urelas | 7347df3dabb4d3024d32142c854bc53bf3a5220f69fe34d8bfaceefdbd191ff6

General

Target

fcc5d6a338d280b4ab1a7551749eec10N.exe
Size

323KB
MD5

fcc5d6a338d280b4ab1a7551749eec10
SHA1

bd2468cbaab197ed984de895b26aab04643255a8
SHA256

7347df3dabb4d3024d32142c854bc53bf3a5220f69fe34d8bfaceefdbd191ff6
SHA512

46e4cf60023a6d6b018ea93c882c237a4c15422d4876a563fc478d1be4b920a05be33c317f24cf49daaccdcb03a88ecef5e41e8ad7720b2c2dbcac82a69e9ae0
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYA:vHW138/iXWlK885rKlGSekcj66ciR

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	fcc5d6a338d280b4ab1a7551749eec10N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	fowat.exe

Executes dropped EXE 2 IoCs

pid	Process
4772	fowat.exe
776	qukul.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qukul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcc5d6a338d280b4ab1a7551749eec10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fowat.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe
776	qukul.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 4772	1260	fcc5d6a338d280b4ab1a7551749eec10N.exe	89
PID 1260 wrote to memory of 4772	1260	fcc5d6a338d280b4ab1a7551749eec10N.exe	89
PID 1260 wrote to memory of 4772	1260	fcc5d6a338d280b4ab1a7551749eec10N.exe	89
PID 1260 wrote to memory of 3340	1260	fcc5d6a338d280b4ab1a7551749eec10N.exe	90
PID 1260 wrote to memory of 3340	1260	fcc5d6a338d280b4ab1a7551749eec10N.exe	90
PID 1260 wrote to memory of 3340	1260	fcc5d6a338d280b4ab1a7551749eec10N.exe	90
PID 4772 wrote to memory of 776	4772	fowat.exe	101
PID 4772 wrote to memory of 776	4772	fowat.exe	101
PID 4772 wrote to memory of 776	4772	fowat.exe	101

C:\Users\Admin\AppData\Local\Temp\fcc5d6a338d280b4ab1a7551749eec10N.exe
"C:\Users\Admin\AppData\Local\Temp\fcc5d6a338d280b4ab1a7551749eec10N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\fowat.exe
  "C:\Users\Admin\AppData\Local\Temp\fowat.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\qukul.exe
    "C:\Users\Admin\AppData\Local\Temp\qukul.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
278B

MD5
48f1db0a636d1f6751745b28bedef4ba

SHA1
335b2cbcd7f9d639d684f080c7ea663134db59ce

SHA256
42f48a66650865b22799602069df58daba6b96235fc3abd649bd0d1d8a061e50

SHA512
baaac9d420b0076c7694694f62ccd713df0187ea34ef1d479a254fcc11dc89fcf64d0a344b89549e5ec0a09266e8346c5f077a1d38e9cd4ebcf06a998e2d7840

Download Submit
C:\Users\Admin\AppData\Local\Temp\fowat.exe

Filesize
323KB

MD5
dcc7da13ea13ff098a75e81dab6e7aae

SHA1
f21a2b5dbe8e625e2dceb7fb1678d7efa451fa01

SHA256
4b781acbd83d52bdbeae01819776a9105544e68440654d3030bca253ad228088

SHA512
686b17ee63e75bcbb5c5289edf43aeabad2c79ec313222b0a37f91278217dbde150849fa11b28a62383b2a7b167af3bde71d74f3f877b1299e892b23f47da171

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0dd59971254a85e9ec5075bd28ac76ab

SHA1
bcb99b365cb9a388a8efa56723d79227341f3d98

SHA256
75fdedb0e93915c11896cda416ac29e41e971eb220bef4bae5231cf0b17d719a

SHA512
aeed7957101d5225b6e2534208d67f368d7dadd73b41c6939df94282562283325f2d6fa90bed1d636bba12be62721ef3622cff2389dc4240aa14c831bd8fc8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qukul.exe

Filesize
172KB

MD5
01989c378238e75c45d0d31e42f58a65

SHA1
76c522834e82246b60e5d4f2a6b78bd8fa5ff4bd

SHA256
580f30c5a9596426a7d47a5c184bffa2761dc7168a534bd8db50becd9f360857

SHA512
38e7ff45cde231cb88af65755e62899d4d5602ab62b49f57eaad210da2e8a34260bc4b6d415bd0788a9864814499775527e7022632bf8e1f5d9e5b39f645784c

Download Submit
memory/776-48-0x0000000000A50000-0x0000000000AE9000-memory.dmp

Filesize
612KB

Download
memory/776-46-0x0000000000A50000-0x0000000000AE9000-memory.dmp

Filesize
612KB

Download
memory/776-41-0x0000000000D50000-0x0000000000D52000-memory.dmp

Filesize
8KB

Download
memory/776-47-0x0000000000D50000-0x0000000000D52000-memory.dmp

Filesize
8KB

Download
memory/776-38-0x0000000000A50000-0x0000000000AE9000-memory.dmp

Filesize
612KB

Download
memory/776-42-0x0000000000A50000-0x0000000000AE9000-memory.dmp

Filesize
612KB

Download
memory/1260-17-0x0000000000B40000-0x0000000000BC1000-memory.dmp

Filesize
516KB

Download
memory/1260-0-0x0000000000B40000-0x0000000000BC1000-memory.dmp

Filesize
516KB

Download
memory/1260-1-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4772-20-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/4772-40-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/4772-21-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/4772-13-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/4772-14-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing