urelas | ed6ea4d610a46302552d12c74f259d7d5eddfff04f6263241ffdac17d9cf6e91

General

Target

434927414b3d9bb823b1fbd9e6004850N.exe
Size

331KB
MD5

434927414b3d9bb823b1fbd9e6004850
SHA1

65d17adea257f844a0bd72cf36ac5db66c236163
SHA256

ed6ea4d610a46302552d12c74f259d7d5eddfff04f6263241ffdac17d9cf6e91
SHA512

eb9a6ae7859380769f5dd30a29b78497b1c747486fd0d3fece8a039907754b0ef1adfb8f81f5ec8565d73429c435fa5726ab4c7d23da321875a5bcb5d20045f6
SSDEEP

6144:yty5fbpxDuMcHYwt1gxloqtaE5iWbUMqfn8EijRUNafrHBw/iT:ytCLD7+51gxeq3gOU9EEQrhMM

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

434927414b3d9bb823b1fbd9e6004850N.exelykoh.exehoheak.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	434927414b3d9bb823b1fbd9e6004850N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	lykoh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	hoheak.exe

Executes dropped EXE 3 IoCs

Processes:

lykoh.exehoheak.exeisloc.exe

pid process

3560 lykoh.exe
112 hoheak.exe
2400 isloc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3560	lykoh.exe
112	hoheak.exe
2400	isloc.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exehoheak.exeisloc.execmd.exe434927414b3d9bb823b1fbd9e6004850N.exelykoh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hoheak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	434927414b3d9bb823b1fbd9e6004850N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lykoh.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

isloc.exe

pid	process
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe
2400	isloc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

434927414b3d9bb823b1fbd9e6004850N.exelykoh.exehoheak.exe

description	pid	process	target process
PID 1500 wrote to memory of 3560	1500	434927414b3d9bb823b1fbd9e6004850N.exe	lykoh.exe
PID 1500 wrote to memory of 3560	1500	434927414b3d9bb823b1fbd9e6004850N.exe	lykoh.exe
PID 1500 wrote to memory of 3560	1500	434927414b3d9bb823b1fbd9e6004850N.exe	lykoh.exe
PID 1500 wrote to memory of 4684	1500	434927414b3d9bb823b1fbd9e6004850N.exe	cmd.exe
PID 1500 wrote to memory of 4684	1500	434927414b3d9bb823b1fbd9e6004850N.exe	cmd.exe
PID 1500 wrote to memory of 4684	1500	434927414b3d9bb823b1fbd9e6004850N.exe	cmd.exe
PID 3560 wrote to memory of 112	3560	lykoh.exe	hoheak.exe
PID 3560 wrote to memory of 112	3560	lykoh.exe	hoheak.exe
PID 3560 wrote to memory of 112	3560	lykoh.exe	hoheak.exe
PID 112 wrote to memory of 2400	112	hoheak.exe	isloc.exe
PID 112 wrote to memory of 2400	112	hoheak.exe	isloc.exe
PID 112 wrote to memory of 2400	112	hoheak.exe	isloc.exe
PID 112 wrote to memory of 2528	112	hoheak.exe	cmd.exe
PID 112 wrote to memory of 2528	112	hoheak.exe	cmd.exe
PID 112 wrote to memory of 2528	112	hoheak.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\434927414b3d9bb823b1fbd9e6004850N.exe
"C:\Users\Admin\AppData\Local\Temp\434927414b3d9bb823b1fbd9e6004850N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\lykoh.exe
  "C:\Users\Admin\AppData\Local\Temp\lykoh.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\hoheak.exe
    "C:\Users\Admin\AppData\Local\Temp\hoheak.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Users\Admin\AppData\Local\Temp\isloc.exe
      "C:\Users\Admin\AppData\Local\Temp\isloc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
278B

MD5
6e7fbaae10a0e33d5d4de64ebb9ae2d1

SHA1
f7c0055bf69a6ceeecac7d6923aaf4f6e2127491

SHA256
2e68488559194c6252e03d5d6127ec84b4f8d2570182600d7c5f424c8606d688

SHA512
a4ffbb622de18ce97775bd11c0dbb2c00579d773e139276f88bea4032ba8394dc387d0d4cd2593bc6e938bd83050cd6bd37cd2ae61a22170ea7f5425588db796

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
189bb0dc35d8fd7d11c1ddba520d5d6b

SHA1
857f5dcc30fc90ae9c7f6ce6a6d11c76c149298a

SHA256
144b78d078c7dfcec76f260076a7119763b2fb04c3d759567567fca75e541926

SHA512
bbe52f4fdb29b569c639fee22e352ef8163d87ca2638c8e661f6037f19f438d174972b9f93c6735c5e285bc8eca26a2cffd82d52abc0d828afbbe6ccf739ae82

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
362605c62950071ad394637fc79c3b8d

SHA1
e704c9bc29aec617515e395e2330bc34206e655e

SHA256
6439f5fb04dcb9bc227e205d48e3f810ca8e8e8580c4070c21f96f5e7c04d0a1

SHA512
312c97c4c67b1479c02f4e4f190bab3b2a8bb027462932be818a062e5671a91387d52c7cc95e1e1e17418651288ad642a420761ee8054fccccde472836dd3471

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoheak.exe

Filesize
332KB

MD5
18d0c449a01fbcaad6d74243d2f9c634

SHA1
ec8ece814903de5ce1190d4beba66989757afc86

SHA256
ffe6018e61b61ff4b047e0186c7b40ee0e9a87c2039048ff6a67f46797bab423

SHA512
191d5b86916d8244e3c061fbbe2c44f3b0b038c4e11f41e671998b2f5c4f4b86ac4e0346faadf0e3a6837690d269d49c2e7d7483e6ad806719340f57a4739a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\isloc.exe

Filesize
223KB

MD5
a7b65f771726af9f21b7f3fe5e058ba1

SHA1
c71f248a8eea5a6b70ea65d517f2792a9bdddce8

SHA256
43a901f766ae996fa2e57f8bbbcd838f9563caa43683357c520504799b28cbba

SHA512
317e3bae191a023413c0cddebb462f8b1b92c26ba1591e1927425ddc782de211ee54949079b1c280105ef60f50c072e11c62684720f74775659cf505d0b01325

Download Submit
C:\Users\Admin\AppData\Local\Temp\lykoh.exe

Filesize
332KB

MD5
7244ee7629369fb165cafbf4ef4edbe5

SHA1
d2722db572ae31a6581d3f603595d96f8a977d52

SHA256
c74952217a81e52f33f31d6ed800cb55463ff94fb966444e980585745900f361

SHA512
a664e75291ead5996c904ab38c5f3f80bfffcbbd3a97657894a230f7eb99bc4c722332973f8f8471a135d9430c8a0a7b801ca40d48eb282df71777d305541541

Download Submit
memory/112-51-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/112-27-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/112-28-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1500-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1500-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2400-47-0x0000000000E50000-0x0000000000EF0000-memory.dmp

Filesize
640KB

Download
memory/2400-53-0x0000000000E50000-0x0000000000EF0000-memory.dmp

Filesize
640KB

Download
memory/2400-54-0x0000000000E50000-0x0000000000EF0000-memory.dmp

Filesize
640KB

Download
memory/3560-26-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads