urelas | 8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472

General

Target

8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe
Size

332KB
MD5

80c40844ce7c96763356bc8f55442a60
SHA1

f2b0bc7ff2c7803dee7c975f8ddc67f80ed59eba
SHA256

8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472
SHA512

490bb52421406db27c3b12add8876edefbece2aacb87fac488fcb9535aba787025f18776be54d3b26d36e79ef40c8bfa25b5e3b351241cac850c550d9eb600b2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYh:vHW138/iXWlK885rKlGSekcj66cik

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	iqjuz.exe

Executes dropped EXE 2 IoCs

pid	Process
4028	iqjuz.exe
748	loagz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loagz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iqjuz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe
748	loagz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 4028	3184	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe	88
PID 3184 wrote to memory of 4028	3184	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe	88
PID 3184 wrote to memory of 4028	3184	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe	88
PID 3184 wrote to memory of 3144	3184	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe	89
PID 3184 wrote to memory of 3144	3184	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe	89
PID 3184 wrote to memory of 3144	3184	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe	89
PID 4028 wrote to memory of 748	4028	iqjuz.exe	102
PID 4028 wrote to memory of 748	4028	iqjuz.exe	102
PID 4028 wrote to memory of 748	4028	iqjuz.exe	102

C:\Users\Admin\AppData\Local\Temp\8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe
"C:\Users\Admin\AppData\Local\Temp\8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Users\Admin\AppData\Local\Temp\iqjuz.exe
  "C:\Users\Admin\AppData\Local\Temp\iqjuz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Users\Admin\AppData\Local\Temp\loagz.exe
    "C:\Users\Admin\AppData\Local\Temp\loagz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
71eb4b9da5a2bedfb95309abd47afa79

SHA1
26d120c4c4a958c747ce7da21d20e7d04f1d0427

SHA256
235fd21006190231308a396c57ddf9c2e7484667665d628a83ebe1a57d0446e3

SHA512
1988d422c392d43b674ca64c76c1e541d16bf6634c036cc7709884169f07c4969ad043e4028a83bb412c983e423570108ca6307c5311d55f57dc23827c12cc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2c9c298825cb6bd0c0d47b94e28d4723

SHA1
348a041dade63a889626d1a4eba3c50332f778c1

SHA256
ed19c0c7388f441343a14b3760fb70f608b05090363df5187fd27ac9c9bf3018

SHA512
a415c04942eaf65b8a96284fc4ae5dd68328d5d86c7dd50520a031319337aa314de0c5e00512f4bff370a50e8844348a8de957718dd88a911871aa1a546bd8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqjuz.exe

Filesize
332KB

MD5
6f1476021526f934cdff944265be1abb

SHA1
ec50ca380f4d51ab7013901923de60cc8bed6e44

SHA256
c1f26650a03ab1809e1c68ff461d5d004332beb89f7687ff701a7222ba4d3f03

SHA512
94b43fa7b5ac38e2fadee38a51be3d37f13f034b4bc0784fea71c2f4d37e3653723151bed2d7f37842ca92836f12b996b818afbcf592410dbf96b2483a1645f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\loagz.exe

Filesize
172KB

MD5
278af57475f0340ffb16e863c8cb9b1b

SHA1
c6278f3cfadf1e36b7ea353bfb854c0cabbd78da

SHA256
a91682c4dae6546f0ee09dc2728cf316040563fff2174c2def203a948d773a50

SHA512
e9c343e8199909044baf593ab2c40cceb98dffaeeb209e6cb4ce6bd3d843c52896c36bb5d44c8c13c9f1630fdfcd5abd6a9049d2e6c5f0e033f3587e35ed928c

Download Submit
memory/748-48-0x0000000000930000-0x00000000009C9000-memory.dmp

Filesize
612KB

Download
memory/748-46-0x0000000000930000-0x00000000009C9000-memory.dmp

Filesize
612KB

Download
memory/748-38-0x0000000000930000-0x00000000009C9000-memory.dmp

Filesize
612KB

Download
memory/748-47-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

Filesize
8KB

Download
memory/748-39-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

Filesize
8KB

Download
memory/748-42-0x0000000000930000-0x00000000009C9000-memory.dmp

Filesize
612KB

Download
memory/3184-17-0x0000000000BE0000-0x0000000000C61000-memory.dmp

Filesize
516KB

Download
memory/3184-0-0x0000000000BE0000-0x0000000000C61000-memory.dmp

Filesize
516KB

Download
memory/3184-1-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/4028-20-0x0000000000960000-0x00000000009E1000-memory.dmp

Filesize
516KB

Download
memory/4028-41-0x0000000000960000-0x00000000009E1000-memory.dmp

Filesize
516KB

Download
memory/4028-21-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/4028-12-0x0000000000960000-0x00000000009E1000-memory.dmp

Filesize
516KB

Download
memory/4028-13-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing