urelas | 8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833e

General

Target

8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe
Size

323KB
MD5

54aac8667bedfee7994df8c337a7b170
SHA1

bc0dd454c453f0bb03ff14e1c05ace0270905cf6
SHA256

8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833e
SHA512

2e32e72186d173f2a5199869f71d1b0aa944a4801ca4bb46d4ed91c340339ff727b607d65c757d1e98e76c14269bbeaab68b0ce7c90084afb4012e85cfa6c114
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYF:vHW138/iXWlK885rKlGSekcj66cik

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	puxon.exe

Executes dropped EXE 2 IoCs

pid	Process
1960	puxon.exe
4632	govug.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	govug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puxon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe
4632	govug.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 1960	460	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe	92
PID 460 wrote to memory of 1960	460	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe	92
PID 460 wrote to memory of 1960	460	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe	92
PID 460 wrote to memory of 3600	460	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe	93
PID 460 wrote to memory of 3600	460	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe	93
PID 460 wrote to memory of 3600	460	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe	93
PID 1960 wrote to memory of 4632	1960	puxon.exe	103
PID 1960 wrote to memory of 4632	1960	puxon.exe	103
PID 1960 wrote to memory of 4632	1960	puxon.exe	103

C:\Users\Admin\AppData\Local\Temp\8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe
"C:\Users\Admin\AppData\Local\Temp\8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:460
- C:\Users\Admin\AppData\Local\Temp\puxon.exe
  "C:\Users\Admin\AppData\Local\Temp\puxon.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\govug.exe
    "C:\Users\Admin\AppData\Local\Temp\govug.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
e5a710945ccb435648dade351fc5f34d

SHA1
eb6b10ebc6f02f31f59c8bc5cb9a56baf2f7270f

SHA256
5348a01acd30fd07eea86973b6e178bd0fc94c00fddbb6c5af894273a9f1e7fe

SHA512
268d496deac975daf09e8ef0626b3030639622f08299c6aa7f3119cc4d1b780e00df87b551638281a36e4782ec72c7ecb492fff6253e6cb78641c3086815e69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bdf1e4ea8ea3fbb8df8f465a4d5a8a71

SHA1
af82358602244420cc63e21edc08f7ada59f2251

SHA256
77b617bb30c4c71d20e73f36110ffcce5cc45a9adff1ac1e8a295cf20e442bbe

SHA512
7e7eca32b6584ea081817714dca783d1c755364c3df390be3cfd4416c6e25fa4e7b149744afe0a5d0948b971a039172c800d162c4bfa645eca0d9f7343069f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\govug.exe

Filesize
172KB

MD5
24075a42c5c26805d655883cfceb3a65

SHA1
276499b1d49d4289eab7e9cbe2414a4c2f9b1861

SHA256
adcddda9e98b443ab899694e623364fe7017a83c228f8bbc768bc57e5c7e2b0d

SHA512
a2cd7c189e9e28dd07986422c9dec826be55bebe0d6c2d5c06c01f8c0eb4765897b2886841f4052b2c1d981172d7fa311bbfe4d768d5b90912ea9220eef2f2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\puxon.exe

Filesize
324KB

MD5
24052cdbcedb4023f7392c5e1bba4bdd

SHA1
73864389676a6917701b97c5ee6ef6df57c72524

SHA256
e5ac70e0b7d0d293db5f45a312aba87746b67b7d35a6306390c6b704a768fc4d

SHA512
584f4609fa2742a095272fe551c9553b6390a2e155d2dadc0bf4cee96c99e88601d81e80dc8f6e86785198cd08df7cd05203c844f502239da134249f238f2595

Download Submit
memory/460-1-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/460-17-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/460-0-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/1960-20-0x00000000006A0000-0x0000000000721000-memory.dmp

Filesize
516KB

Download
memory/1960-11-0x00000000006A0000-0x0000000000721000-memory.dmp

Filesize
516KB

Download
memory/1960-21-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/1960-14-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/1960-44-0x00000000006A0000-0x0000000000721000-memory.dmp

Filesize
516KB

Download
memory/4632-39-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4632-38-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/4632-40-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/4632-46-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4632-47-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/4632-48-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing