urelas | 576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6

General

Target

576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe
Size

334KB
MD5

c8bad9053e92de4f01b9f1ec020320c0
SHA1

03946e22d4ad01c409006b058cb6b01e83e4bc7f
SHA256

576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6
SHA512

b3dee39c5f133119e01e9a4d5fb0b8d1d6bd6b0ac4b5c295999f314bd50d6765139e042ca9577d1cf83ba202dbdf08300ffa8e67293c0e0753ae6e21c09bdeb7
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYPf:vHW138/iXWlK885rKlGSekcj66ciG

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	jyqof.exe

Executes dropped EXE 2 IoCs

pid	Process
2636	jyqof.exe
1812	nowue.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jyqof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nowue.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe
1812	nowue.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2636	2852	576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe	88
PID 2852 wrote to memory of 2636	2852	576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe	88
PID 2852 wrote to memory of 2636	2852	576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe	88
PID 2852 wrote to memory of 4856	2852	576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe	89
PID 2852 wrote to memory of 4856	2852	576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe	89
PID 2852 wrote to memory of 4856	2852	576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe	89
PID 2636 wrote to memory of 1812	2636	jyqof.exe	107
PID 2636 wrote to memory of 1812	2636	jyqof.exe	107
PID 2636 wrote to memory of 1812	2636	jyqof.exe	107

C:\Users\Admin\AppData\Local\Temp\576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe
"C:\Users\Admin\AppData\Local\Temp\576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\jyqof.exe
  "C:\Users\Admin\AppData\Local\Temp\jyqof.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\nowue.exe
    "C:\Users\Admin\AppData\Local\Temp\nowue.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
7f5dc6735a805699f2b181d5c31dce1d

SHA1
c5f2435d44569565343f8aec06d45407e5f07d54

SHA256
c45fecdfb9d5563ee23b3d6cb6ea4b2e1d860284d4f4a00dc218cd32682b440f

SHA512
65a847606f6fd6f608fb4d99e5b8483e6d030c29345c97036f07fc3cf1b98d68c694cde27fd4f79ed36447c6d512c3af7ce5f9e11eff1b5deebb20dfcc0e801b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ae91de910d4205d6fdc04a63db04c00a

SHA1
acdfc98391b1866cda6acffc4b794e57bd68a2af

SHA256
9037f86405435262aa434b3422e202669dc0cb93bd68c7a7e207103bc22e9c51

SHA512
e43c1cb6c1a7ac9659cfa6086bda3c3e746e20e9aaf86511da165951564f141fe32c22df9d8c148c56f4b6ed85cd2132284b414ca8454345b81af636a7186fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyqof.exe

Filesize
334KB

MD5
faee1fa7cf0cd17a14f41d666b6d4071

SHA1
8766f5a324e0819cfdc2aee13f55d4b5fab2a17b

SHA256
6bdeb9766e97ce49bd234f722a283466f3b1e2fa0d4bad131b1b8ec28e470912

SHA512
8e66a8b0b0925ab8c1fca61d224e128dc5fb2426a9038094442e2caebd767f67b1e708b792470ca40e20f7b00bc28c95fd83edfbf94713e6c3103afa773f7f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nowue.exe

Filesize
172KB

MD5
0addb9474b95a09f9ac2c868ac87ad97

SHA1
2d78403a2f96d8a6c6940d66422551dad8064746

SHA256
0e6c8ce4b7d1dab923c7b157b85f57ffb4b5c026d4808dff1c648defdfef0bf5

SHA512
5b949b175dc88bd5e80332b5a68080554dc84dc381e85fe802e9bf1c8659c80e3851e7f9cdc854f3cec672d4058394c44df48d0313b991a4bf7b695c30e023d8

Download Submit
memory/1812-38-0x0000000000E60000-0x0000000000E62000-memory.dmp

Filesize
8KB

Download
memory/1812-47-0x0000000000720000-0x00000000007B9000-memory.dmp

Filesize
612KB

Download
memory/1812-46-0x0000000000720000-0x00000000007B9000-memory.dmp

Filesize
612KB

Download
memory/1812-45-0x0000000000E60000-0x0000000000E62000-memory.dmp

Filesize
8KB

Download
memory/1812-41-0x0000000000720000-0x00000000007B9000-memory.dmp

Filesize
612KB

Download
memory/1812-37-0x0000000000720000-0x00000000007B9000-memory.dmp

Filesize
612KB

Download
memory/2636-20-0x0000000000BA0000-0x0000000000C21000-memory.dmp

Filesize
516KB

Download
memory/2636-40-0x0000000000BA0000-0x0000000000C21000-memory.dmp

Filesize
516KB

Download
memory/2636-13-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2636-11-0x0000000000BA0000-0x0000000000C21000-memory.dmp

Filesize
516KB

Download
memory/2852-0-0x0000000000940000-0x00000000009C1000-memory.dmp

Filesize
516KB

Download
memory/2852-17-0x0000000000940000-0x00000000009C1000-memory.dmp

Filesize
516KB

Download
memory/2852-1-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing