urelas | 97f4f39071a20093e621287cffbbc68908917a9aeb64449fcead651349e857db

General

Target

3cbd44e687e23737a34fae51d7ef51cc.exe
Size

446KB
MD5

3cbd44e687e23737a34fae51d7ef51cc
SHA1

8bfbbf8f20ae6c719ada1e44adcfb69a27998b40
SHA256

97f4f39071a20093e621287cffbbc68908917a9aeb64449fcead651349e857db
SHA512

2efd9dd11186a4f67c94aaff35f80f5b6564a966c09eb0e9eee2a7058717a1c17d4bcb30ff06983c4a66766dd945349568fbdfe25660d13802b82be9b18a4878
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOp0:PMpASIcWYx2U6hAJQnJ

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	3cbd44e687e23737a34fae51d7ef51cc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	pudin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	ywwomy.exe

Executes dropped EXE 3 IoCs

pid	Process
3976	pudin.exe
4992	ywwomy.exe
2864	nagus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe
2864	nagus.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 3976	1144	3cbd44e687e23737a34fae51d7ef51cc.exe	95
PID 1144 wrote to memory of 3976	1144	3cbd44e687e23737a34fae51d7ef51cc.exe	95
PID 1144 wrote to memory of 3976	1144	3cbd44e687e23737a34fae51d7ef51cc.exe	95
PID 1144 wrote to memory of 1508	1144	3cbd44e687e23737a34fae51d7ef51cc.exe	96
PID 1144 wrote to memory of 1508	1144	3cbd44e687e23737a34fae51d7ef51cc.exe	96
PID 1144 wrote to memory of 1508	1144	3cbd44e687e23737a34fae51d7ef51cc.exe	96
PID 3976 wrote to memory of 4992	3976	pudin.exe	98
PID 3976 wrote to memory of 4992	3976	pudin.exe	98
PID 3976 wrote to memory of 4992	3976	pudin.exe	98
PID 4992 wrote to memory of 2864	4992	ywwomy.exe	115
PID 4992 wrote to memory of 2864	4992	ywwomy.exe	115
PID 4992 wrote to memory of 2864	4992	ywwomy.exe	115
PID 4992 wrote to memory of 2068	4992	ywwomy.exe	116
PID 4992 wrote to memory of 2068	4992	ywwomy.exe	116
PID 4992 wrote to memory of 2068	4992	ywwomy.exe	116

C:\Users\Admin\AppData\Local\Temp\3cbd44e687e23737a34fae51d7ef51cc.exe
"C:\Users\Admin\AppData\Local\Temp\3cbd44e687e23737a34fae51d7ef51cc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Local\Temp\pudin.exe
  "C:\Users\Admin\AppData\Local\Temp\pudin.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\ywwomy.exe
    "C:\Users\Admin\AppData\Local\Temp\ywwomy.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\nagus.exe
      "C:\Users\Admin\AppData\Local\Temp\nagus.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
276B

MD5
d2ab0b21aeb6535e08da7bb1bac01240

SHA1
bef75b4ad97769089b4ac539e04b53d758252f90

SHA256
a3c4377f9c17447904c5512a3b4a87e0cc72b373022f24325b6c300fedfe57b7

SHA512
4fd28c77b7cab11e06da8721c509825d97486a76da0a1895ab902f71c06534e02f3b938eba03dfa3ca5fe739d29ff63915cda57913f38ff679ad1e1c54a526d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
b027c82923f94ae040012e526e5c43b8

SHA1
5f8b9a6344d72d81539012bf075d0b069a09bd97

SHA256
4e76706c18504e5836e83598cf2f1ccca70898ae1892ed2e4d5cb76cf5aeddaa

SHA512
733d9a7c5519e6f17ec87240fdb74b566e58e431d041c1b83ea36767355d75382066cf1b17f2eb40c846e16b1c7e0cfcd2f4980547249666d49fdafef9d02f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2045206bb04c94b5a8d51408a95b9c99

SHA1
9983148c69e2017e3ceb1d2177c951fe747e527b

SHA256
ef7b000064994f23da682464680cd7a219737ab3135b1b0092b8b44364a3595e

SHA512
81fee1c356333bc46a2f45fd52083b343de77a2e26f8074605c54e0861956d1ac8a6ec15c2d3d63e617766c63084a8dd8ee880124d3abb962e0745db54e05695

Download Submit
C:\Users\Admin\AppData\Local\Temp\nagus.exe

Filesize
223KB

MD5
ca65915d8289be88c2b0cd418d008a8d

SHA1
9da4488d0cb39dd0096b095781f9e75ac03e079e

SHA256
9a6e6ec353c0b6550d9ffadcd333ef46b02816e3e5c724a2a225d068630683dc

SHA512
d931818e81759014caeeeafdd10c7ffa499c913e6aef0f4153792f25bde068afd870e52ea04b610fae754b5df47e86b95078b2ca26654a54dae752076ab1aec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pudin.exe

Filesize
446KB

MD5
d6e3919043e53c1c10983887b680553c

SHA1
d71cfd8ae2babbb95e1b9b226425fd642bbc09bd

SHA256
c861bf1c386c026963821bd372b954672e336aba830f831e6d59100724690d5f

SHA512
a173b43d67598d5f0b88b1ac968fc8a88a57ea2611a15a93fa053cd43d498953c438549c94fe36e8154ab724bbb17ec6707f4f024b380b247066f4b4ad42caf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywwomy.exe

Filesize
446KB

MD5
3eef16fce11044c3cc83165a11cc1a45

SHA1
da6bf9c468ae1a48358e58eb7c4767a25360ed15

SHA256
482dde4523ac24697d6dac1e5bf0922fa320d310915696832c74e54812951493

SHA512
20e1d06ee2472930ac8edede6da79dd395b6aa249bb8e8ffee176695cf127ce4102a5d381e048afffedc2423268d7d2a08e16d7b3f1451d629c88dd4cd4f4bae

Download Submit
memory/1144-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1144-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2864-37-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2864-35-0x0000000000240000-0x00000000002E0000-memory.dmp

Filesize
640KB

Download
memory/2864-42-0x0000000000240000-0x00000000002E0000-memory.dmp

Filesize
640KB

Download
memory/2864-43-0x0000000000240000-0x00000000002E0000-memory.dmp

Filesize
640KB

Download
memory/3976-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4992-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4992-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing