urelas | a1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106

General

Target

a1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106.exe
Size

324KB
MD5

7b2d755611b8854aaa6e9456f5eb0185
SHA1

1c4cf067c3663d72a4cda2a4d747f069c9550613
SHA256

a1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106
SHA512

1578a794705e829592bab54efc6017a6bce6621c52fc16a4ad2a763efa0987961e5e2210d3181a96b543b74c71d335d24861e82c7c33f6f7f82b422dab380d1e
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYC:vHW138/iXWlK885rKlGSekcj66ciH

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106.exefukih.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	a1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	fukih.exe

Executes dropped EXE 2 IoCs

Processes:

fukih.exebofoo.exe

pid process

1204 fukih.exe
4792 bofoo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1204	fukih.exe
4792	bofoo.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exebofoo.exea1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106.exefukih.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bofoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fukih.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bofoo.exe

pid	process
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe
4792	bofoo.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106.exefukih.exe

description	pid	process	target process
PID 5080 wrote to memory of 1204	5080	a1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106.exe	fukih.exe
PID 5080 wrote to memory of 1204	5080	a1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106.exe	fukih.exe
PID 5080 wrote to memory of 1204	5080	a1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106.exe	fukih.exe
PID 5080 wrote to memory of 3108	5080	a1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106.exe	cmd.exe
PID 5080 wrote to memory of 3108	5080	a1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106.exe	cmd.exe
PID 5080 wrote to memory of 3108	5080	a1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106.exe	cmd.exe
PID 1204 wrote to memory of 4792	1204	fukih.exe	bofoo.exe
PID 1204 wrote to memory of 4792	1204	fukih.exe	bofoo.exe
PID 1204 wrote to memory of 4792	1204	fukih.exe	bofoo.exe

C:\Users\Admin\AppData\Local\Temp\a1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106.exe
"C:\Users\Admin\AppData\Local\Temp\a1d1c96ddc5f56c07cee63e979b738e3dcf70fcedfbeec06831caea904aa1106.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5080

C:\Users\Admin\AppData\Local\Temp\fukih.exe
"C:\Users\Admin\AppData\Local\Temp\fukih.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\bofoo.exe
"C:\Users\Admin\AppData\Local\Temp\bofoo.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- System Location Discovery: System Language Discovery
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
1f61024c28bfec2176a5110eef460b28

SHA1
088da046d0623c4bd348396430d4336b3c951dcc

SHA256
25d2cb9feb7fff589cc68f3c448685382cd0cbc26cfb2d393f2de2898491e090

SHA512
654f82a87c06dea960ea63c96e9ead1829dc3d1a70869e266003e6611a12e0bccbc8a22ae4e0917d0bcff2ea2dc7828ac7156d6e73d2eb98183ccfb5b2f4dac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bofoo.exe

Filesize
172KB

MD5
5ff109e93f759121ad8545e7f52c6b80

SHA1
4ed84831b975e33bb8dac492e21563050ab93657

SHA256
130204cb3e09d7e65c644669ac83ed89c0d1e188dd54807e51acdefb96f1a1e5

SHA512
154a4bae387eff351a7a8d48d099fe075a702035112951c522f72b3a7795fa9d4fcbed52aa14ac17ea192b4ee6c199c6d1254e8345a79b6ae1c105568658cd43

Download Submit
C:\Users\Admin\AppData\Local\Temp\fukih.exe

Filesize
324KB

MD5
bfb35bc44b29b862d0b98ea9c6a9d714

SHA1
db71b4caa531ebb1fece651a2bb1b4a10d0d7ce2

SHA256
de2f32e0a23c4463c1f519d5029d32ec9b4af1ff5516d8edc8d7de93a5a7e2ce

SHA512
6daa1bdb9f778cf66d594388e37713aa45c445e6a60a79c1c7cd7997a737ec86e3c40d0fbb48ace51d1151d2c9f98b17715a31a83454d1d5d8a3f2bcc77af4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9cf83ea5978540e0bf66e60148f9fa12

SHA1
8529c884585f8d7e5a3a8a65c9155596a337067f

SHA256
d4cb4a95ddebaa5ac151237c4fcaa74dc16c6726763e7a922ef2368487f72cb7

SHA512
9410553b155a7bc1cc69cbcca76b7e2522dc6f2397c93bf0b72a188602864436974777848814949c5bc34a788d104f3c1c262df44d18cd4fc025bf8ed3e90a0a

Download Submit
memory/1204-20-0x0000000000980000-0x0000000000A01000-memory.dmp

Filesize
516KB

Download
memory/1204-37-0x0000000000980000-0x0000000000A01000-memory.dmp

Filesize
516KB

Download
memory/1204-15-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1204-14-0x0000000000980000-0x0000000000A01000-memory.dmp

Filesize
516KB

Download
memory/4792-45-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/4792-39-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/4792-38-0x0000000001020000-0x0000000001022000-memory.dmp

Filesize
8KB

Download
memory/4792-40-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/4792-44-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/4792-46-0x0000000001020000-0x0000000001022000-memory.dmp

Filesize
8KB

Download
memory/4792-47-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/4792-48-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/4792-49-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/5080-17-0x0000000000BD0000-0x0000000000C51000-memory.dmp

Filesize
516KB

Download
memory/5080-1-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/5080-0-0x0000000000BD0000-0x0000000000C51000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads