urelas | 13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398

General

Target

13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe
Size

332KB
MD5

d4dc0d308df5e95206a3996e1826e0f0
SHA1

11d31cdf3db5943ad568af9beb1ea22138a29ecf
SHA256

13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398
SHA512

3a12527907ea4a9a10bffb8401dc3218c58a29e7e0782bfde678b99f327dd5f99b506fef43e15d7927aea1e44515e14375f240226f22fff1e20ac5355234c092
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVj:vHW138/iXWlK885rKlGSekcj66ciEj

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	toegp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe

Executes dropped EXE 2 IoCs

pid	Process
3792	toegp.exe
1432	miixv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	miixv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toegp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe
1432	miixv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 3792	3000	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	87
PID 3000 wrote to memory of 3792	3000	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	87
PID 3000 wrote to memory of 3792	3000	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	87
PID 3000 wrote to memory of 1432	3000	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	88
PID 3000 wrote to memory of 1432	3000	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	88
PID 3000 wrote to memory of 1432	3000	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	88
PID 3792 wrote to memory of 1432	3792	toegp.exe	101
PID 3792 wrote to memory of 1432	3792	toegp.exe	101
PID 3792 wrote to memory of 1432	3792	toegp.exe	101

C:\Users\Admin\AppData\Local\Temp\13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe
"C:\Users\Admin\AppData\Local\Temp\13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\toegp.exe
  "C:\Users\Admin\AppData\Local\Temp\toegp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Users\Admin\AppData\Local\Temp\miixv.exe
    "C:\Users\Admin\AppData\Local\Temp\miixv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b894925e57c9f98debe0a09b905518fe

SHA1
68c2149448f56c2057df9ef76fd227a18b9d39bc

SHA256
8ffdf586ab3ce73a65dd5548babe3b33cc4fbd3a941fb975cd821a9027f42783

SHA512
0b97ccd3521fc66080efaf5e8b7249f6dd8fbfb993c1ad50bca12240d40a11f5f15251b21dbe8f8563d701d9481576d4c0df121ae58017e1fe3f845c38d22b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b23fd7848425837efb16cef891660668

SHA1
421cd41032a4031907834e21e7423d77019ec4b8

SHA256
c48c983c9a78c02d77c2eaea94864df0b9c29eede9308b0dbeb6cbe6bbdc3f38

SHA512
f12a6154b8d504982743bdbe3647eeefd788ecb114586d9700148b7f38cc4c69b290e861f0ca8c6adfb72d97b6bf8396ab5a50a3ee66426ffa9ee9f63e9ae89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\miixv.exe

Filesize
172KB

MD5
4c05e500151581350ee4acdf8ec2593f

SHA1
d017fef152b0e5ec14de9b497a4e7a70f5545d1f

SHA256
b4a8c21bccc1dd33b62426c080e192d532bc2ac38b8584ac4b2cdb1725fc405b

SHA512
932f05ebf6fca3a797cbaf329990143457266f2f1785c76c6a0425579855cbe9e2b13544ff2686daf8a6d5cc3b40a8bc2bea32917318a01c1820d131875ceec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\toegp.exe

Filesize
332KB

MD5
4b285a69a2bc0710e19485e1947c2eff

SHA1
64e96f1206f6f0e585667c254349c768335a340c

SHA256
7f60d605d53be201c29d9a5a24b8d0cde9181a0288c94d279f7e3ab1a567c6fd

SHA512
962f5cea4974d1541ba7c9b6cf13e8956008f847d6b0d54af490ecb4c620641379593767d9e96fcf36305fdfc115fd461fdd6e746cc7003409f74c681dcacdbc

Download Submit
memory/1432-47-0x0000000000520000-0x00000000005B9000-memory.dmp

Filesize
612KB

Download
memory/1432-45-0x0000000000520000-0x00000000005B9000-memory.dmp

Filesize
612KB

Download
memory/1432-41-0x0000000000520000-0x00000000005B9000-memory.dmp

Filesize
612KB

Download
memory/1432-38-0x0000000000470000-0x0000000000472000-memory.dmp

Filesize
8KB

Download
memory/1432-37-0x0000000000520000-0x00000000005B9000-memory.dmp

Filesize
612KB

Download
memory/1432-46-0x0000000000470000-0x0000000000472000-memory.dmp

Filesize
8KB

Download
memory/3000-17-0x0000000000770000-0x00000000007F1000-memory.dmp

Filesize
516KB

Download
memory/3000-1-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/3000-0-0x0000000000770000-0x00000000007F1000-memory.dmp

Filesize
516KB

Download
memory/3792-20-0x0000000000790000-0x0000000000811000-memory.dmp

Filesize
516KB

Download
memory/3792-40-0x0000000000790000-0x0000000000811000-memory.dmp

Filesize
516KB

Download
memory/3792-11-0x0000000000790000-0x0000000000811000-memory.dmp

Filesize
516KB

Download
memory/3792-14-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing