urelas | 0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42a

General

Target

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
Size

446KB
MD5

019dd5686e62593b1a205d4d1a4b85d0
SHA1

2e9ecbe2eb2d55692a299be7f155117284f077de
SHA256

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42a
SHA512

c083b7175daca3d47ca5e6b723de9178367be5dc1cd6a49f2509649e245a73ff83ca05e52626c0971dda3bd1c176d2182c40b1a884c1963bf9b20e77c3e43460
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpoG:PMpASIcWYx2U6hAJQnS

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exetylow.exeidfoca.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	tylow.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	idfoca.exe

Executes dropped EXE 3 IoCs

Processes:

tylow.exeidfoca.exetehos.exe

pid	Process
872	tylow.exe
3196	idfoca.exe
2584	tehos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tehos.execmd.exe0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exetylow.execmd.exeidfoca.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tehos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tylow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idfoca.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

tehos.exe

pid	Process
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe
2584	tehos.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exetylow.exeidfoca.exe

description	pid	Process	procid_target
PID 2912 wrote to memory of 872	2912	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	86
PID 2912 wrote to memory of 872	2912	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	86
PID 2912 wrote to memory of 872	2912	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	86
PID 2912 wrote to memory of 1112	2912	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	87
PID 2912 wrote to memory of 1112	2912	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	87
PID 2912 wrote to memory of 1112	2912	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	87
PID 872 wrote to memory of 3196	872	tylow.exe	89
PID 872 wrote to memory of 3196	872	tylow.exe	89
PID 872 wrote to memory of 3196	872	tylow.exe	89
PID 3196 wrote to memory of 2584	3196	idfoca.exe	103
PID 3196 wrote to memory of 2584	3196	idfoca.exe	103
PID 3196 wrote to memory of 2584	3196	idfoca.exe	103
PID 3196 wrote to memory of 4660	3196	idfoca.exe	104
PID 3196 wrote to memory of 4660	3196	idfoca.exe	104
PID 3196 wrote to memory of 4660	3196	idfoca.exe	104

C:\Users\Admin\AppData\Local\Temp\0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
"C:\Users\Admin\AppData\Local\Temp\0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\tylow.exe
  "C:\Users\Admin\AppData\Local\Temp\tylow.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\idfoca.exe
    "C:\Users\Admin\AppData\Local\Temp\idfoca.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\tehos.exe
      "C:\Users\Admin\AppData\Local\Temp\tehos.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
8793e8e433434c5cee43ad475aa4d66c

SHA1
d351f2ad621f15703700f01be489c6557b2cb6cd

SHA256
9fe8bc2c5103c12e5bf4e54e427889bd1f8f00c98482a455c474829d13300e58

SHA512
528537bc19535f822498b561840c4b81524101b2656c6b0eab4e83e36841f99e20d8d54fe7923f3b7e48e007e062b01a2cd4fc2ff93354e26597f061a1e971d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
7e0f5928224d957b72bbb7e195ad6499

SHA1
19b898ab2f71bc201fab6d8662d2a4b6028ecb0e

SHA256
a58b35ed3c9cda877a2f96a2b019502e7b99d33434f96db3ab59b7370239d2e2

SHA512
b9a17d76d934f9a0ae8c2a2c6efb4335a73168069c2a097092b4839230bb771adcf2d2c9d255ebb74e6730a1433a5913339515de7d50a30f64ce7d3499acd10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
dc1147e454d40bb246c70bc0bc3e092a

SHA1
4355bd121431b258ff718b2a8c0f0132c626e999

SHA256
fe43f36637f620622d5774b6febdd55e9931a8a7722e7292a8d75cfab3c67dd7

SHA512
c0b40482d63b44be20462e81951cc80a130b87575e8552293c23119dfa53a3db7f8a8a03122bf72129704a24226b9e8fd168f274dd9d2176893b3d4ae9c9eb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\idfoca.exe

Filesize
446KB

MD5
f3d887e820f343c6dcb590adb3d06456

SHA1
768b7863ac0a6acbfcf1af09d6a6113d7d3b978a

SHA256
392fffeaddb1f1a16bbbe46541eaa273f65cb9061599b72137b47385f6c27a04

SHA512
456575d1f805a8b09ae87d95486970d73ef991d679f359f6f7fd5db2608ea1fdf36abeda34c0190bb532a39915ec072d4f5c4e65d9e8b1ea83a2c5f245ba089c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tehos.exe

Filesize
223KB

MD5
f2081d233486e2cbbd3d0b39d43b825a

SHA1
8ef3639884190de3d092254d4148a3bbb30c7e4f

SHA256
87db05f636421f296cc7a8bd2ed2e3c1237b5b478161d0052803ee49b76e9e7f

SHA512
9054c22c049aa2d21c17862c318cc3331d5630af312471362d891410561a73400736ada0068659240647924d1dc300cb2df4496a789dc7e12d32201175b5c26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tylow.exe

Filesize
446KB

MD5
fd65e539ec8709203c44524c6b25e0f8

SHA1
4c9b0a73f136846825f165a7545abfcb623eb774

SHA256
c7f6bbd0319be66a78e1b14f6505af35f414a7eb0db71d768a788e53843e48bb

SHA512
0b5befc3e6ee25bd85dc0e1eff88cb85b172c4fa179f086aab42553c98e670150fa1886d790ab94e49027fbb6864c79e89095228cf849d735f164e02ea91f409

Download Submit
memory/872-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2584-36-0x0000000000790000-0x0000000000830000-memory.dmp

Filesize
640KB

Download
memory/2584-41-0x0000000000790000-0x0000000000830000-memory.dmp

Filesize
640KB

Download
memory/2584-42-0x0000000000790000-0x0000000000830000-memory.dmp

Filesize
640KB

Download
memory/2912-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2912-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3196-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3196-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads