urelas | 9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf

General

Target

9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe
Size

337KB
MD5

c1749cd7a60df883adf4d15377083478
SHA1

b89e18680af6018a480f4bb831a580be789711fd
SHA256

9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf
SHA512

3a29e2e822b263dd19fe1b2a10b25ffb75e0d4eb4c8e85d50e42ffed882b904a19266fe9d915a8cd62cdc9a42a61852e2426125e57db67951638824f4ceac33c
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoa:vHW138/iXWlK885rKlGSekcj66civ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	pehev.exe

Executes dropped EXE 2 IoCs

pid	Process
964	pehev.exe
3668	qasyu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pehev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qasyu.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe
3668	qasyu.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 964	4028	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe	83
PID 4028 wrote to memory of 964	4028	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe	83
PID 4028 wrote to memory of 964	4028	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe	83
PID 4028 wrote to memory of 632	4028	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe	84
PID 4028 wrote to memory of 632	4028	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe	84
PID 4028 wrote to memory of 632	4028	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe	84
PID 964 wrote to memory of 3668	964	pehev.exe	103
PID 964 wrote to memory of 3668	964	pehev.exe	103
PID 964 wrote to memory of 3668	964	pehev.exe	103

C:\Users\Admin\AppData\Local\Temp\9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe
"C:\Users\Admin\AppData\Local\Temp\9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\pehev.exe
  "C:\Users\Admin\AppData\Local\Temp\pehev.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\qasyu.exe
    "C:\Users\Admin\AppData\Local\Temp\qasyu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b6e4312b24e36024f9be4452c1849b6a

SHA1
13008ddd8f6a8f27c9b38a96c06017f4eef6d296

SHA256
f194a95ff2a879a8730113c1f2f3cf570dee5d609713e04e63e7089378fc99e7

SHA512
be9bf5b9a124b14cfd5f4959382f3ce33eb2a26e9c2a6f5546be252974018f8df277e0917e0291d92fb86b695378050cd00aecf4fba97b8739794682f5c863f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fb01936f3bd904926174a1167c34bc11

SHA1
cd0b691b5e406fc4e018a6e628a5cd0c0d3ab803

SHA256
471503e534232f820279342c5aa09347f06b2f84cd043bebb5a5057b9fded490

SHA512
59640cd3713e1649aa63c6847ec8e83e9b08f596ad8f7241f562365fbeeb5a5fb8518caeb2f3b312778a1389a64598e878d1c9c117fa029a24e5de21cc42c038

Download Submit
C:\Users\Admin\AppData\Local\Temp\pehev.exe

Filesize
337KB

MD5
d70c271efa501fcb1c8d5cdc7534d124

SHA1
fe6f7832d26773c16fa93aa6d494b2d70428c5b2

SHA256
81934db0bfa6bd0ab7582bb1d70f9488a150785b843c9636380e8c8657467c41

SHA512
810a4fa664d3765e93d2d954c22ecb0577081f224259b4d88c66da78f9f4b5c2ef32a558ee31fba1cd969bb01f223543618c3756c0724dd63a1a257887900bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qasyu.exe

Filesize
172KB

MD5
3d9df09ca0bab48c3ad890f2c7140109

SHA1
7f27a4c9f087870d22732df77717d414b32e0d8c

SHA256
129564a786184f8a635a68831dd6913c7902086655909153e8a5e06461e9cc62

SHA512
0039f23d72abb7d468b7e978f6b75fc9940ca88ff16579f3c793babc270aa5209da854b91d2b9ac2dcbbfc8314c14447ccd547614165a462e014c02c8580cd23

Download Submit
memory/964-21-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/964-20-0x0000000000280000-0x0000000000301000-memory.dmp

Filesize
516KB

Download
memory/964-11-0x0000000000280000-0x0000000000301000-memory.dmp

Filesize
516KB

Download
memory/964-12-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/964-39-0x0000000000280000-0x0000000000301000-memory.dmp

Filesize
516KB

Download
memory/3668-40-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/3668-41-0x0000000000F90000-0x0000000001029000-memory.dmp

Filesize
612KB

Download
memory/3668-42-0x0000000000F90000-0x0000000001029000-memory.dmp

Filesize
612KB

Download
memory/3668-46-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/3668-47-0x0000000000F90000-0x0000000001029000-memory.dmp

Filesize
612KB

Download
memory/3668-48-0x0000000000F90000-0x0000000001029000-memory.dmp

Filesize
612KB

Download
memory/4028-1-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/4028-0-0x0000000000680000-0x0000000000701000-memory.dmp

Filesize
516KB

Download
memory/4028-17-0x0000000000680000-0x0000000000701000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing