urelas | c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139

General

Target

c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe
Size

332KB
MD5

aece7a093e6b27c5f1474cd8422c9e66
SHA1

eeb0ba66278e98a2241a3cd19d317007575c6578
SHA256

c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139
SHA512

3e94f42fb41f5cb3384f8e23b75d1539c9cd2bd5aa2aff2d9a5c1cd5496b8cd2493f22c76da08b516aed689b62d025028d29c4f98c2487f80017e3c4b9b612aa
SSDEEP

6144:yty5fbpxDuMcHYwt1gxloqtaE5iWbUMqfn8EijRUNafrHBw/iq:ytCLD7+51gxeq3gOU9EEQrhMJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exevoimz.exexouwwo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe
Key value queried	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation	voimz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation	xouwwo.exe

Executes dropped EXE 3 IoCs

Processes:

voimz.exexouwwo.exekofea.exe

pid process

2188 voimz.exe
2816 xouwwo.exe
3968 kofea.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2188	voimz.exe
2816	xouwwo.exe
3968	kofea.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exevoimz.execmd.exexouwwo.exekofea.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voimz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xouwwo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kofea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kofea.exe

pid	process
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe
3968	kofea.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exevoimz.exexouwwo.exe

description	pid	process	target process
PID 3408 wrote to memory of 2188	3408	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe	voimz.exe
PID 3408 wrote to memory of 2188	3408	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe	voimz.exe
PID 3408 wrote to memory of 2188	3408	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe	voimz.exe
PID 3408 wrote to memory of 3944	3408	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe	cmd.exe
PID 3408 wrote to memory of 3944	3408	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe	cmd.exe
PID 3408 wrote to memory of 3944	3408	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe	cmd.exe
PID 2188 wrote to memory of 2816	2188	voimz.exe	xouwwo.exe
PID 2188 wrote to memory of 2816	2188	voimz.exe	xouwwo.exe
PID 2188 wrote to memory of 2816	2188	voimz.exe	xouwwo.exe
PID 2816 wrote to memory of 3968	2816	xouwwo.exe	kofea.exe
PID 2816 wrote to memory of 3968	2816	xouwwo.exe	kofea.exe
PID 2816 wrote to memory of 3968	2816	xouwwo.exe	kofea.exe
PID 2816 wrote to memory of 2576	2816	xouwwo.exe	cmd.exe
PID 2816 wrote to memory of 2576	2816	xouwwo.exe	cmd.exe
PID 2816 wrote to memory of 2576	2816	xouwwo.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe
"C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Users\Admin\AppData\Local\Temp\voimz.exe
  "C:\Users\Admin\AppData\Local\Temp\voimz.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\xouwwo.exe
    "C:\Users\Admin\AppData\Local\Temp\xouwwo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\kofea.exe
      "C:\Users\Admin\AppData\Local\Temp\kofea.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
e3c07938cd77830b2a184a14c8d88008

SHA1
66de4e4665ae56fa8015c73f5be3703c763dae71

SHA256
9e9d2ed9ea8bb286a1d10c62270c70181c5dcd452b432700dceed777c8b8ad02

SHA512
8a001ab8b6d75e58bd80c0d1e357794f4c77e4959a47ed69d22273d17e6f7b100677cfb76d327cf10314016fe3784c529afcb57e54e205d455354ea8098539a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
76eb2aa4d2a6385921f790518b720f10

SHA1
76d06ce6774c0833e475a1ce97ba80a0b9ab2f5e

SHA256
0a7ccbac853afb6e7ed0a44a39cfd103ef8af4cb3cd5547bd6b8dcbf2f8d3295

SHA512
1cb59436657bcc72b037028317a2f8c639a651827b685943d6fa597ebd43136bf34cd82b705c87da133de75029508793a186e1f436f147afddd2cda62897532e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cc1a5e8a57326e8d947988010b5d0550

SHA1
4961e852bfead364b73e2aea5918dded939dac08

SHA256
1a19cb361d35d15462a02be5abad7a1839bf996b6c8a49417613b98f6dd07360

SHA512
700a5ae7732b0485806423f6efa06a3e23d40140f61dcac149eb1114f603179f8952321dc8eedf21eb492e71a08396c6e693089a64dd4dbcd138b0d5a9c2c1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kofea.exe

Filesize
223KB

MD5
df042bb1cc8f91583f847470078dab69

SHA1
755c9c60b2a7de7e45174836ebdb064b2144ef0e

SHA256
60c9044ccb16b29def2ae2eabc94652bfa62eb3e57ffdf97555e5fd125765111

SHA512
176b33d4226ee43533f46c81c34e5c4f576476a5ad87dda2773ae229c4eaa2db228367f5ecdce304a83c6da5345c1f3c9edf10f301cda58b84bdeb0e675b547d

Download Submit
C:\Users\Admin\AppData\Local\Temp\voimz.exe

Filesize
332KB

MD5
70b82f3103f49860468c07fd372450e9

SHA1
b577e912c02344ac627359f959795ed0dd0dd75a

SHA256
04f96d1d3040f8e3cda310ade83384b518aa1fe23088ac90da68fca28ae14836

SHA512
003f7c0260935b0cd4f0cd7580830f6aef7517434817c878d985c78a4ad298c86cf105b77afec5eca8bf4a377a6a35d51a03e79c7f7be53c16db8cf31cec5178

Download Submit
C:\Users\Admin\AppData\Local\Temp\xouwwo.exe

Filesize
332KB

MD5
f52a82dd49d3752f5c06ff06331d0096

SHA1
20225fb43f81f023f89af67c93ea9c62f0546c08

SHA256
2aef1636838e5baaadda09dcfabe2da7a4d5a36f4d8421fc68ad9a34a946f3b1

SHA512
87238536d5090cc54a1101b7ff7b9f5224f782e3ffd78fb1785fffb524297ced89563723776ae72882bb2a5976092e16a52d6a15da9f571be11d09bed6d8ecc8

Download Submit
memory/2188-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2816-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2816-48-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2816-26-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3408-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3408-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3968-45-0x0000000000700000-0x00000000007A0000-memory.dmp

Filesize
640KB

Download
memory/3968-51-0x0000000000700000-0x00000000007A0000-memory.dmp

Filesize
640KB

Download
memory/3968-52-0x0000000000700000-0x00000000007A0000-memory.dmp

Filesize
640KB

Download
memory/3968-53-0x0000000000700000-0x00000000007A0000-memory.dmp

Filesize
640KB

Download
memory/3968-54-0x0000000000700000-0x00000000007A0000-memory.dmp

Filesize
640KB

Download
memory/3968-55-0x0000000000700000-0x00000000007A0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads