urelas | 4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9

General

Target

4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe
Size

330KB
MD5

463f5610b951b6cca819ec598c1e5e90
SHA1

be4d199ce6592614e3964f6ba37da23a81281621
SHA256

4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9
SHA512

c341b274a03dfe726eead3aef688a47742c93985e0768562fac61e3d980ea8b951c5c694a348a67c7daba2a7400cbc68e33d30f7c3594299b1287f70bf568367
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY6:vHW138/iXWlK885rKlGSekcj66cib

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	dodee.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	dodee.exe
1312	lusaj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lusaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dodee.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe
1312	lusaj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 3068	1284	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe	82
PID 1284 wrote to memory of 3068	1284	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe	82
PID 1284 wrote to memory of 3068	1284	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe	82
PID 1284 wrote to memory of 4356	1284	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe	83
PID 1284 wrote to memory of 4356	1284	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe	83
PID 1284 wrote to memory of 4356	1284	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe	83
PID 3068 wrote to memory of 1312	3068	dodee.exe	94
PID 3068 wrote to memory of 1312	3068	dodee.exe	94
PID 3068 wrote to memory of 1312	3068	dodee.exe	94

C:\Users\Admin\AppData\Local\Temp\4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe
"C:\Users\Admin\AppData\Local\Temp\4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\dodee.exe
  "C:\Users\Admin\AppData\Local\Temp\dodee.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\lusaj.exe
    "C:\Users\Admin\AppData\Local\Temp\lusaj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
2d458e2e5fb0ca55c3e6c41da5e1a8f8

SHA1
2395fbb7aa04f79d7f7f69c32a637decce91cbc4

SHA256
981328514ce143f6f56d351b41051cd0b14cf57c8852be0ea0fd2f605b3d874e

SHA512
14563dc629e39aaa19816958301c1c933afe99efefab82ac71b9d7dd4ab699e638d7646e6c9b81df1ead64fc9a89633c4d94e5be07c25884f3bf092594052086

Download Submit
C:\Users\Admin\AppData\Local\Temp\dodee.exe

Filesize
331KB

MD5
1cdc7e86d93df4ec263d6698e6193490

SHA1
ee5886066c8edb95148c85a4f29b2c1e31cf7698

SHA256
68ea92f38a0df2608e9bde35adf87faf53d0b8e7e979d94954a54f79e8fa233b

SHA512
2399699bfe6754d2083208ccca8af1acf2ef5838a45ff516cf44b8ea14352760d748a58396dab5ca9d50cffb2dd3dd6cca6327f62c6bd41a47e00586dcf2480c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
578830662ee88d8850428d4ba5de1d60

SHA1
0b3f6148051fd6879c15ce88799ee451af2207fa

SHA256
a60b7767b21c7ec636ad4edd89c4bc862cb529737eb0de0f19fb9c988f1ba4e8

SHA512
e0eaae876f7b4704a8402f7ec350ebb122057ea6abe2da0f828765a1321d575f76706ea9ff6d948755eb76d0318d980542b39cadc563da07196f6e463c4878d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lusaj.exe

Filesize
172KB

MD5
a69c9b75e7def5f61de1bcd31146b20d

SHA1
32d5590fcfee8c66775b8624eeba781f8cdf3519

SHA256
946e5dd92bf803b4087de21032c6e45ba82f247b3a26b36bcc17e045225c4771

SHA512
34e891606208489ae66f6486bffce509133dd10e48f4deca621aa5323d8d4288c5ef4e92ac30f848b74dbf34a9059898edbbdce3c85278285cd7571e86ddbf69

Download Submit
memory/1284-1-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/1284-0-0x0000000000240000-0x00000000002C1000-memory.dmp

Filesize
516KB

Download
memory/1284-17-0x0000000000240000-0x00000000002C1000-memory.dmp

Filesize
516KB

Download
memory/1312-48-0x00000000009E0000-0x0000000000A79000-memory.dmp

Filesize
612KB

Download
memory/1312-47-0x00000000009E0000-0x0000000000A79000-memory.dmp

Filesize
612KB

Download
memory/1312-46-0x0000000000B60000-0x0000000000B62000-memory.dmp

Filesize
8KB

Download
memory/1312-40-0x0000000000B60000-0x0000000000B62000-memory.dmp

Filesize
8KB

Download
memory/1312-42-0x00000000009E0000-0x0000000000A79000-memory.dmp

Filesize
612KB

Download
memory/1312-41-0x00000000009E0000-0x0000000000A79000-memory.dmp

Filesize
612KB

Download
memory/3068-12-0x0000000000830000-0x00000000008B1000-memory.dmp

Filesize
516KB

Download
memory/3068-39-0x0000000000830000-0x00000000008B1000-memory.dmp

Filesize
516KB

Download
memory/3068-21-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/3068-20-0x0000000000830000-0x00000000008B1000-memory.dmp

Filesize
516KB

Download
memory/3068-13-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing