urelas | def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868

General

Target

def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
Size

333KB
MD5

c58a33997c726970f95036ac10700ea0
SHA1

6f1de5eb343eac83e5655f700cbd26df8ce0b5e8
SHA256

def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868
SHA512

31b20d9386fa879ec1a8f325359a4da9dfd16d1cde3ed40eac08b622a0b281ecf2fea45050fe0fa588a89d815f199f939896e7f444c1098e3350dbd4c73b8449
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYn:vHW138/iXWlK885rKlGSekcj66cie

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dusep.exe

Executes dropped EXE 2 IoCs

pid	Process
2384	dusep.exe
5084	depod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	depod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dusep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe
5084	depod.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2384	2176	def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe	86
PID 2176 wrote to memory of 2384	2176	def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe	86
PID 2176 wrote to memory of 2384	2176	def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe	86
PID 2176 wrote to memory of 3928	2176	def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe	87
PID 2176 wrote to memory of 3928	2176	def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe	87
PID 2176 wrote to memory of 3928	2176	def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe	87
PID 2384 wrote to memory of 5084	2384	dusep.exe	98
PID 2384 wrote to memory of 5084	2384	dusep.exe	98
PID 2384 wrote to memory of 5084	2384	dusep.exe	98

C:\Users\Admin\AppData\Local\Temp\def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
"C:\Users\Admin\AppData\Local\Temp\def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\dusep.exe
  "C:\Users\Admin\AppData\Local\Temp\dusep.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\depod.exe
    "C:\Users\Admin\AppData\Local\Temp\depod.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
af07bbbf99824bb85d4b9b850a1aa6a4

SHA1
b8ec12968efb0a2df10777d10ed34e1d28789bbe

SHA256
e56caf3c576e3fa94afb3be10f6fc9ee44bc135e1ca1889bb1605da68e5aaf56

SHA512
0d593fc865d89460b465d24d02ecf54772bb1503bc27b53f76cc40d805c10c44f61ff8e7d0000ec4ffdd52be3fd8f3c52d4177bb08f10792751269d6601153b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\depod.exe

Filesize
172KB

MD5
f9d4892d30d0d9467234db066b482969

SHA1
4b6c9d6ab4768ec184c5c7bcf98bf4d69fcc6193

SHA256
233492ff283cb4120384a695540b60b80b340a963d2cb14de804ef2dd93b3bd6

SHA512
020458e46ecbcc313e3861553a0b031e6d4308e2aadc113e46935372566c8901b1dea6a5632e8a4336f06d42617f700eeb268be4781a461671fccab6aeeea78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dusep.exe

Filesize
333KB

MD5
5dcd9c59ad22714476686080c1607501

SHA1
bb12f95b994f556e9a71442b771d54de7a5cb710

SHA256
bfa97982a22da4fc45729fa83af5f60a2b1f046ae1aaba19d9085e6c8c99162e

SHA512
cddb02b2893a60c1114c00a044859742a05708d32accbee47954f5475d52f20b17c5167e9397fff74d31727ad70cd61d0dd5c7a3f65056ad70a60923bbd150a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7a76b9e02f5774698efefad8bd20d409

SHA1
e4be6abddf9e497ce26848d1929de108b99d8ea9

SHA256
7395ee3e79227f243c7c095698df753ed8eb6bc61ce16406e32888f8e1881ad1

SHA512
dcbe2ec545b94034727a6204f4a705de0c414404ce6a2acdaab50ff48cd670b8dfaf6a0cc08bfdb5856c03ae5f6aec716d4a97c4f61852ed11d9f410ee2ba007

Download Submit
memory/2176-1-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/2176-0-0x0000000000070000-0x00000000000F1000-memory.dmp

Filesize
516KB

Download
memory/2176-17-0x0000000000070000-0x00000000000F1000-memory.dmp

Filesize
516KB

Download
memory/2384-20-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/2384-11-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/2384-21-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2384-13-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2384-41-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/5084-38-0x0000000000FD0000-0x0000000001069000-memory.dmp

Filesize
612KB

Download
memory/5084-39-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/5084-42-0x0000000000FD0000-0x0000000001069000-memory.dmp

Filesize
612KB

Download
memory/5084-47-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/5084-46-0x0000000000FD0000-0x0000000001069000-memory.dmp

Filesize
612KB

Download
memory/5084-48-0x0000000000FD0000-0x0000000001069000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing