urelas | 0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846

General

Target

0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe
Size

432KB
MD5

be542e225b5a041f7d228b4b6c4936e8
SHA1

8bf87c7d0767461084254004be228d4297bbeafb
SHA256

0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846
SHA512

f9b612dc7fd67aeaedea9c500c2e05a5269642a8139c4aed5cc49db31f8cb3ee09ce99df2ff43a260747a1d031d45899a10be77db9bcd7f6c9ed5e5a903e82fa
SSDEEP

6144:L8efQ6QPJGcLbjg0CutsGH+revgLIAP1fXo1EZH:C6QPJGcE0SGereYdPc

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exerysib.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	rysib.exe

Executes dropped EXE 2 IoCs

Processes:

rysib.exeimkaq.exe

pid process

796 rysib.exe
2384 imkaq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
796	rysib.exe
2384	imkaq.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exerysib.execmd.exeimkaq.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rysib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imkaq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

imkaq.exe

pid	process
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe
2384	imkaq.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exerysib.exe

description	pid	process	target process
PID 2856 wrote to memory of 796	2856	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	rysib.exe
PID 2856 wrote to memory of 796	2856	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	rysib.exe
PID 2856 wrote to memory of 796	2856	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	rysib.exe
PID 2856 wrote to memory of 4604	2856	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	cmd.exe
PID 2856 wrote to memory of 4604	2856	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	cmd.exe
PID 2856 wrote to memory of 4604	2856	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	cmd.exe
PID 796 wrote to memory of 2384	796	rysib.exe	imkaq.exe
PID 796 wrote to memory of 2384	796	rysib.exe	imkaq.exe
PID 796 wrote to memory of 2384	796	rysib.exe	imkaq.exe

C:\Users\Admin\AppData\Local\Temp\0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe
"C:\Users\Admin\AppData\Local\Temp\0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Local\Temp\rysib.exe
"C:\Users\Admin\AppData\Local\Temp\rysib.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\imkaq.exe
"C:\Users\Admin\AppData\Local\Temp\imkaq.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- System Location Discovery: System Language Discovery
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
fab84f4b298efa708e4661723fd8726f

SHA1
ad3b0a6a3230eed02a342c8675efb82617336d60

SHA256
d9a9705dd0eb69fedc7090940f6b689ea8a0817677f67630954ce3e29ac4d2e6

SHA512
6b54036c346688560e281087ee1707d33e8ec0818b52f7940ca309990dac845b0e84cbd2660a48a25fc98402ef956f6d2ce765503d9e5b474ff52a60abf01513

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
63fb88dec0824f92d9523ad767edc626

SHA1
69070fdbc8b5349f52ec76ca4e9a2152f96b526a

SHA256
f6506ec0cbd3295599582ff5dde4a60853a43812ca6dd3aeb3cc6d6b9638c460

SHA512
4c7b6b21dd75589972d2e523c1abbfa3871d81a75cca27fe787d32b7559e2d00c2c740c3904f25b56857a4cc9ee856e46aecb0669073160c1d3c3b582c1826e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\imkaq.exe

Filesize
291KB

MD5
254b596c1a5ae74556975394df0f84a9

SHA1
c2e7769cf4c445cc7a16f70934d0f4161e1d37f5

SHA256
bf2d84872e9e66411c09d73f2b4015371530c39515a9d88b15371986955902f5

SHA512
f23b82420a88e052be1c48168fe2690894bb332dbff8e0777cfaec719d47ec704c0026efc93aabd3ef341f6defa7607aa941740824d9346f9d8e5046ed5c0236

Download Submit
C:\Users\Admin\AppData\Local\Temp\rysib.exe

Filesize
433KB

MD5
91f45471d21779032f85343fe191823b

SHA1
55f6fd3cbb7e2e6e8bfce019cce6011aef6e6eb1

SHA256
fc265624b3073d785c9df606bf35e36dc376f4ad7e3baa8d374669b8bf42b83b

SHA512
7370510ec67bbd2f5d03f55ff5606b0e84d96856e1a57c718cb89b0cd5260dc9951032ce5fcbc5a5903a782f73397c7d01179957fd7b7a8bd1d47fcba39d9333

Download Submit
memory/796-11-0x0000000000D40000-0x0000000000DAE000-memory.dmp

Filesize
440KB

Download
memory/796-25-0x0000000000D40000-0x0000000000DAE000-memory.dmp

Filesize
440KB

Download
memory/2856-0-0x00000000002F0000-0x000000000035E000-memory.dmp

Filesize
440KB

Download
memory/2856-14-0x00000000002F0000-0x000000000035E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads