af7

SHA256
c51218a81212756f1f138c6d37598193a9e2bec8d7d906651ec117ea116c2c91

SHA512
09fa8c626f9448d14f897448fab13235c886e3555b7aeeced75a134ff15b63e32c16c99acf4fede2581bf9b2c57f33365bad74de113d389f82d85ee2e2c51696

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
052be3c2a761f44ce44c624142b84674

SHA1
a90ec5428b67c10f7868a1b3608b3e1b698966da

SHA256
2908d2c9d5fe2dd3e47db25af2ba858cd2e23c8e91f07b30c73d2c1e2a8f1b62

SHA512
77e354fd0cecb408ff2fd393553962963d734ac1f1ac9cd98cd8fc760545fdd15c82c9c29443a82d5b315099ef112733fd0cab68b2e8bfa451c4037a3d228674

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuure.exe

Filesize
336KB

MD5
1e5c26949df477aa74f4c6cc318aecb7

SHA1
5f590f8061be61587f284d18e921acd8f7c5e74f

SHA256
faa7c92ba2421ba70612851f1d0e1164ee825ed489b0ed03c4bfdd3b1939f138

SHA512
46bf21d8506b1a6ef1d3c35d3912a42aaede41031de83cad982934a7506a14b988d5ec879a018f634ce021c2388d6a49de84ecaded920326bbd9e1ab802f5fda

Download Submit
memory/552-47-0x0000000000600000-0x0000000000699000-memory.dmp

Filesize
612KB

Download
memory/552-45-0x0000000000600000-0x0000000000699000-memory.dmp

Filesize
612KB

Download
memory/552-40-0x0000000001290000-0x0000000001292000-memory.dmp

Filesize
8KB

Download
memory/552-46-0x0000000001290000-0x0000000001292000-memory.dmp

Filesize
8KB

Download
memory/552-37-0x0000000000600000-0x0000000000699000-memory.dmp

Filesize
612KB

Download
memory/552-41-0x0000000000600000-0x0000000000699000-memory.dmp

Filesize
612KB

Download
memory/1044-16-0x0000000000580000-0x0000000000601000-memory.dmp

Filesize
516KB

Download
memory/1044-0-0x0000000000580000-0x0000000000601000-memory.dmp

Filesize
516KB

Download
memory/1044-1-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2328-19-0x00000000002B0000-0x0000000000331000-memory.dmp

Filesize
516KB

Download
memory/2328-39-0x00000000002B0000-0x0000000000331000-memory.dmp

Filesize
516KB

Download
memory/2328-20-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2328-11-0x00000000002B0000-0x0000000000331000-memory.dmp

Filesize
516KB

Download
memory/2328-14-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing