urelas | fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40

General

Target

fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe
Size

330KB
MD5

43e55807dae4d469554634d521bb51f0
SHA1

cd78a7587dc2931f3ad025fd5e369bfbf6c54878
SHA256

fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40
SHA512

81230acc56d16dc626b4847ee168f5cadd701793be92f275cb4b6a8acb4f10470e1c927ee790fb02f403ee9428b7ab5c56383c093108086f327d5c86b6009f87
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVt:vHW138/iXWlK885rKlGSekcj66ciEt

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exejedet.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	jedet.exe

Executes dropped EXE 2 IoCs

Processes:

jedet.exehucol.exe

pid	Process
4580	jedet.exe
4676	hucol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

hucol.exefe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exejedet.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hucol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jedet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

hucol.exe

pid	Process
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe
4676	hucol.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exejedet.exe

description	pid	Process	procid_target
PID 4328 wrote to memory of 4580	4328	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe	88
PID 4328 wrote to memory of 4580	4328	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe	88
PID 4328 wrote to memory of 4580	4328	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe	88
PID 4328 wrote to memory of 628	4328	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe	89
PID 4328 wrote to memory of 628	4328	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe	89
PID 4328 wrote to memory of 628	4328	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe	89
PID 4580 wrote to memory of 4676	4580	jedet.exe	102
PID 4580 wrote to memory of 4676	4580	jedet.exe	102
PID 4580 wrote to memory of 4676	4580	jedet.exe	102

C:\Users\Admin\AppData\Local\Temp\fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe
"C:\Users\Admin\AppData\Local\Temp\fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Users\Admin\AppData\Local\Temp\jedet.exe
  "C:\Users\Admin\AppData\Local\Temp\jedet.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Users\Admin\AppData\Local\Temp\hucol.exe
    "C:\Users\Admin\AppData\Local\Temp\hucol.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
6963e781731c44b4603e976d68b34d16

SHA1
610d6c8fe21974500a7c5cae1fb2e0f66ce0ba6a

SHA256
26d4e480f403deb561e51a66ac74935f3b62ff48eea3ce41db69e2c7a96db75c

SHA512
0111e482caf7687b3e9ef9e365a483602d31135e6410dc481c67d2b83826f43203c3d5d8066858d781affa545ee12cf04e9c3aa0a6c5ecca275e86ec6a9a6921

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0c37b728f4f4ce7efb9e6269c8119ffa

SHA1
211fb7de66a1023febdb0841ea6e4999ff6a1b52

SHA256
9af8cc5a6ac6d3f307ac8d96f0c5fdcc4d2d5bef6014e4669f446b2708458331

SHA512
16468a3fe0fe26abf699457d365433e1f6174c501beedd38abba127645ba5656a4b2eb1d340c58998ab9b9a4fd8dba2887406415b7caf367fe30696c3476933d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hucol.exe

Filesize
172KB

MD5
3dc21fc7dbc81369b690080c5b71cb0e

SHA1
11c3fcb9715395066a1c214954d081518ff5baa2

SHA256
3baad1ec5ef9f629f1a8aa70982ee50b047b495d865f265cb51901f2198c9e11

SHA512
8efea0ffeaa018c604f1cf05b04bff9ac03f2d2ee971e846e8c73ce92c95071cba400c0328c8c30e6540e039fc0f55f5c1e6a3ac1582c507d814365ee3b55176

Download Submit
C:\Users\Admin\AppData\Local\Temp\jedet.exe

Filesize
330KB

MD5
700e91159334bf20f47c694b4f014cca

SHA1
61dee34e3cc3f432fdd743489c16dffce62a5b88

SHA256
42b2101f0d97bfed26024cedbe74cc53ddca4d7a5478530059a7bbd2370e25f7

SHA512
ae0d43f6c7fd2646d7ad1292ae968822ad208152714f8837cee39ab0c96d5da29d88f3520e66099f9cf19d449d78b3d53bcd6f82577d42ef53579d7f81686d7e

Download Submit
memory/4328-1-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/4328-0-0x0000000000620000-0x00000000006A1000-memory.dmp

Filesize
516KB

Download
memory/4328-17-0x0000000000620000-0x00000000006A1000-memory.dmp

Filesize
516KB

Download
memory/4580-20-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download
memory/4580-13-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download
memory/4580-14-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4580-39-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download
memory/4676-40-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/4676-37-0x0000000000660000-0x00000000006F9000-memory.dmp

Filesize
612KB

Download
memory/4676-41-0x0000000000660000-0x00000000006F9000-memory.dmp

Filesize
612KB

Download
memory/4676-46-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/4676-45-0x0000000000660000-0x00000000006F9000-memory.dmp

Filesize
612KB

Download
memory/4676-47-0x0000000000660000-0x00000000006F9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads