urelas | e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bb

General

Target

e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe
Size

555KB
MD5

77cb473575e36fde924b9444f32c5270
SHA1

6e67a34d086a38ed35c6e8ce49d6c930f14df324
SHA256

e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bb
SHA512

ce99cc121968eb509739b8d3466915a6068b991750dc67a795f9986a79a13e655a6710bfca609eee9f8a1102480285cc5155c39660d854722f1fb31803586d0d
SSDEEP

12288:++GtVfjTQSaoINAHT1VQ1i3SyQEW85gzlm:+rt4/NArwjs5olm

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wodoc.exe

Executes dropped EXE 2 IoCs

pid	Process
4736	wodoc.exe
5052	kawio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3648	5052	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wodoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kawio.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 4736	1272	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe	82
PID 1272 wrote to memory of 4736	1272	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe	82
PID 1272 wrote to memory of 4736	1272	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe	82
PID 1272 wrote to memory of 828	1272	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe	83
PID 1272 wrote to memory of 828	1272	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe	83
PID 1272 wrote to memory of 828	1272	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe	83
PID 4736 wrote to memory of 5052	4736	wodoc.exe	94
PID 4736 wrote to memory of 5052	4736	wodoc.exe	94
PID 4736 wrote to memory of 5052	4736	wodoc.exe	94

C:\Users\Admin\AppData\Local\Temp\e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe
"C:\Users\Admin\AppData\Local\Temp\e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\wodoc.exe
  "C:\Users\Admin\AppData\Local\Temp\wodoc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\kawio.exe
    "C:\Users\Admin\AppData\Local\Temp\kawio.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 216
      4⤵
      Program crash
      PID:3648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5052 -ip 5052
1⤵
PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
85546bcf395aa6965faaf63bb3e704c2

SHA1
aa7fd0fc10f45ecf0d00625b0879131ea0c8ee4e

SHA256
77197d3a46bbfae4eac82ac7c15f3c74e1b44b8dbe7566ebad55c463478212ee

SHA512
66d94c367709a5f1b7c967028f4ff8451bc0e3b87d981c1ae3a38f8e3832ea9639bec5f5116bcd15872ed0fd0aacf7b1ffbd6c2f5f4511ea68815850d62bad7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9dd08fed738aa290fd3971ae9ab3feb3

SHA1
5d97e2f5fe43f237d37e751204146e6c0ec5c435

SHA256
e55c457ed08188d6f1f9f2710c05427d6a0756f05334689b2a7544fc11b38f30

SHA512
d748d3b969da7d17e7806c9158e15e413752b297e686c6ecb8ff509fe445ff56c4569ac453379bcd4f80ea67567d731295262b9382b7edf39d80778af3d43f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\kawio.exe

Filesize
231KB

MD5
f91569b938d0d4cad5044d69a423e1d9

SHA1
886a9848c1a09664ea64616b4e36587ffd4c94be

SHA256
f99aef306d471d5c0584e8cb60bebe7d35669ff6b4a6f63e570476996f131465

SHA512
76d2b99d2bcc96091c8e6af2275724404ff7566402ea6934438dbd0134e120512ed1f133a3d21f87b7ed2bfd574f00207bb03db313f3fb6c0762a738d788fa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wodoc.exe

Filesize
555KB

MD5
3268811c68d4dc81e76424b9fb07ef0b

SHA1
19145f4cf7b9655966232b69e69016966cd58009

SHA256
0fcd582fba56c4dd65ba62869d6bb84da5636a65f58bc4536da73c47f505d536

SHA512
e83dac0c53b6650a02aa4de79e37e71a5f16fbca96ebf40bdc16f62eabb1066fb9d40328c162ca29d3b2ab4cd9efd0675202e1917d62d195d905ba580dece096

Download Submit
memory/1272-0-0x0000000000590000-0x000000000061F000-memory.dmp

Filesize
572KB

Download
memory/1272-14-0x0000000000590000-0x000000000061F000-memory.dmp

Filesize
572KB

Download
memory/4736-10-0x00000000003B0000-0x000000000043F000-memory.dmp

Filesize
572KB

Download
memory/4736-17-0x00000000003B0000-0x000000000043F000-memory.dmp

Filesize
572KB

Download
memory/4736-27-0x00000000003B0000-0x000000000043F000-memory.dmp

Filesize
572KB

Download
memory/5052-26-0x00000000004B0000-0x0000000000563000-memory.dmp

Filesize
716KB

Download
memory/5052-28-0x00000000004B0000-0x0000000000563000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing