urelas | dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4

General

Target

dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe
Size

337KB
MD5

2ce6c45531d66440c0c8d873ea9fee60
SHA1

d1807d51421c176e6b59c7e401ccbf10e488fa7e
SHA256

dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4
SHA512

583805c1320b19ca44ba4e496d3ba068a0dc7a412f96a270d4a80d7a33b49040b03d8ca3065bdc8649f166d686fc54c07aa8a4238cc1dccf78ecd5bbd2a05c54
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoa:vHW138/iXWlK885rKlGSekcj66ciP

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	yxyzn.exe

Executes dropped EXE 2 IoCs

pid	Process
4984	yxyzn.exe
4568	jydao.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yxyzn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jydao.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe
4568	jydao.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 4984	2576	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe	82
PID 2576 wrote to memory of 4984	2576	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe	82
PID 2576 wrote to memory of 4984	2576	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe	82
PID 2576 wrote to memory of 860	2576	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe	83
PID 2576 wrote to memory of 860	2576	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe	83
PID 2576 wrote to memory of 860	2576	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe	83
PID 4984 wrote to memory of 4568	4984	yxyzn.exe	94
PID 4984 wrote to memory of 4568	4984	yxyzn.exe	94
PID 4984 wrote to memory of 4568	4984	yxyzn.exe	94

C:\Users\Admin\AppData\Local\Temp\dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe
"C:\Users\Admin\AppData\Local\Temp\dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\yxyzn.exe
  "C:\Users\Admin\AppData\Local\Temp\yxyzn.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\jydao.exe
    "C:\Users\Admin\AppData\Local\Temp\jydao.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
afa2643704a00f92eae795c03cd97c08

SHA1
8577ed73b7e16c5e9adc919b91d7904249548afa

SHA256
dbb261a200543e4a82ad4b487c626a6ed3f71f14d83af99079e1a047b6ad5e11

SHA512
0b490ce654b85303043a2e24e10814f70f172babc16cc0b2770c74e63e1068d0740700832629d4973da5cbce2d87d18cf42003744496bf2304049bdb9df6a06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
26aff1888c7ba05e6fe27c470c6cd71c

SHA1
1fa9d4e95499a3af870ce0ccd010e67dbf83eaf7

SHA256
848e5fadbeb15dbab30e916ec0f9ca96ae8446aa63141d18c6dbdd098c4e134b

SHA512
6d73448a2d132eb422d7cc40235ddca85a4304e285d81368f9be791e5e66d00f71fb98beec71004f0179efebd0abc08de295949e2f556742311f8702fdd47120

Download Submit
C:\Users\Admin\AppData\Local\Temp\jydao.exe

Filesize
172KB

MD5
13e254ae3175db498ab792bc28fddaaa

SHA1
f4f1ca636995afa78b40951a89a262265ca95775

SHA256
3653da7fe65d41223e92413c228a0201cc839d2bc45d25cdccdcec9b013d12a7

SHA512
06e1a295e8b02673d7bef510ed2e53e695b49426181a60dc0d1bfb09e22a5e4d1f16b50e07598ffafe857f503b9fc1a6a8bc5b88e0f8886ede3d21f825346a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yxyzn.exe

Filesize
337KB

MD5
4294ea5ad3f2bdddea13b6fd803525bf

SHA1
ef75c3da585700694ce9ec7f52240634a23c6383

SHA256
238a3f8df6f9494393056416496ae3ce91cf09f15c37eddc24fb583d381bcc8b

SHA512
86f7515d5a18c98cc7027d8373e105a434c086e2b5eaaa3b9fe5553add7aaeebae8e76d20441e007fded55f9d8cd417c1d27b1a7b0843bedd4deb805af23d96e

Download Submit
memory/2576-0-0x00000000009D0000-0x0000000000A51000-memory.dmp

Filesize
516KB

Download
memory/2576-17-0x00000000009D0000-0x0000000000A51000-memory.dmp

Filesize
516KB

Download
memory/2576-1-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/4568-47-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/4568-46-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/4568-38-0x0000000000F40000-0x0000000000F42000-memory.dmp

Filesize
8KB

Download
memory/4568-37-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/4568-45-0x0000000000F40000-0x0000000000F42000-memory.dmp

Filesize
8KB

Download
memory/4568-41-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/4984-14-0x0000000000E50000-0x0000000000ED1000-memory.dmp

Filesize
516KB

Download
memory/4984-40-0x0000000000E50000-0x0000000000ED1000-memory.dmp

Filesize
516KB

Download
memory/4984-20-0x0000000000E50000-0x0000000000ED1000-memory.dmp

Filesize
516KB

Download
memory/4984-15-0x0000000001410000-0x0000000001411000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing