urelas | f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ce

General

Target

f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe
Size

325KB
MD5

eab16fabf805f96807856a0c861691f0
SHA1

03ea520ecbb5f02f97319c69a6c733d03d4fb2c1
SHA256

f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ce
SHA512

2b8cf1ba430c18afb23b7ccb66d6f5ff999714d06437c363d306a220892413ee73f1b2053620fe55ee6c5cbf6033990037723ae3dc58d29ef3dd55eae0e24388
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYI:vHW138/iXWlK885rKlGSekcj66ci5

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	sojir.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe

Executes dropped EXE 2 IoCs

pid	Process
2984	sojir.exe
2748	siomn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sojir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	siomn.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe
2748	siomn.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 2984	4008	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe	88
PID 4008 wrote to memory of 2984	4008	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe	88
PID 4008 wrote to memory of 2984	4008	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe	88
PID 4008 wrote to memory of 2764	4008	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe	89
PID 4008 wrote to memory of 2764	4008	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe	89
PID 4008 wrote to memory of 2764	4008	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe	89
PID 2984 wrote to memory of 2748	2984	sojir.exe	103
PID 2984 wrote to memory of 2748	2984	sojir.exe	103
PID 2984 wrote to memory of 2748	2984	sojir.exe	103

C:\Users\Admin\AppData\Local\Temp\f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe
"C:\Users\Admin\AppData\Local\Temp\f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Users\Admin\AppData\Local\Temp\sojir.exe
  "C:\Users\Admin\AppData\Local\Temp\sojir.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\siomn.exe
    "C:\Users\Admin\AppData\Local\Temp\siomn.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
ebdf1267d2e6846a1f521c8f1b6f74ca

SHA1
219b98873404f0a8ceb431fcbb903a317f23ab28

SHA256
055aedc76fce6d5aa59a0768f1e6345449751ebfa6c393f5399b3ffc805648ec

SHA512
449066aa1893658791bfb9b41aabcbaa1c0506041b062abda45c251d94f90478d533796f8352d3edd1bd4d0caa5c8044a8d4a539967315715eca69ca0614a669

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e64a4ac5963e319a99438332e2107348

SHA1
6cd46d96c60dd006c140ada25c84e6311eceb666

SHA256
6797c6c2273952b9a4f1084888eb3a9218e9943fa7675e640bf8c5c6430af551

SHA512
2d24e5a1dc161019f0da7f85b31dc764951e94d7c9b50d0f15c69d288407da387b7d67f07976417e29abf6d7ee9d11812d75983b5c33ba3524dbaf70c2ca9b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\siomn.exe

Filesize
172KB

MD5
070333de261017ed9ef225ecec3c0db2

SHA1
4ccb7f308d285dde2f13f60ce540bc62392010a2

SHA256
d3f562069f8bcbb6775c936127d758661fa83da21bbeb06541ae2fcdb0197f6e

SHA512
3edcf321c9a937689600e8f7a0ff948726fed35b01325d6bcaf4f3c83533c28eaf0b6a9a369f03e79514a16989fb566259b77d8eae11da99959e38867227f829

Download Submit
C:\Users\Admin\AppData\Local\Temp\sojir.exe

Filesize
325KB

MD5
52107d8dbd434b4f2554f43299c3445c

SHA1
21380e2a0123f6e19ced36e29c09111999658beb

SHA256
4d1195e64187327765aefb2c9842d3ba3af902e692ba06868e2e500ff69b1ab7

SHA512
8a64c0c41fd6a70b5c4f21b2352d8f1a2ce30bcdc40f53d8e8327e118a464fcf75b9dfba98a7e53180c6ed5c37ff08ade52c5af0c1ad6993594058e0da1241bf

Download Submit
memory/2748-47-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/2748-46-0x0000000000B20000-0x0000000000B22000-memory.dmp

Filesize
8KB

Download
memory/2748-45-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/2748-37-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/2748-41-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/2748-38-0x0000000000B20000-0x0000000000B22000-memory.dmp

Filesize
8KB

Download
memory/2984-14-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2984-20-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2984-19-0x0000000000EE0000-0x0000000000F61000-memory.dmp

Filesize
516KB

Download
memory/2984-40-0x0000000000EE0000-0x0000000000F61000-memory.dmp

Filesize
516KB

Download
memory/2984-13-0x0000000000EE0000-0x0000000000F61000-memory.dmp

Filesize
516KB

Download
memory/4008-16-0x0000000000C70000-0x0000000000CF1000-memory.dmp

Filesize
516KB

Download
memory/4008-0-0x0000000000C70000-0x0000000000CF1000-memory.dmp

Filesize
516KB

Download
memory/4008-1-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing