urelas | cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605

General

Target

LisectAVT_2403002B_408.exe
Size

336KB
MD5

785a5215521aebe5a451ea71a9b08584
SHA1

f84373aea04589873857b5ea2023d9e95f9c32a0
SHA256

cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605
SHA512

752d5fa610fa49e6c13596a61295cb0beeefffc593ce5369719be9255f9d4a70896bfc10e6b244df526ab68b5d8ed4e1bc15dbcbb610ec0bf8f663a58ebf76a7
SSDEEP

6144:GLtOexihqv4m+lXD6betiTuBMTWjIDIiUBAkW9UOKMOtzWO8CatspddODi9w:GL1D+IatauBML42MykRa6p6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LisectAVT_2403002B_408.execonon.exeotqoge.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	LisectAVT_2403002B_408.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	conon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	otqoge.exe

Executes dropped EXE 3 IoCs

Processes:

conon.exeotqoge.exenuajq.exe

pid process

3004 conon.exe
2544 otqoge.exe
4044 nuajq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3004	conon.exe
2544	otqoge.exe
4044	nuajq.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LisectAVT_2403002B_408.execonon.execmd.exeotqoge.exenuajq.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LisectAVT_2403002B_408.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	otqoge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nuajq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

nuajq.exe

pid	process
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe
4044	nuajq.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

LisectAVT_2403002B_408.execonon.exeotqoge.exe

description	pid	process	target process
PID 4316 wrote to memory of 3004	4316	LisectAVT_2403002B_408.exe	conon.exe
PID 4316 wrote to memory of 3004	4316	LisectAVT_2403002B_408.exe	conon.exe
PID 4316 wrote to memory of 3004	4316	LisectAVT_2403002B_408.exe	conon.exe
PID 4316 wrote to memory of 2976	4316	LisectAVT_2403002B_408.exe	cmd.exe
PID 4316 wrote to memory of 2976	4316	LisectAVT_2403002B_408.exe	cmd.exe
PID 4316 wrote to memory of 2976	4316	LisectAVT_2403002B_408.exe	cmd.exe
PID 3004 wrote to memory of 2544	3004	conon.exe	otqoge.exe
PID 3004 wrote to memory of 2544	3004	conon.exe	otqoge.exe
PID 3004 wrote to memory of 2544	3004	conon.exe	otqoge.exe
PID 2544 wrote to memory of 4044	2544	otqoge.exe	nuajq.exe
PID 2544 wrote to memory of 4044	2544	otqoge.exe	nuajq.exe
PID 2544 wrote to memory of 4044	2544	otqoge.exe	nuajq.exe
PID 2544 wrote to memory of 3196	2544	otqoge.exe	cmd.exe
PID 2544 wrote to memory of 3196	2544	otqoge.exe	cmd.exe
PID 2544 wrote to memory of 3196	2544	otqoge.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_408.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_408.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\AppData\Local\Temp\conon.exe
"C:\Users\Admin\AppData\Local\Temp\conon.exe" hi
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004

C:\Users\Admin\AppData\Local\Temp\otqoge.exe
"C:\Users\Admin\AppData\Local\Temp\otqoge.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\AppData\Local\Temp\nuajq.exe
"C:\Users\Admin\AppData\Local\Temp\nuajq.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
- System Location Discovery: System Language Discovery
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- System Location Discovery: System Language Discovery
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
256B

MD5
c55b70a743d68ef68fda70aa6c9c7490

SHA1
c11d8796679cce1b7c14c60328e49b01ec4045bd

SHA256
8d459d4ce8d127bbf574edc664f52359e3a6f3949b666d1f3a05e6cd7664df3c

SHA512
a543217bc4e8ca936c58a486a9639f5c606d0e4bb9969953eb2422d07e1c8023e00e1a12d18bfdc30b5dfc6e0aeb3adb1a7b59604f52a667bf50619910c3a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c1204e36bb6415c974df147aff385f00

SHA1
59c6d8320075c386b0b6b468f3cb4ae9e68fc4ff

SHA256
4358ddf40c0e8b51bfed5eca349cfa1e41f1cbe5e357d3cfdafa678eb9959b35

SHA512
0fdf523f7694a1822377503542fe4fd6a4796d8cb8f87e408b78779d9db7e764afd28fb72e7da284f4a2fa28bf796668d1563e28a1828720b427035e1d9ad597

Download Submit
C:\Users\Admin\AppData\Local\Temp\conon.exe

Filesize
336KB

MD5
1552a9639526708191a99d7d7a7bd865

SHA1
379ce3dea78cad718b165d0d42cd1b2e03635245

SHA256
4e7e96a5c4fd6141252a869cb3e0260893558da4a70051ef4d602778b216caef

SHA512
51998ea014b8b9fd93882d1a9838beac3597d7dc641fa689a3f01eea4142cd307c75cd53dbbd3715d06c73f69cc7db7931558148e657975cb947cc8a987abccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4c9306ee8736b4e9a2fef152591fb12f

SHA1
cec402ffd926ab2c7d7edd38d68d56efb07c8291

SHA256
a22c4d64dc303d22929b7832d82655a2b4e6a81db672a08e7d49f5405630946c

SHA512
401e66caa38ca4bef5f0d52e37ec852cd7a2867bd73dd6ed82b9c4ab6fc53c4dc7ab9701aea747d7ef4daf09432c48e89c9ade0f17e4b59caf414c06618a6517

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuajq.exe

Filesize
223KB

MD5
a2216fe0eca1b9e005a03fbb8e5f61c0

SHA1
87a737a373646a9aef96cc1d318bc732923a263c

SHA256
5e3a0611dc6938d3437cb7396a0569488a8a99673009500cc59ec5838f8a683b

SHA512
891801093ababc393d524b9356f6b57ef63fa277521c27ec3e744262a929e2f672c129f3648f94869f474e5a8e75fcf71088e7aae27128055694668363ac51aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\otqoge.exe

Filesize
337KB

MD5
de4b02bbb64743e6fa7c49d5786cec2a

SHA1
b9238c7148c6ebd885c2ad602c2c7c30b9999821

SHA256
691652cf139ee7761a1a3e484bafa44ed5e212a82e518791f50a251b01041f1b

SHA512
aa32df50dbeaf3bf54d134f8396adae7b15cb51cd51f0e51cf770dd9f028e7aad09caa0067cd73c34d65d9b46427dd6ba58c878356716db353a81203bcc8eeff

Download Submit
memory/2544-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2544-31-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2544-32-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2544-55-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3004-14-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3004-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3004-13-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4044-59-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/4044-61-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/4044-52-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/4044-60-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/4044-57-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/4044-58-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/4316-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4316-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4316-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads