urelas | 58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96

General

Target

58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe
Size

335KB
MD5

f52d3281e69ae3ddbebd9a491f2e4510
SHA1

0cef681704c8587ef790d9912b2ee5050af93ca4
SHA256

58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96
SHA512

110deb3bbd9419f80df41a351a51072c7db02060c6ff9be197291a5494c50fa20b97fbe0ac4c7884f6aa9f9865bb2481d99a03bc80e4c5182fbfe9361453423d
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIc8:vHW138/iXWlK885rKlGSekcj66ci/

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	evqii.exe

Executes dropped EXE 2 IoCs

pid	Process
2336	evqii.exe
4672	neutr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evqii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neutr.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe
4672	neutr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2336	2548	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe	82
PID 2548 wrote to memory of 2336	2548	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe	82
PID 2548 wrote to memory of 2336	2548	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe	82
PID 2548 wrote to memory of 1672	2548	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe	83
PID 2548 wrote to memory of 1672	2548	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe	83
PID 2548 wrote to memory of 1672	2548	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe	83
PID 2336 wrote to memory of 4672	2336	evqii.exe	94
PID 2336 wrote to memory of 4672	2336	evqii.exe	94
PID 2336 wrote to memory of 4672	2336	evqii.exe	94

C:\Users\Admin\AppData\Local\Temp\58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe
"C:\Users\Admin\AppData\Local\Temp\58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\evqii.exe
  "C:\Users\Admin\AppData\Local\Temp\evqii.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\neutr.exe
    "C:\Users\Admin\AppData\Local\Temp\neutr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
bda9cc642d0f59b1fd4e0b61100d9fb0

SHA1
d7a795db88d5fe019a5420e8e4284443b5d6835a

SHA256
cee677f974869a541e96fb39b5174cdbdd4e09d8bc162c77347852da38767f1a

SHA512
6581143053bca038c2095e95522a10719e392fdd5320a4eeca0e996ca604b10f89b0be8f2fbd5607981e3e5d821cdc778b5fd3550a8145928092e72aa09272e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\evqii.exe

Filesize
335KB

MD5
a3f4d0de6e4689e7e0b0435c871637c1

SHA1
3526dda67235d5c9485e29e572f2861550e0355d

SHA256
63370763d2137e3e8e35bc04aa91f576c3a516306a6a3d0a9ac44e04414df5ce

SHA512
8ed3b52901931530cc4db7cba669c9c809a5b27e46fa82f977850b2723adb1ae2abe6e1f5a6974d063610e547cc5759b993aa238608379902b1058004a806cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8c107f63a484dcee38cae2cf4f77eef4

SHA1
317e658ea15fc2a05010ce38af52f68670457db9

SHA256
7479b364cc9cf1eef8c94a44ca01754967d80439242b9d2cdede8b14f26e50dc

SHA512
e22f9cc0fa8ff2ad2201058f21435bcc5bcd870f8da1a7f025d8eec72377f57caae831c104d5e7e72b8ce99541adf5574868006bf5228789110330ef7bd27dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\neutr.exe

Filesize
172KB

MD5
6ed43d20567f4393888b91308f270077

SHA1
c64e8eee787cbd95b54ab070deb87c8aec0be8ff

SHA256
3bab0f500c90d5ddf181a1bd165d4afdc5d2dccb35148a62db77f8d048b6e208

SHA512
21a7406e00b9b188f4c33ba166c76e630393b44f1a610e5c0f15d5d19b8e99fd7bd91cb8b442063560afddd06c583ab9d31da8ca34eee0319f1a20b8cffdc73b

Download Submit
memory/2336-20-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2336-13-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2336-15-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/2336-43-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-17-0x0000000000950000-0x00000000009D1000-memory.dmp

Filesize
516KB

Download
memory/2548-0-0x0000000000950000-0x00000000009D1000-memory.dmp

Filesize
516KB

Download
memory/2548-1-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/4672-39-0x0000000000350000-0x00000000003E9000-memory.dmp

Filesize
612KB

Download
memory/4672-38-0x0000000000DB0000-0x0000000000DB2000-memory.dmp

Filesize
8KB

Download
memory/4672-37-0x0000000000350000-0x00000000003E9000-memory.dmp

Filesize
612KB

Download
memory/4672-45-0x0000000000DB0000-0x0000000000DB2000-memory.dmp

Filesize
8KB

Download
memory/4672-46-0x0000000000350000-0x00000000003E9000-memory.dmp

Filesize
612KB

Download
memory/4672-47-0x0000000000350000-0x00000000003E9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing