urelas | 4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9

General

Target

4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9N.exe
Size

629KB
MD5

2636e72056b9ee9495548eb46a3a93d0
SHA1

9b5cda0964ceb190487911bab16225d5a4ee63bf
SHA256

4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9
SHA512

13b78f3360b657e0096e2c1e7b49e23d0a3470f4a04cb4a84a65ac3977a329e76751a3d7604ac4c0f9610036f124516315fe4d26a0ebdd57ead4672baa24066e
SSDEEP

6144:hmbmLppYOuakY1q5Q4XMxvQ4x1OpGcm9VQl0lM/oJ4/gupe10b:hma6id1Q8zzkGHVqoq/gI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	hiakt.exe

Executes dropped EXE 2 IoCs

pid	Process
2480	hiakt.exe
4904	honow.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hiakt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	honow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9N.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe
4904	honow.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 2480	1256	4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9N.exe	86
PID 1256 wrote to memory of 2480	1256	4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9N.exe	86
PID 1256 wrote to memory of 2480	1256	4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9N.exe	86
PID 1256 wrote to memory of 716	1256	4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9N.exe	87
PID 1256 wrote to memory of 716	1256	4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9N.exe	87
PID 1256 wrote to memory of 716	1256	4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9N.exe	87
PID 2480 wrote to memory of 4904	2480	hiakt.exe	93
PID 2480 wrote to memory of 4904	2480	hiakt.exe	93
PID 2480 wrote to memory of 4904	2480	hiakt.exe	93

C:\Users\Admin\AppData\Local\Temp\4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9N.exe
"C:\Users\Admin\AppData\Local\Temp\4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\hiakt.exe
  "C:\Users\Admin\AppData\Local\Temp\hiakt.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\honow.exe
    "C:\Users\Admin\AppData\Local\Temp\honow.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
ab81a7cae5f3b4956a813b265151742e

SHA1
0912a00360776619b058187136f3d14420df14f3

SHA256
ca2f14247effbc1b52a50c0763ce0d180d482399ee8f485c185a9a41afc3973f

SHA512
ee0da9c1db68586c2d2a8b4bc8cecfd6cb6023445b38f1f765080c1438d09ed786493453fc16a62d070c8c375f0f0c1002e5ecc4027ed677c01116738abbcbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
50baac52e02beb87483916c1f570c9a5

SHA1
a7c19f6995814c94e8e66c7ac40e444e993154bd

SHA256
4ae109436a52770067626b0a361f5613467319067e404e6df737321959a721e3

SHA512
e912000292b2d62edfafb31c495d567751723703c44484a3adf3d5d9ab38ed2d61a9e0f50886e4fa659a14a04b161a4c2f14e93390f16b216a49982ce6179973

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiakt.exe

Filesize
629KB

MD5
c6116c0203cb5b3159507b541bb7473c

SHA1
5223b49024cce8b7f1af0cd7cc7890966c8229ca

SHA256
75ae2e58e927a7cc67e7985d9a491476ee175f9864efc99ff544abdb2a1b3c64

SHA512
f458aefde1d38a68dc2a8a470c4e0f3c40cecd1e889de389c9606e26cb38dd904ad5fcc33e8db5f20d616aa223585a68af4070bfb2fd667f7fa0a56a4a8b8726

Download Submit
C:\Users\Admin\AppData\Local\Temp\honow.exe

Filesize
203KB

MD5
8259f4cb5b72c4af3d736ba15ca06f73

SHA1
292acd44bd6532842ee0751b9a78f7439b6c2d38

SHA256
632e3f03aa284c2ea32cdf7e4007af3c025c86028c3af8b43ab6b2a48d46eda7

SHA512
ad372912146fbdd6979370e445e14ca9991712143d5e5143f7b37ba3f21d9336783fea15c952cc667b0515fe6995fe0035e175ec6c31d0c3acb0a1654aeb589b

Download Submit
memory/1256-13-0x0000000000400000-0x000000000049BADB-memory.dmp

Filesize
622KB

Download
memory/1256-0-0x0000000000400000-0x000000000049BADB-memory.dmp

Filesize
622KB

Download
memory/2480-16-0x0000000000400000-0x000000000049BADB-memory.dmp

Filesize
622KB

Download
memory/2480-26-0x0000000000400000-0x000000000049BADB-memory.dmp

Filesize
622KB

Download
memory/4904-27-0x0000000000492000-0x0000000000493000-memory.dmp

Filesize
4KB

Download
memory/4904-25-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4904-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4904-31-0x0000000000492000-0x0000000000493000-memory.dmp

Filesize
4KB

Download
memory/4904-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4904-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing