urelas | 64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10

General

Target

64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe
Size

523KB
MD5

f63a21522ee20927dce21ac0ca16fd67
SHA1

6f641ba07f4f5489aeade99a87dc67ffa4b34c6e
SHA256

64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10
SHA512

1a7cb6d0943d97560240b3652320e11dc01ae6d9f625dc45db233a3f2e8d18ec51c18734b0900452a6719c317075e122ec3f8cea5bb019a64918c4e8db43c58e
SSDEEP

6144:aGdLSOXVv/UfFP2OuNPo9oXZOYR26JAcn1GK8CpbVmQPnKAJMQ42CfDmZzcpbs:aGZSOXx/UdPEpn26Jtn11F59XTwmZP

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exewavux.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	wavux.exe

Executes dropped EXE 2 IoCs

Processes:

wavux.exegehed.exe

pid process

1832 wavux.exe
2452 gehed.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1528 2452 WerFault.exe gehed.exe
2096 2452 WerFault.exe gehed.exe

pid	process
1832	wavux.exe
2452	gehed.exe

pid	pid_target	process	target process
1528	2452	WerFault.exe	gehed.exe
2096	2452	WerFault.exe	gehed.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exewavux.exe

description	pid	process	target process
PID 5104 wrote to memory of 1832	5104	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe	wavux.exe
PID 5104 wrote to memory of 1832	5104	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe	wavux.exe
PID 5104 wrote to memory of 1832	5104	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe	wavux.exe
PID 5104 wrote to memory of 4332	5104	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe	cmd.exe
PID 5104 wrote to memory of 4332	5104	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe	cmd.exe
PID 5104 wrote to memory of 4332	5104	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe	cmd.exe
PID 1832 wrote to memory of 2452	1832	wavux.exe	gehed.exe
PID 1832 wrote to memory of 2452	1832	wavux.exe	gehed.exe
PID 1832 wrote to memory of 2452	1832	wavux.exe	gehed.exe

C:\Users\Admin\AppData\Local\Temp\64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe
"C:\Users\Admin\AppData\Local\Temp\64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\wavux.exe
  "C:\Users\Admin\AppData\Local\Temp\wavux.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\gehed.exe
    "C:\Users\Admin\AppData\Local\Temp\gehed.exe"
    3⤵
    - Executes dropped EXE
    PID:2452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 216
      4⤵
      Program crash
      PID:1528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 256
      4⤵
      Program crash
      PID:2096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2452 -ip 2452
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2452 -ip 2452
1⤵
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3256c70f9911bde58da3b256ab7ca9f0

SHA1
c975fdc479150bd7c2cb8c8e618a3eb25e165510

SHA256
7d3a267d4ff5c05d414eef157986ad40e08afb388d29c0ca9992109247bb103f

SHA512
76c5d630f0553903c3c70dcff156b097812fad2f6b72459ab9949eac80d05c1a568af8569fcb4a4e1a46ba85cb21f2171a6fdd4bc137b594306f8b404caeb450

Download Submit
C:\Users\Admin\AppData\Local\Temp\gehed.exe

Filesize
231KB

MD5
176c546b097319516a20d492e0d0df63

SHA1
d703934fb3c3886a70200214f6638e61eee12eaf

SHA256
62d83cfbe9b49000cf82a2693b368541bc1634b82f0054bc3b7dcaeba3f6fe0d

SHA512
73a1e64ed4d68ab224bfd533d60227a62745b563af2c8ba3a4d346d12f538f9e928ae27684e1a6392d634fd04ee9ab7996c3754395a7bd9e5073c22f8fa9701b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3c711ae82c50645ed8a130fcceebbe4f

SHA1
2f0ef4ea8221aca775b8f00e941506aa7f179a29

SHA256
e800f78b48a069994acdb53aac83efcd76cda96423cbe49658ca3e0077b0c2b1

SHA512
0624123dcc6845ec2fca3f8331fccbca140a005cac8deed881b605874f235aafd68281f01524ffc01db552d59251c34507dc42ca0b4444ba85cc5ac13e6cdb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\wavux.exe

Filesize
523KB

MD5
7cf151379857e47c1006c6b40d4ddfcc

SHA1
1686f6d2ebdf14d13984fc7adb427896b601d425

SHA256
365d940880ae2c3120d31ee0ecb1419b10070ee0ff6dd0b60cb2790239ff8c02

SHA512
ec10aac75ed4dccedd5d975fec97d8009c6a93a174e6255d92b940a6a0c13c3da7edfc701d444847260032112728e77acd255fbde7b23585a847fded29ce638a

Download Submit
memory/1832-17-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/1832-16-0x0000000000D00000-0x0000000000D8F000-memory.dmp

Filesize
572KB

Download
memory/1832-20-0x0000000000D00000-0x0000000000D8F000-memory.dmp

Filesize
572KB

Download
memory/1832-38-0x0000000000D00000-0x0000000000D8F000-memory.dmp

Filesize
572KB

Download
memory/2452-37-0x00000000001C0000-0x0000000000273000-memory.dmp

Filesize
716KB

Download
memory/2452-40-0x00000000001C0000-0x0000000000273000-memory.dmp

Filesize
716KB

Download
memory/5104-15-0x00000000002F0000-0x000000000037F000-memory.dmp

Filesize
572KB

Download
memory/5104-1-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/5104-0-0x00000000002F0000-0x000000000037F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing