urelas | 97fd7fd1a5f91dd2e568acf6c600f673af1441cb1f2c200997427d6439d03192

General

Target

97fd7fd1a5f91dd2e568acf6c600f673af1441cb1f2c200997427d6439d03192N.exe
Size

324KB
MD5

60c59dea12551bf5b3f21ad87876b320
SHA1

e51d064f3e953c103c9755f6ebf54a52aa381610
SHA256

97fd7fd1a5f91dd2e568acf6c600f673af1441cb1f2c200997427d6439d03192
SHA512

2fb4cf8d60a98b0d4ca369c9f3fdf9b424729103116a2cb5ef4eaf2d1416d3a4a0268e48c533c7580da77e400acc0191617081119ddb2adad391ce981f9c9e63
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY8:vHW138/iXWlK885rKlGSekcj66cix

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	ifwob.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	97fd7fd1a5f91dd2e568acf6c600f673af1441cb1f2c200997427d6439d03192N.exe

Executes dropped EXE 2 IoCs

pid	Process
1904	ifwob.exe
3676	ujmec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97fd7fd1a5f91dd2e568acf6c600f673af1441cb1f2c200997427d6439d03192N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ifwob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujmec.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe
3676	ujmec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1904	2308	97fd7fd1a5f91dd2e568acf6c600f673af1441cb1f2c200997427d6439d03192N.exe	89
PID 2308 wrote to memory of 1904	2308	97fd7fd1a5f91dd2e568acf6c600f673af1441cb1f2c200997427d6439d03192N.exe	89
PID 2308 wrote to memory of 1904	2308	97fd7fd1a5f91dd2e568acf6c600f673af1441cb1f2c200997427d6439d03192N.exe	89
PID 2308 wrote to memory of 3100	2308	97fd7fd1a5f91dd2e568acf6c600f673af1441cb1f2c200997427d6439d03192N.exe	91
PID 2308 wrote to memory of 3100	2308	97fd7fd1a5f91dd2e568acf6c600f673af1441cb1f2c200997427d6439d03192N.exe	91
PID 2308 wrote to memory of 3100	2308	97fd7fd1a5f91dd2e568acf6c600f673af1441cb1f2c200997427d6439d03192N.exe	91
PID 1904 wrote to memory of 3676	1904	ifwob.exe	102
PID 1904 wrote to memory of 3676	1904	ifwob.exe	102
PID 1904 wrote to memory of 3676	1904	ifwob.exe	102

C:\Users\Admin\AppData\Local\Temp\97fd7fd1a5f91dd2e568acf6c600f673af1441cb1f2c200997427d6439d03192N.exe
"C:\Users\Admin\AppData\Local\Temp\97fd7fd1a5f91dd2e568acf6c600f673af1441cb1f2c200997427d6439d03192N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\ifwob.exe
  "C:\Users\Admin\AppData\Local\Temp\ifwob.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\ujmec.exe
    "C:\Users\Admin\AppData\Local\Temp\ujmec.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
a56cefb73c522be23ba7345f869080ed

SHA1
f423194874afc85c7a5b1577fe64188d0b249cb3

SHA256
fc9b34eee2d211f3797f52fa9d04f179b0acc60105480ef0af996217b352b5a9

SHA512
c09ce0e6051d914d7ca593ad160a74e00fb4ef31164fec9e1b35223171d71a4a5da7a66c1c6e83056ba8bf6435a8650134829a61847c91d14459df2b42767b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d265abe8c0fb4cf167878df22916ced9

SHA1
15b98f47bc0fd5e3bba943d2556d4584f533d7f9

SHA256
707202992fa3faa4ba91a5d1c1c8d361c08b521472a3a00fa375afcaea581d85

SHA512
64352713a4d8735f9ed4b956da0af6e0ba7015f03d3b20a85c9e811aaa010ced35399f7036e91c2af64b81934602b982879b7dc39c05ae23230bd6306cff803c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifwob.exe

Filesize
324KB

MD5
395893541082904a9e271a87847ba9b6

SHA1
ca9ba7a6d72c5e99eda10d15144d736ac5eb8717

SHA256
32a2e682a05d8fe3533eea2a286e1976613f7e8084d5b64f0a7388a7188a6e13

SHA512
18c52213a60f5f1deb062975f3522ce2caee41500be5c125cbd624e1726a0b06b2e18fe9396a716cce6b03c47eeea862295f866faf75ba377e43b4a79a32f1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujmec.exe

Filesize
172KB

MD5
f3d2fc9b70c4bcc7921b451a0acc8aad

SHA1
9b467cbbb16f6d6344bf65b5e4bd1e4597bc1f36

SHA256
ed82633be704037a5629023b8502670147958826b624a463b048757bee586660

SHA512
3ff61079f9556817a11480007edceea7d771f513b419de06e9e6f6364b5f8cc1edd585a5f3badbd92631b05acfa680eb5676a5c1e9909282f3afec9791b80c34

Download Submit
memory/1904-20-0x00000000000A0000-0x0000000000121000-memory.dmp

Filesize
516KB

Download
memory/1904-13-0x00000000000A0000-0x0000000000121000-memory.dmp

Filesize
516KB

Download
memory/1904-14-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/1904-43-0x00000000000A0000-0x0000000000121000-memory.dmp

Filesize
516KB

Download
memory/2308-17-0x0000000000200000-0x0000000000281000-memory.dmp

Filesize
516KB

Download
memory/2308-0-0x0000000000200000-0x0000000000281000-memory.dmp

Filesize
516KB

Download
memory/2308-1-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/3676-38-0x0000000000B20000-0x0000000000B22000-memory.dmp

Filesize
8KB

Download
memory/3676-40-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/3676-37-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/3676-46-0x0000000000B20000-0x0000000000B22000-memory.dmp

Filesize
8KB

Download
memory/3676-45-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/3676-47-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing