urelas | 0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846

General

Target

LisectAVT_2403002C_34.exe
Size

432KB
MD5

be542e225b5a041f7d228b4b6c4936e8
SHA1

8bf87c7d0767461084254004be228d4297bbeafb
SHA256

0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846
SHA512

f9b612dc7fd67aeaedea9c500c2e05a5269642a8139c4aed5cc49db31f8cb3ee09ce99df2ff43a260747a1d031d45899a10be77db9bcd7f6c9ed5e5a903e82fa
SSDEEP

6144:L8efQ6QPJGcLbjg0CutsGH+revgLIAP1fXo1EZH:C6QPJGcE0SGereYdPc

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LisectAVT_2403002C_34.exeokawp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	LisectAVT_2403002C_34.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	okawp.exe

Executes dropped EXE 2 IoCs

Processes:

okawp.execoluk.exe

pid process

2636 okawp.exe
4388 coluk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2636	okawp.exe
4388	coluk.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LisectAVT_2403002C_34.exeokawp.execmd.execoluk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LisectAVT_2403002C_34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	okawp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coluk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

coluk.exe

pid	process
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe
4388	coluk.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

LisectAVT_2403002C_34.exeokawp.exe

description	pid	process	target process
PID 2000 wrote to memory of 2636	2000	LisectAVT_2403002C_34.exe	okawp.exe
PID 2000 wrote to memory of 2636	2000	LisectAVT_2403002C_34.exe	okawp.exe
PID 2000 wrote to memory of 2636	2000	LisectAVT_2403002C_34.exe	okawp.exe
PID 2000 wrote to memory of 4344	2000	LisectAVT_2403002C_34.exe	cmd.exe
PID 2000 wrote to memory of 4344	2000	LisectAVT_2403002C_34.exe	cmd.exe
PID 2000 wrote to memory of 4344	2000	LisectAVT_2403002C_34.exe	cmd.exe
PID 2636 wrote to memory of 4388	2636	okawp.exe	coluk.exe
PID 2636 wrote to memory of 4388	2636	okawp.exe	coluk.exe
PID 2636 wrote to memory of 4388	2636	okawp.exe	coluk.exe

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_34.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_34.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\okawp.exe
"C:\Users\Admin\AppData\Local\Temp\okawp.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\coluk.exe
"C:\Users\Admin\AppData\Local\Temp\coluk.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- System Location Discovery: System Language Discovery
PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
254B

MD5
e70ee80c0f2bf9e1af3757bdafb0e53a

SHA1
6bbc03cfdf16f136820dc2f08e66c959846fe561

SHA256
7d4cccbc5231115d05ffde2115371bfdcf9ff5ae9fd296011025b247c93c5b53

SHA512
82aa96f69a628a0f06f040eba59ccea75a53874553c2481440b41644512ef9328982ee5f8a8f065007ef80a3a1158d85d12eb5056f58821a7d82101851d2e6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\coluk.exe

Filesize
291KB

MD5
25fc7b7a1efc3730e3701dbdd97209fa

SHA1
98b9dd3915f57878eafa0fccfe0a18dc9ab10a24

SHA256
44c2702ff2368207889f4709ca21c7372012260d79372a913cda009501ed1350

SHA512
2d8783356255ab40484baf43595d0c8f3c0079ec62ae18bf9ee692eba29edc71826cf2de3b8f2353123fc7dbb344c4f019bafbfd1450106954bac85886a0ba38

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a9f7cd82b997ba2381111f2a207caf3a

SHA1
d06d04365472812f0d2b5613e888511fdcfe7989

SHA256
bc638f84235e14f043cad46f5a68d9f1b11cf022d6995fe64de2213b11203806

SHA512
8b8e77cad5ccf206791ec2214b270d35909a25fb477e321c9cbf03baf2a0b85ae5fc189cfb2c36a6867c7e337917f036ed7ff26d5742c36b820372d245baa08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\okawp.exe

Filesize
433KB

MD5
bd3f908a0e4e20dfd48077a0b0bbe9ab

SHA1
00464d6c81f08e60584962304ae40680a6f90cc1

SHA256
24a8bcf6e2a4cf54148d7a7f23695de905d3a230157daab894d0580ef3c10cc6

SHA512
1900d42ac52e2629b730543e030b18eaa0a164c2e4ff01d362b6837200da5a1f9a74d66d34e18c9494299a8aec2dec7fac6b88a690e5936ff65a7638358b3503

Download Submit
memory/2000-0-0x0000000000700000-0x000000000076E000-memory.dmp

Filesize
440KB

Download
memory/2000-14-0x0000000000700000-0x000000000076E000-memory.dmp

Filesize
440KB

Download
memory/2636-12-0x0000000000A80000-0x0000000000AEE000-memory.dmp

Filesize
440KB

Download
memory/2636-25-0x0000000000A80000-0x0000000000AEE000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads