urelas | 1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60

General

Target

1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
Size

337KB
MD5

e6b76480839da7c11075198a296521db
SHA1

16ea461d8ccd09bda7f9535d24448bc46d897425
SHA256

1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60
SHA512

3f0a99d13b9a77f0570f45c9be72c0e52ae34101de65924ee6091e2df8238c1e9e433453569b17ed8caa142fb603c3c163574a9f19063b0793a56665dc4fc440
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKCM:vHW138/iXWlK885rKlGSekcj66ciZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	icjiz.exe

Executes dropped EXE 2 IoCs

pid	Process
4464	icjiz.exe
1032	zypov.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icjiz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zypov.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe
1032	zypov.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 4464	3212	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	85
PID 3212 wrote to memory of 4464	3212	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	85
PID 3212 wrote to memory of 4464	3212	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	85
PID 3212 wrote to memory of 3224	3212	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	86
PID 3212 wrote to memory of 3224	3212	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	86
PID 3212 wrote to memory of 3224	3212	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	86
PID 4464 wrote to memory of 1032	4464	icjiz.exe	105
PID 4464 wrote to memory of 1032	4464	icjiz.exe	105
PID 4464 wrote to memory of 1032	4464	icjiz.exe	105

C:\Users\Admin\AppData\Local\Temp\1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
"C:\Users\Admin\AppData\Local\Temp\1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Users\Admin\AppData\Local\Temp\icjiz.exe
  "C:\Users\Admin\AppData\Local\Temp\icjiz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Users\Admin\AppData\Local\Temp\zypov.exe
    "C:\Users\Admin\AppData\Local\Temp\zypov.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a0c488d232db3ca63d36e74b97204d55

SHA1
208d0c1a9151a12e595a11e8619232e6cd127acb

SHA256
11b4793224a20e7bd0c38fc6fb7fb81bbe7aee3223dc73ba80bcddd263054c05

SHA512
73a0f5565c767226837add0668e88825f0cc18b90859b32225eb5e5da5d93002c8a8cda5a01c07d8539e205e9ce393deb745a99c5e207409b88aeac4327721d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bd6848560efc13daf96389f4641e6f74

SHA1
e156dcaf9819e4736864503aca398d28093ac08e

SHA256
28f44c757fe3838a26f72165e4bee5ee8f546f87a16d4350cf51a23a51342abb

SHA512
6f94b3a8da7d2e6e62021bdac53dc87df3f3467f76bc4be6f3422d7ac7a299dccee6b10eb30b5f6c39a3f58dcf281b52db9a1901fb031c2daf5af69418d6d7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\icjiz.exe

Filesize
337KB

MD5
0d041e1fa7b760c030735417b3c8364b

SHA1
4d5c8738eda933cddfcc3cac8f428601c393aac2

SHA256
2c8aff467638c34728dec89c13ef4a6a8e881d6400f70d37bfc9ff95b05657b8

SHA512
85548511854357d4d1f5b1f62930fe3ee1336a19e6233b90b50cf4a964c545d1490715afcbeb91254a64dd39e1e4ad40e1ddb0714225b4f1b2ca6f7b73773b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\zypov.exe

Filesize
172KB

MD5
fa23400d29a9fc63b3cfae8e63d063b6

SHA1
731da8cbd982b4adb95c7707e4ce6184993ccaf1

SHA256
cda87af6cf4c12d81db72718fb89e5db02ea6ca44e6b2d456438f376576eee4a

SHA512
0516ec024c8d546dddd60548ac4cbd7417d3442dca936bf63db6983b9a91ab48b24379cf30d52dbe42c062c01df43840a50911e0eb054369a522a078c70e327f

Download Submit
memory/1032-47-0x00000000002E0000-0x0000000000379000-memory.dmp

Filesize
612KB

Download
memory/1032-41-0x00000000002E0000-0x0000000000379000-memory.dmp

Filesize
612KB

Download
memory/1032-45-0x00000000002E0000-0x0000000000379000-memory.dmp

Filesize
612KB

Download
memory/1032-46-0x00000000007F0000-0x00000000007F2000-memory.dmp

Filesize
8KB

Download
memory/1032-40-0x00000000007F0000-0x00000000007F2000-memory.dmp

Filesize
8KB

Download
memory/1032-39-0x00000000002E0000-0x0000000000379000-memory.dmp

Filesize
612KB

Download
memory/3212-16-0x00000000009E0000-0x0000000000A61000-memory.dmp

Filesize
516KB

Download
memory/3212-0-0x00000000009E0000-0x0000000000A61000-memory.dmp

Filesize
516KB

Download
memory/3212-1-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4464-14-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/4464-38-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download
memory/4464-20-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/4464-19-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download
memory/4464-13-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing