urelas | 528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313

General

Target

528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313N.exe
Size

338KB
MD5

10e2fa8201897abe94ee8145b99d11a0
SHA1

e2621ba40292cd86e116ebc7901b2de8c60de459
SHA256

528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313
SHA512

f88c73f5a06bbb54424aa508f3891abe1ab015524aa858364cbf84d358bb630518db999db9b715ca2bfc700ce3568767f23eea3509044e4f234e5b251ac9ecea
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoJ8:vHW138/iXWlK885rKlGSekcj66ciT

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	xavyp.exe

Executes dropped EXE 2 IoCs

pid	Process
264	xavyp.exe
1720	mupyj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mupyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xavyp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe
1720	mupyj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 264	632	528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313N.exe	87
PID 632 wrote to memory of 264	632	528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313N.exe	87
PID 632 wrote to memory of 264	632	528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313N.exe	87
PID 632 wrote to memory of 4600	632	528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313N.exe	88
PID 632 wrote to memory of 4600	632	528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313N.exe	88
PID 632 wrote to memory of 4600	632	528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313N.exe	88
PID 264 wrote to memory of 1720	264	xavyp.exe	95
PID 264 wrote to memory of 1720	264	xavyp.exe	95
PID 264 wrote to memory of 1720	264	xavyp.exe	95

C:\Users\Admin\AppData\Local\Temp\528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313N.exe
"C:\Users\Admin\AppData\Local\Temp\528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\xavyp.exe
  "C:\Users\Admin\AppData\Local\Temp\xavyp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Users\Admin\AppData\Local\Temp\mupyj.exe
    "C:\Users\Admin\AppData\Local\Temp\mupyj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
7b071ac6037265e10c825e8e9bc3e7fd

SHA1
2a32815c173e776bf6924d4528af35e946a1f255

SHA256
5221050afb0f70db89a4d643ace6b3cf55767cd99757c1df997143cc9bd2ce03

SHA512
d1701eb5519014eaab6e472724fc83399121ff537ead521bff0dcdefac746d5bff690380063ba55373850a56134a46a8e5c19595a9e9cc7e91c2c58d0add1a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c72d799b536feb60481c828c776285e8

SHA1
e22ab4ef3a83548d7fca6231a0eb1c35276afb15

SHA256
09216808139e926a13ca7736fcf38660be341b874e7813983c8e6ef4065e6d49

SHA512
8ca393ae45eb4775bc7c09ebe53f2f1b174e3ed36b29893693e9e2b1267c8cfd9bb7d2f6ee419f7cfafb319f44599384d2d7da711dd45455c51983157b0786c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mupyj.exe

Filesize
172KB

MD5
952eebe7b6aa8fbbcdf2b916eb40bb7b

SHA1
85e6f75c2312fa4a94789ddd280b96275818b722

SHA256
9303bbbaa6eae5bac8ff7c691f1c703c5793ccecc1a8be17fbc1c2981ca0fe7e

SHA512
e7ecdf7a7b35fbe0a2a1f43327d055b51ed5b3019758c5ab34bbc91531c933e3441401efcd9b148e176bdcbd8a1f71fad7b100e50eb4ef6b604b065a48237239

Download Submit
C:\Users\Admin\AppData\Local\Temp\xavyp.exe

Filesize
338KB

MD5
6baff6d5c77e3f93b60d0c2fda36789f

SHA1
f6596f2b11f5981669f401ad4393b5a7d228ec30

SHA256
40671403e3dd410e31a69aece4c41ca8a3ad08643b43e4b972786f614ff4d0e7

SHA512
16849f9f4bfc44e1a0eb8bd647116623fbf12228feb4dba11324078133423fe1e79636363d53ea885f4e6b50f8973ec7c2e4df43a47890017d6fd843de5bd1a1

Download Submit
memory/264-20-0x0000000000170000-0x00000000001F1000-memory.dmp

Filesize
516KB

Download
memory/264-13-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/264-11-0x0000000000170000-0x00000000001F1000-memory.dmp

Filesize
516KB

Download
memory/264-40-0x0000000000170000-0x00000000001F1000-memory.dmp

Filesize
516KB

Download
memory/632-17-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/632-0-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/632-1-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/1720-38-0x00000000007D0000-0x00000000007D2000-memory.dmp

Filesize
8KB

Download
memory/1720-36-0x0000000000F20000-0x0000000000FB9000-memory.dmp

Filesize
612KB

Download
memory/1720-41-0x0000000000F20000-0x0000000000FB9000-memory.dmp

Filesize
612KB

Download
memory/1720-46-0x00000000007D0000-0x00000000007D2000-memory.dmp

Filesize
8KB

Download
memory/1720-45-0x0000000000F20000-0x0000000000FB9000-memory.dmp

Filesize
612KB

Download
memory/1720-47-0x0000000000F20000-0x0000000000FB9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing