urelas | 115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8

General

Target

115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe
Size

552KB
MD5

4489826c2eca1eb1a0123c0c46e6aca0
SHA1

1c006df93d42fa028e21a7f98c6ac8afc5198b25
SHA256

115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8
SHA512

b978da9070fb82166238114fb80f5b48acb6249a0854e5bc0fb695e759684f6e744282ff3c03c074ecf448b873d9993dd085e82c5e572b83b334c3a7435b0456
SSDEEP

12288:++GtVfjTQSaoINAHT1VQ1i3SyQEW85gzl8:+rt4/NArwjs5ol8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	jiwun.exe

Executes dropped EXE 2 IoCs

pid	Process
380	jiwun.exe
3044	ufvic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4656	3044	WerFault.exe	102
2728	3044	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jiwun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ufvic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 380	3908	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe	88
PID 3908 wrote to memory of 380	3908	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe	88
PID 3908 wrote to memory of 380	3908	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe	88
PID 3908 wrote to memory of 2728	3908	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe	89
PID 3908 wrote to memory of 2728	3908	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe	89
PID 3908 wrote to memory of 2728	3908	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe	89
PID 380 wrote to memory of 3044	380	jiwun.exe	102
PID 380 wrote to memory of 3044	380	jiwun.exe	102
PID 380 wrote to memory of 3044	380	jiwun.exe	102

C:\Users\Admin\AppData\Local\Temp\115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe
"C:\Users\Admin\AppData\Local\Temp\115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Users\Admin\AppData\Local\Temp\jiwun.exe
  "C:\Users\Admin\AppData\Local\Temp\jiwun.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Users\Admin\AppData\Local\Temp\ufvic.exe
    "C:\Users\Admin\AppData\Local\Temp\ufvic.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 216
      4⤵
      Program crash
      PID:4656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 236
      4⤵
      Program crash
      PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3044 -ip 3044
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3044 -ip 3044
1⤵
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
0f0d77ec69a66789ea072d5c8bf4594a

SHA1
c531b09c9e1045cf2542b197c269453be309d407

SHA256
170ab95cdfdf6d30e989295586f58aa23a84d8323a7af784439881b2577b8259

SHA512
144ce94591a25576edf368de017aa70a81af0db83464c23931143c4da632667520a23ba95487c034e5067ed45397dace571f3efb300957611d28bf749d617de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
32b40bf9d69549652a9c59998ac06ff9

SHA1
facd3d74e6cf562bfd6f9dd6273e900a7311b6df

SHA256
8e3c624f7da8f7351522800d91850c70fabbd7a6b5a27ebde2cf882a6f4cb2a4

SHA512
03dcf06b604ba331b44a707e646077f4a42c57f628b3005fa90ee673c589b031c43d6fe91f90ebe13507fa90cef7eda7549ada3edb1087a3a23c2363d3f7f8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiwun.exe

Filesize
552KB

MD5
cc1e4d88df2786acd1028420cfd8e63b

SHA1
32229038c4628f97c8a1ccdcf1205ce26205cd7c

SHA256
adf054e347b7c20c438c7b59a1c70251e0dae2ea4b096cafcd076660dcd3e80f

SHA512
159aa968d21845a6e46e0e89fd525f4743136dcf76e735b5750ffe2c7e16a57b2ce74001b66380dfa6b97f2b4194b990996c5a998a42985879c14ff1863fbeb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufvic.exe

Filesize
231KB

MD5
58c0e93a7f1f89abf5a5d70ff8bb7c39

SHA1
cbf603c5b645d83d8b5a5580deddbe973724488d

SHA256
d41a8373e75ebe3e449eed1b77e136b0d55a65f3a91974d73056f125555343d4

SHA512
37409b7bce35a75fd44ca398a1a406da30da3f13dec60d20775e69851115f1a6e994c74769287859806ed75eae2fea50676853d271f95ef0409013cb84b5346d

Download Submit
memory/380-12-0x00000000000B0000-0x000000000013F000-memory.dmp

Filesize
572KB

Download
memory/380-17-0x00000000000B0000-0x000000000013F000-memory.dmp

Filesize
572KB

Download
memory/380-27-0x00000000000B0000-0x000000000013F000-memory.dmp

Filesize
572KB

Download
memory/3044-26-0x0000000000CD0000-0x0000000000D83000-memory.dmp

Filesize
716KB

Download
memory/3908-0-0x00000000006B0000-0x000000000073F000-memory.dmp

Filesize
572KB

Download
memory/3908-14-0x00000000006B0000-0x000000000073F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing