urelas | 1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754

General

Target

1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe
Size

331KB
MD5

cf5c08b25c21683a077d908a07246850
SHA1

1c6120dd70615b1d09a7711e4c825f4a62cf37e8
SHA256

1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754
SHA512

39302ceef2b6904e5abd456722658ad6844de5f6e799d1e0936ceb9252878a3ac22ad3b77d1c2ce4ab572c2d3bc64c27af7cf08356aececded13956a6c33c7e3
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYx:vHW138/iXWlK885rKlGSekcj66ciU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	sowyk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe

Executes dropped EXE 2 IoCs

pid	Process
936	sowyk.exe
4864	sitaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sowyk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sitaa.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe
4864	sitaa.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 936	4076	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe	84
PID 4076 wrote to memory of 936	4076	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe	84
PID 4076 wrote to memory of 936	4076	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe	84
PID 4076 wrote to memory of 3152	4076	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe	85
PID 4076 wrote to memory of 3152	4076	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe	85
PID 4076 wrote to memory of 3152	4076	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe	85
PID 936 wrote to memory of 4864	936	sowyk.exe	96
PID 936 wrote to memory of 4864	936	sowyk.exe	96
PID 936 wrote to memory of 4864	936	sowyk.exe	96

C:\Users\Admin\AppData\Local\Temp\1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe
"C:\Users\Admin\AppData\Local\Temp\1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Local\Temp\sowyk.exe
  "C:\Users\Admin\AppData\Local\Temp\sowyk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Users\Admin\AppData\Local\Temp\sitaa.exe
    "C:\Users\Admin\AppData\Local\Temp\sitaa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
e118461ab2ea0954890f9b1c12e2699a

SHA1
cc9a9d8f8e4484e2d7e3ee2b9cb6ca5960e38ca6

SHA256
08958cc88cc58b42d9fb0e8b477b1c781b0e656da45ba973ee2547ec79a776e5

SHA512
f71fff2915bcedeaf5afa05eb8204e1386280e1b082a5016c947a91bda0d92bac56d4f312b383644c99722b7f2b2f07447bd04d9b0670591ef3608103e6955a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3fd1bf4736d2abeda4d6db3abaf253e2

SHA1
d164b472974895e8ff7f74b4cf8ab13131a7cd6b

SHA256
7eded07326366566c960319f92dd5153ecbc921c750bb45b4c945173bf3e6ff1

SHA512
43a9534d6d30014a1ad30c75dea3f9c3ee843ccd3d975fdab6af9da9d25865c3bb6415856ca1f7254d93d6cf4041945daf32495a0995a21d1d78739acae2070b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sitaa.exe

Filesize
172KB

MD5
15bf147db4b859a9b63195b6d228c4ca

SHA1
781856cb9a659d8e0bd482b7575c9ca924dd4f83

SHA256
64d51b23d6e3e6a02f850a66f9fccc245a4054b9e665d2a7f190e157ed9f338a

SHA512
4588cf6559193760c0b70ef44c6a7113e3b6df02a3880094a44ceb03d72aa18b6e1f61ba41a846cbbd4afeb23f937041384d939656e2cf7bf2ed4529b28bee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\sowyk.exe

Filesize
331KB

MD5
243fe037b6a03b810c4e6b29a9230f88

SHA1
2476e0dc87d9063f2b55d3dae5788701ddbd85ef

SHA256
6255ab7e0e978a2a3b2be1d866789df1d510d12976741535fb77e74069575ce5

SHA512
764942c006e21f2a673a50855d09fe98774dde4be85bb09744afb68bd2d14ea7fc6358070cd576692bcc5c61872f9eae33d95917a46adf8e45437dfd94b3390f

Download Submit
memory/936-20-0x0000000000180000-0x0000000000201000-memory.dmp

Filesize
516KB

Download
memory/936-41-0x0000000000180000-0x0000000000201000-memory.dmp

Filesize
516KB

Download
memory/936-14-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/936-11-0x0000000000180000-0x0000000000201000-memory.dmp

Filesize
516KB

Download
memory/936-21-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/4076-0-0x00000000002E0000-0x0000000000361000-memory.dmp

Filesize
516KB

Download
memory/4076-1-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/4076-17-0x00000000002E0000-0x0000000000361000-memory.dmp

Filesize
516KB

Download
memory/4864-38-0x0000000000F60000-0x0000000000FF9000-memory.dmp

Filesize
612KB

Download
memory/4864-39-0x00000000013C0000-0x00000000013C2000-memory.dmp

Filesize
8KB

Download
memory/4864-42-0x0000000000F60000-0x0000000000FF9000-memory.dmp

Filesize
612KB

Download
memory/4864-47-0x00000000013C0000-0x00000000013C2000-memory.dmp

Filesize
8KB

Download
memory/4864-46-0x0000000000F60000-0x0000000000FF9000-memory.dmp

Filesize
612KB

Download
memory/4864-48-0x0000000000F60000-0x0000000000FF9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing