urelas | f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8

General

Target

f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe
Size

331KB
MD5

d0f5aa37150fd76ed30c94e2ea861360
SHA1

0694a6dfaee9a3d72fb83cff3d059346335cceef
SHA256

f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8
SHA512

de106aae556355bd8447b84b996d949c7e1495a14fa89be322eac0a1797b6be2beba68ae232dfd53260723f917a3bdb7a66cfb648f39e59937a09d91070b34bd
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYu:vHW138/iXWlK885rKlGSekcj66cib

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ubcis.exe

Executes dropped EXE 2 IoCs

pid	Process
3120	ubcis.exe
436	dogod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ubcis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dogod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe
436	dogod.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 3120	4436	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	87
PID 4436 wrote to memory of 3120	4436	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	87
PID 4436 wrote to memory of 3120	4436	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	87
PID 4436 wrote to memory of 3280	4436	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	90
PID 4436 wrote to memory of 3280	4436	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	90
PID 4436 wrote to memory of 3280	4436	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	90
PID 3120 wrote to memory of 436	3120	ubcis.exe	101
PID 3120 wrote to memory of 436	3120	ubcis.exe	101
PID 3120 wrote to memory of 436	3120	ubcis.exe	101

C:\Users\Admin\AppData\Local\Temp\f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe
"C:\Users\Admin\AppData\Local\Temp\f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Users\Admin\AppData\Local\Temp\ubcis.exe
  "C:\Users\Admin\AppData\Local\Temp\ubcis.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Users\Admin\AppData\Local\Temp\dogod.exe
    "C:\Users\Admin\AppData\Local\Temp\dogod.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
9d9e06420c3ba86f8414fd83ba47a417

SHA1
cd23edf05181d27f24cb92fbf2d887f2ca2a6f38

SHA256
fd1458e291ed86807ab2ad499830b4d1187514c91e0ec70ef1c340e3baea5855

SHA512
0f2d51a0bd665054cec94b1fb0c8573fb3c681ea0f0b6dc474e9b1d792f81c6ac6461ddd50ed12642c3b447d73155deb0cf90def636dfa5b951ae485d9eef18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dogod.exe

Filesize
172KB

MD5
32f90afc243f0bbbf05940dfe52ea369

SHA1
6cdcc466e23135f340e81bfa45390a6127919bb0

SHA256
dfc7e948201f31889caff45d07cc4e1d55e2202092e9de16a66b701d47c4863c

SHA512
aa4592bda1c523f912e09bf1dfb3834821bbf88127aa0ca187376a1b78e51ebd4a54889ac9bf678041735e6d5a6f68c27ac69e4ee4c15dee81f05099fbc99fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7b638021dfcfd9b1e0636fa74bb7e02b

SHA1
fb6b363b39b40d72786735755a1d4ca75fa1f2a9

SHA256
411518d2928fc0d77035eb600cb38db4c4e33e01b4dd66645a0c793007447805

SHA512
f07e34a272b84b4f40f6d9a8e75cc6814d3bb32f2824f501bc94cc3bf947293691d42fb5e010db03452f18bf07cb21d698b726605c13ec1d655aaf80a5472712

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubcis.exe

Filesize
331KB

MD5
b50adec9ddf86d6a286cd06ce7283d8a

SHA1
ce9b26499c26a8c2c808e9b457ab14c9ef49621f

SHA256
a5fa133cb161b5186da4a0f41b76f7b45c5f6b5499bf10241ac1808c29d6409e

SHA512
dd9fd10719c6aee2485512194a4c2cd89b3ec8bda3195dfdb5ed568c23861e04dd54d4be79885267ff697aa80f472a5c03d9835d62f63c1355ced9d86fdbf513

Download Submit
memory/436-46-0x0000000000480000-0x0000000000519000-memory.dmp

Filesize
612KB

Download
memory/436-45-0x0000000000480000-0x0000000000519000-memory.dmp

Filesize
612KB

Download
memory/436-40-0x0000000000480000-0x0000000000519000-memory.dmp

Filesize
612KB

Download
memory/436-41-0x0000000000460000-0x0000000000462000-memory.dmp

Filesize
8KB

Download
memory/436-37-0x0000000000480000-0x0000000000519000-memory.dmp

Filesize
612KB

Download
memory/3120-20-0x0000000000F50000-0x0000000000FD1000-memory.dmp

Filesize
516KB

Download
memory/3120-43-0x0000000000F50000-0x0000000000FD1000-memory.dmp

Filesize
516KB

Download
memory/3120-14-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/3120-11-0x0000000000F50000-0x0000000000FD1000-memory.dmp

Filesize
516KB

Download
memory/4436-0-0x0000000000EA0000-0x0000000000F21000-memory.dmp

Filesize
516KB

Download
memory/4436-17-0x0000000000EA0000-0x0000000000F21000-memory.dmp

Filesize
516KB

Download
memory/4436-1-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing