urelas | 419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516

General

Target

419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe
Size

629KB
MD5

65bcc6d98ef06f7a05fa1e6071bd4b7c
SHA1

4c9886823fd7909cb9e4bc4f1fec0a7727333613
SHA256

419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516
SHA512

091cbdd872abad97c056fe26b2787ea130ad98d3a2a10319587ab15c1ff0107b84065cf557e9a5642132b4192b83c3c8c45b3234e589386e6f7d9a78a0a4f6bc
SSDEEP

6144:hmbmLppYOuakY1q5Q4XMxvQ4x1OpGcm9VQl0lM/oJ4/gupe10L:hma6id1Q8zzkGHVqoq/gI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	ecbil.exe

Executes dropped EXE 2 IoCs

pid	Process
4392	ecbil.exe
3088	pixyj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pixyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecbil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe
3088	pixyj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 4392	3636	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe	86
PID 3636 wrote to memory of 4392	3636	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe	86
PID 3636 wrote to memory of 4392	3636	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe	86
PID 3636 wrote to memory of 3656	3636	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe	87
PID 3636 wrote to memory of 3656	3636	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe	87
PID 3636 wrote to memory of 3656	3636	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe	87
PID 4392 wrote to memory of 3088	4392	ecbil.exe	92
PID 4392 wrote to memory of 3088	4392	ecbil.exe	92
PID 4392 wrote to memory of 3088	4392	ecbil.exe	92

C:\Users\Admin\AppData\Local\Temp\419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe
"C:\Users\Admin\AppData\Local\Temp\419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\ecbil.exe
  "C:\Users\Admin\AppData\Local\Temp\ecbil.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\pixyj.exe
    "C:\Users\Admin\AppData\Local\Temp\pixyj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
90ecf04d76a514f09e375302d375342e

SHA1
aad04c4559360c6e7264268c75601ff1a11e9a13

SHA256
d30dbb60eabe6a7995ece1c84b231146bee35bf630efd75368c4b4324dea9f3a

SHA512
fe54a57e4cad4eb33af351c10ad3b416df41c8ece60ea47d84933599a285569bed19eff0610eb02813e2eadd8e1528afbda6e207948f19443f48513a504a7062

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecbil.exe

Filesize
629KB

MD5
ffd515348d4b8bbc2585b38a1adfc6bd

SHA1
4a884d150716a9204d909a812e492d72e8c5e576

SHA256
3a0c282bbdb11bdc43a7fa92aef7b525f799e5aa7cb8941ad5473e605add509c

SHA512
8d2a7f9eefe9c612d720ff457d792c27859bb914bb5f663e883c28b07e0e86e1a3d5ce860641d795fa5f5b8cdac3c76fa4ac8c541c2ecfa13962afb18b350f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
54edf5f2b5b4a881742bb639fb7952d7

SHA1
e48d88c0b9718cf48d315a242fc120d3fd4408ee

SHA256
54d4f9cad77baaeb92178e10eb132556c4e604b8bb3ff2e7be4dff2ef49a51de

SHA512
86e1af6ed870ac6953f2c75e265f51b8f942444cdd19e0e848f84a5fd572b8832cba3a36fceb9189d4ab8ee529c814999b1e57346c5992ad608496ba64dda854

Download Submit
C:\Users\Admin\AppData\Local\Temp\pixyj.exe

Filesize
203KB

MD5
d1b797a249c59699f35436a489421094

SHA1
be99ed9b408d6c0491f6306e204112d3f6fa0c43

SHA256
1e14482af9cbb607bf19a26d901a9199e8f25cf2ded9542f8266de90a5856773

SHA512
ab924c978f5fc571dc3277335fcbacc1c7d3776d023f15947cb763bbea0c8de6b33124e50bc4883c978d0286da050f2ec484839681e117de9e6a67f53a168867

Download Submit
memory/3088-26-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3088-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3088-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3088-31-0x0000000000492000-0x0000000000493000-memory.dmp

Filesize
4KB

Download
memory/3088-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3088-27-0x0000000000492000-0x0000000000493000-memory.dmp

Filesize
4KB

Download
memory/3636-14-0x0000000000400000-0x000000000049BADB-memory.dmp

Filesize
622KB

Download
memory/3636-0-0x0000000000400000-0x000000000049BADB-memory.dmp

Filesize
622KB

Download
memory/4392-28-0x0000000000400000-0x000000000049BADB-memory.dmp

Filesize
622KB

Download
memory/4392-17-0x0000000000400000-0x000000000049BADB-memory.dmp

Filesize
622KB

Download
memory/4392-12-0x0000000000400000-0x000000000049BADB-memory.dmp

Filesize
622KB

Download

Analysis

Sharing