urelas | 111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7

General

Target

111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe
Size

333KB
MD5

3e1dbcc7e3805d50b0a4c74f3e0adf00
SHA1

83830eb0f615665b0eade43144fbbfc8bc92178b
SHA256

111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7
SHA512

0d737ad20eb071e8c4da7a8a6915500bc8e1fd441274f8a27d4193beea033c1e859406442972ef8680444eeb143111ff7a53c56ec9ebb9f82b53e2e7721899ca
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYe:vHW138/iXWlK885rKlGSekcj66ci7

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	jeabv.exe

Executes dropped EXE 2 IoCs

pid	Process
1440	jeabv.exe
2036	koojf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	koojf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeabv.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe
2036	koojf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 1440	2092	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe	88
PID 2092 wrote to memory of 1440	2092	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe	88
PID 2092 wrote to memory of 1440	2092	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe	88
PID 2092 wrote to memory of 5068	2092	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe	89
PID 2092 wrote to memory of 5068	2092	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe	89
PID 2092 wrote to memory of 5068	2092	111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe	89
PID 1440 wrote to memory of 2036	1440	jeabv.exe	107
PID 1440 wrote to memory of 2036	1440	jeabv.exe	107
PID 1440 wrote to memory of 2036	1440	jeabv.exe	107

C:\Users\Admin\AppData\Local\Temp\111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe
"C:\Users\Admin\AppData\Local\Temp\111c0686d08c0ff0ecf08a7c0e54b9a48e67da9903bcc9b56763b57b7e7a04c7N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\jeabv.exe
  "C:\Users\Admin\AppData\Local\Temp\jeabv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\koojf.exe
    "C:\Users\Admin\AppData\Local\Temp\koojf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
e0ad251730094b81ce3f28e9c15484d1

SHA1
d22bea5a5f72b202e9f4d7f0accce4de1ffeb74a

SHA256
ea754f1ac13ad6ad9e1f65fdbfaa3cc549ef395a6e2bf273d75d1043491121cc

SHA512
c550231c0d52218ad5013c1b016906c50c1444bc6cc44ef6e6ae8baa502c4880c0304bc6f87ce83b61112a242ac73aebe109af6d21b5db3e170e6824cf40967f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6d4aaf7ce3d082339c4daea06248b6fd

SHA1
e3181e8cbb2cef00ff5b196b554100838ce1b883

SHA256
a409e2f7395a3113554eb758c4f89ec6d425f64aae3d61be3eef79a8fa28da75

SHA512
f40b79014134c416f017eb48e9941fa8977c2ff14ed789cebcb1731605f911bf6f1f7e58c82892d529a5e9fa05b3b779adfad82b36b6276064b323a899094874

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeabv.exe

Filesize
333KB

MD5
850fafc69fad78520540e753428c85b2

SHA1
4cfce6ce31623e6789b81392c4a33bbd3bd41108

SHA256
da4cec7a204c16ec0909cdf30989bdeda6f010ceb12dfd037ad96533c2a6fdef

SHA512
8d1bdc6ccab2dbeed185cb5d66c55d01903114020d7ce4f880c731c7353708ad80998da3f5dfbb5b2eaa3dbd9831809c858086f936c50365f0bdc2c577eaa374

Download Submit
C:\Users\Admin\AppData\Local\Temp\koojf.exe

Filesize
172KB

MD5
e367eb1774cf7b0216ed8d90fdbfe27d

SHA1
06c3b7a24e6b4b040de84d43ba82fee5e1b376b9

SHA256
d730463caad58046826399eaf0f15751de6270c360c65ccaa87b1dc5ce4548be

SHA512
7b0fbbc3d1fab4fe793fd1fa12b491bb729912162ec147c174d8693d027aafb4f123e0003a8f0d3c18bbb5d7c0427c56c3e6fd32240482229f03cd566634bbba

Download Submit
memory/1440-20-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1440-21-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download
memory/1440-12-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download
memory/1440-13-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1440-41-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download
memory/2036-42-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download
memory/2036-39-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2036-38-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download
memory/2036-47-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2036-46-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download
memory/2036-48-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download
memory/2092-1-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2092-0-0x0000000000A50000-0x0000000000AD1000-memory.dmp

Filesize
516KB

Download
memory/2092-17-0x0000000000A50000-0x0000000000AD1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing