urelas | 76f3b4fd872476566139d536c7a0ef39ff4c3f71981bd8637119bc375f45b257

General

Target

cb5265d8300261e98182aa6753ecbe30N.exe
Size

689KB
MD5

cb5265d8300261e98182aa6753ecbe30
SHA1

117e1d7c5860fe2f5efdd3a3af585a754c026729
SHA256

76f3b4fd872476566139d536c7a0ef39ff4c3f71981bd8637119bc375f45b257
SHA512

94efd13872d52583da8b43f7a7f9311d4786f758125136f9716b05a3aa7bf8f1bcffcc5c18bc92c82608e3de1a1b5b4c13ff495db84b69c94500c46c3eaf8605
SSDEEP

12288:EUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nT:YVh6gl6Iy8R9+ZdnnP94jpgl9BnT

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	cb5265d8300261e98182aa6753ecbe30N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	nudew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	osvuhu.exe

Executes dropped EXE 3 IoCs

pid	Process
464	nudew.exe
3680	osvuhu.exe
4620	desea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb5265d8300261e98182aa6753ecbe30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nudew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osvuhu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	desea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4620	desea.exe
4620	desea.exe
4620	desea.exe
4620	desea.exe
4620	desea.exe
4620	desea.exe
4620	desea.exe
4620	desea.exe
4620	desea.exe
4620	desea.exe
4620	desea.exe
4620	desea.exe
4620	desea.exe
4620	desea.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 464	3604	cb5265d8300261e98182aa6753ecbe30N.exe	85
PID 3604 wrote to memory of 464	3604	cb5265d8300261e98182aa6753ecbe30N.exe	85
PID 3604 wrote to memory of 464	3604	cb5265d8300261e98182aa6753ecbe30N.exe	85
PID 3604 wrote to memory of 1240	3604	cb5265d8300261e98182aa6753ecbe30N.exe	86
PID 3604 wrote to memory of 1240	3604	cb5265d8300261e98182aa6753ecbe30N.exe	86
PID 3604 wrote to memory of 1240	3604	cb5265d8300261e98182aa6753ecbe30N.exe	86
PID 464 wrote to memory of 3680	464	nudew.exe	88
PID 464 wrote to memory of 3680	464	nudew.exe	88
PID 464 wrote to memory of 3680	464	nudew.exe	88
PID 3680 wrote to memory of 4620	3680	osvuhu.exe	103
PID 3680 wrote to memory of 4620	3680	osvuhu.exe	103
PID 3680 wrote to memory of 4620	3680	osvuhu.exe	103
PID 3680 wrote to memory of 4264	3680	osvuhu.exe	104
PID 3680 wrote to memory of 4264	3680	osvuhu.exe	104
PID 3680 wrote to memory of 4264	3680	osvuhu.exe	104

C:\Users\Admin\AppData\Local\Temp\cb5265d8300261e98182aa6753ecbe30N.exe
"C:\Users\Admin\AppData\Local\Temp\cb5265d8300261e98182aa6753ecbe30N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Local\Temp\nudew.exe
  "C:\Users\Admin\AppData\Local\Temp\nudew.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\osvuhu.exe
    "C:\Users\Admin\AppData\Local\Temp\osvuhu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\desea.exe
      "C:\Users\Admin\AppData\Local\Temp\desea.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
278B

MD5
d29ff250c64301f5011fecd35a9784d4

SHA1
f207ccfb02628b0db0f09a1f1d3e4d217757f0ae

SHA256
96cc7445cd525d9f6f9bf47eb59949045db3f86eb97d05ec78cec80250220e48

SHA512
d8bdc31654f4f24138cd02b98da9e696ce3f5b85d51323d899b89214ae1fb2eb311b9b40af2fc01e73dabc51627fd76248600c87a1a423672442dd19cf24dde2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9b7f175d44df0650950fe68089f350fb

SHA1
bd01b069daf4f68ffd1dcc6fbc3149609682f227

SHA256
e6ce26823c80f54f8b4a42c7340c62b023a829e0f55c018b3d617abfd2a877db

SHA512
5e7f784d907c4d76bed2a36b37f85db87ae68e7908bd42174672219d59687109aee34efffc1a0d310fe9381870b84515be2e5a593435b9d4b240b52153fef2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\desea.exe

Filesize
469KB

MD5
3e723fe9d0dc1599cacf353b17b3aef5

SHA1
1ff687a77faca44dbfc2769ed3cb1b58115e47a2

SHA256
ac816f4fcb5b4150a76241b84a881e97fc68b839c79e31e1340ba3aa19798d02

SHA512
6da90973d24cc91df958876ddef618f65c96d4e60c8802a0bcba825e100bac54e268cb5cc4b8b2e7df4aa4c309c030374050a2fd78a9ad53662458421650f96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a82cd105e4cd7e7a12d788a74c9054d1

SHA1
a8329e3d8b1a9662d044224cfd07a52c8a904b16

SHA256
6306156a1997ee44282b333c6edac39a4ab8239dc4849b3f8a855a68e7d34a8f

SHA512
66cb1cedacdf5c1934c65731ebe0d73c7a944f31dbb20900d8dc006624607f2994c63ff09e8b62e225fb957710266d2fd66119f71388efd3af0e450609ee86b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nudew.exe

Filesize
689KB

MD5
415278047e73fbd9b6defcc457dd9c92

SHA1
bb39384a3473d101e64bba7941d1159e87b7c6c0

SHA256
d85490abe55971c6e32ee26ae6f6ed5314f29ec6041b7bfce71e59396fb0c3ee

SHA512
1af6eb5fa8649fb32ce3b492f080bbeca1aab7af6945804f61aff64a631eba72d8a41da25c3ed4c17b9867790f51c2a442d3d7e3f652fce56056821f59c63deb

Download Submit
memory/464-27-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3604-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3604-16-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3604-1-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3680-28-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3680-42-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4620-40-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4620-45-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing