urelas | 105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2

General

Target

105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe
Size

333KB
MD5

6d61e7016b9e79cdbf94a20528deb790
SHA1

72cfd35595e436fc26b396829865860a6033d16e
SHA256

105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2
SHA512

3a4a566107d6fd420ed9a698f15fd7f21b87b7346bbc5bc60418a746cf610e9acd51cedc5967334203ef85b357bbb46fba1382d304ea79aed2dd3ef817474259
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYP1:vHW138/iXWlK885rKlGSekcj66ciU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	miajh.exe

Executes dropped EXE 2 IoCs

pid	Process
1892	miajh.exe
4624	otlil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	otlil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	miajh.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe
4624	otlil.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 1892	5016	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe	88
PID 5016 wrote to memory of 1892	5016	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe	88
PID 5016 wrote to memory of 1892	5016	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe	88
PID 5016 wrote to memory of 4492	5016	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe	89
PID 5016 wrote to memory of 4492	5016	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe	89
PID 5016 wrote to memory of 4492	5016	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe	89
PID 1892 wrote to memory of 4624	1892	miajh.exe	108
PID 1892 wrote to memory of 4624	1892	miajh.exe	108
PID 1892 wrote to memory of 4624	1892	miajh.exe	108

C:\Users\Admin\AppData\Local\Temp\105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe
"C:\Users\Admin\AppData\Local\Temp\105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\miajh.exe
  "C:\Users\Admin\AppData\Local\Temp\miajh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\otlil.exe
    "C:\Users\Admin\AppData\Local\Temp\otlil.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
441c87551637a84f08ae74cd4c8c9286

SHA1
bff75f032dd3f7a6d5d6be25c133863eddb72160

SHA256
5fced4c18367383971f8c5e943107bb8862067f337b52276d78173c5067506ce

SHA512
0ea48323913dffac9ce728c0461c85388b2a7cd6369aa74be75ededb90b772e6cbd3b5c2f8b49202f8599b206379dd944bec1e26b3c6a1ae59e8f77356793718

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
48012d7024fa7cf87b63ef2ca8006c79

SHA1
544f08ed5381ed2de1ed6b0d3003565227f132de

SHA256
24c5daa49591f1571e709feb480161957b6fa725a7817c9785ff06c999d2b2d6

SHA512
7d29dd241f3cb621183fb0c38bd3371cca46bced08bf2e3b0403f86a09662277c28c6153b0bd2f5853106ff33db73fb91bd38b60781bcbe0fbab760137de9a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\miajh.exe

Filesize
333KB

MD5
9279b9097feea5dc19cf2176c0f42907

SHA1
c81f4c5e0c00d8cb89d0fb4dc43a48ed78b596f1

SHA256
2f6a1df971c0a9ba7178869088710bad02f583de2047a3015a190889d308c130

SHA512
1cad93e1266b986704f9f868101a417d396beeab46ba1f4273b2384fb423f5e0ede855b5afd14eb7f6c4ec6ec500c21c2483fb3f12e5a1e1c06445c6bd90024f

Download Submit
C:\Users\Admin\AppData\Local\Temp\otlil.exe

Filesize
172KB

MD5
78ce1dcc217984e89b22c2d6f0c54567

SHA1
93d12dd8f7c9b033da12362a9c75d9236e38d747

SHA256
52ea791391e06a5f409ec707023e377a5f1244fd4bff651458d0785c3f1aa540

SHA512
31e2694cc544605b78b6515350c153ac1929b7ef149a2914b219f2c948c214a41c605e31512c8f606a65765605ab0996954d8479d3c5b196c855d061528b2df6

Download Submit
memory/1892-20-0x0000000000620000-0x00000000006A1000-memory.dmp

Filesize
516KB

Download
memory/1892-13-0x0000000000620000-0x00000000006A1000-memory.dmp

Filesize
516KB

Download
memory/1892-14-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/1892-43-0x0000000000620000-0x00000000006A1000-memory.dmp

Filesize
516KB

Download
memory/4624-38-0x0000000000C50000-0x0000000000C52000-memory.dmp

Filesize
8KB

Download
memory/4624-40-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/4624-37-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/4624-45-0x0000000000C50000-0x0000000000C52000-memory.dmp

Filesize
8KB

Download
memory/4624-46-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/4624-47-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/5016-17-0x0000000000740000-0x00000000007C1000-memory.dmp

Filesize
516KB

Download
memory/5016-0-0x0000000000740000-0x00000000007C1000-memory.dmp

Filesize
516KB

Download
memory/5016-1-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing