urelas | 4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703f

General

Target

4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe
Size

333KB
MD5

af649e88296ceb9e1d695358491cc750
SHA1

830da14bc248fa18205b5a0cbdb812734ca69b58
SHA256

4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703f
SHA512

95bf144918ca6ccbfb7d9598f8f35e466cc92231c2cdf83675fc95ef5c75a56024f3148801850e4acf64ba7e00d361db3edf0aece87dcb27c3e57e623e57190a
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYPy:vHW138/iXWlK885rKlGSekcj66ciz

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	zixut.exe

Executes dropped EXE 2 IoCs

pid	Process
2240	zixut.exe
4908	ikduw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ikduw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zixut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe
4908	ikduw.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 2240	3968	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	88
PID 3968 wrote to memory of 2240	3968	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	88
PID 3968 wrote to memory of 2240	3968	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	88
PID 3968 wrote to memory of 2200	3968	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	89
PID 3968 wrote to memory of 2200	3968	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	89
PID 3968 wrote to memory of 2200	3968	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	89
PID 2240 wrote to memory of 4908	2240	zixut.exe	102
PID 2240 wrote to memory of 4908	2240	zixut.exe	102
PID 2240 wrote to memory of 4908	2240	zixut.exe	102

C:\Users\Admin\AppData\Local\Temp\4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe
"C:\Users\Admin\AppData\Local\Temp\4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\AppData\Local\Temp\zixut.exe
  "C:\Users\Admin\AppData\Local\Temp\zixut.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\ikduw.exe
    "C:\Users\Admin\AppData\Local\Temp\ikduw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
51eb60591001633f51a3690f0d69b21c

SHA1
2c5ab7a2e840ff3b4a81c85dd668ff6908dd31b3

SHA256
00b3935a5e5c00cc5640df9e92aa90903353835e2e1371adcd507be48aa3bdf7

SHA512
de8273739713c511957d81e151d4109d17a9d7d6f5322bf166869ad8a8f90d38b96586523009d6bcf425c257709131de69a0fbbb99209b533eb330c73836a217

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4b55f51e62ff3a83914be283fe17174b

SHA1
6da88a2c0c6bb8c7cefc02444ca9a1bf10838fc7

SHA256
6ae8a9413531e3135b816faa76ec2f36c74f6d4965c5212089980e18346c1b0d

SHA512
f7134c517d5c56451cddd8ef9175e564719e4070758fa519e25ad8a4e69369c6ea1ef0a462a6f0d17da4a563a5c6b98fa07faeb1537869fe6333668b1fcce367

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikduw.exe

Filesize
172KB

MD5
80efd46e93049ea7417a41d6d5abdfa6

SHA1
faf4d8fa78c38c5022a8f977bc4d619b824a02af

SHA256
fad95f366e86638a8150a98c0df946ea0099c32fe9ab61d861f777c804d308f9

SHA512
51cbdbd9362e05ac48a9de00f5281f65d85c6eb6137de2ce37025003b37ac6eeb64a5a5c066190c34ec9ed116b6b5703515f3d4276a1fa769e941f06716eb1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zixut.exe

Filesize
333KB

MD5
167cfd11e1c73fb74ed4a1832401d287

SHA1
26949522c2d3d44756ff7351622b63d83681d6ea

SHA256
db210e95a2417d059f721ad15a521946558c0970b962c2ba2e86702ed7b20818

SHA512
b439ef7fd68595961eb7c787a59839fca645e3eb8d9d8cb0768b8937d9cc6caf9d316511558ee66a0f2dcb7744cc082e9def55057d596c21bd24c388cf115e78

Download Submit
memory/2240-20-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2240-19-0x0000000000C10000-0x0000000000C91000-memory.dmp

Filesize
516KB

Download
memory/2240-14-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2240-10-0x0000000000C10000-0x0000000000C91000-memory.dmp

Filesize
516KB

Download
memory/2240-40-0x0000000000C10000-0x0000000000C91000-memory.dmp

Filesize
516KB

Download
memory/3968-0-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/3968-1-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/3968-16-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/4908-38-0x0000000000BD0000-0x0000000000BD2000-memory.dmp

Filesize
8KB

Download
memory/4908-37-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/4908-41-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/4908-46-0x0000000000BD0000-0x0000000000BD2000-memory.dmp

Filesize
8KB

Download
memory/4908-45-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/4908-47-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing