urelas | d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127

General

Target

d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe
Size

402KB
MD5

4b72cb7dd2593e7d26485ab3f41c24e0
SHA1

3e9703abf1d2466afcb8ad4a67251702e4f7ad89
SHA256

d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127
SHA512

1c620ede140af2d52e170c763be53a2ffc3fd3ed378e45ad234b5ad8d22521d2083ba1cf644b7c6613dc0bcc42a87ae18b8a3384f52f7b7ba5026ece9a924dd3
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohCq:8IfBoDWoyFblU6hAJQnO1

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

usmiva.exed81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exemuruh.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	usmiva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	muruh.exe

Executes dropped EXE 3 IoCs

Processes:

muruh.exeusmiva.exeqouzf.exe

pid	Process
4688	muruh.exe
4160	usmiva.exe
2408	qouzf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

muruh.execmd.exeusmiva.exeqouzf.execmd.exed81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muruh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usmiva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qouzf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

qouzf.exe

pid	Process
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe
2408	qouzf.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exemuruh.exeusmiva.exe

description	pid	Process	procid_target
PID 4832 wrote to memory of 4688	4832	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe	84
PID 4832 wrote to memory of 4688	4832	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe	84
PID 4832 wrote to memory of 4688	4832	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe	84
PID 4832 wrote to memory of 2188	4832	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe	85
PID 4832 wrote to memory of 2188	4832	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe	85
PID 4832 wrote to memory of 2188	4832	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe	85
PID 4688 wrote to memory of 4160	4688	muruh.exe	88
PID 4688 wrote to memory of 4160	4688	muruh.exe	88
PID 4688 wrote to memory of 4160	4688	muruh.exe	88
PID 4160 wrote to memory of 2408	4160	usmiva.exe	103
PID 4160 wrote to memory of 2408	4160	usmiva.exe	103
PID 4160 wrote to memory of 2408	4160	usmiva.exe	103
PID 4160 wrote to memory of 4404	4160	usmiva.exe	104
PID 4160 wrote to memory of 4404	4160	usmiva.exe	104
PID 4160 wrote to memory of 4404	4160	usmiva.exe	104

C:\Users\Admin\AppData\Local\Temp\d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe
"C:\Users\Admin\AppData\Local\Temp\d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\muruh.exe
  "C:\Users\Admin\AppData\Local\Temp\muruh.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\usmiva.exe
    "C:\Users\Admin\AppData\Local\Temp\usmiva.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\qouzf.exe
      "C:\Users\Admin\AppData\Local\Temp\qouzf.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
70c8f54bc0284daac5552014baa05ae3

SHA1
61c00780d14c91ab95f10637f045b87c55e17796

SHA256
97e8a3cd26cbc692a7f4737c254d39bf0ca289b25748221b8d0b9bdcd9e1442b

SHA512
bcc826b7fea701abd303d6aa9f140eaf8fefa04171b58ffe43879e49d4ef9d990ff1838d8cbb7158a52f89fdea10cd1936ad3b3ce1b7d8cbeeae05d236c926cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
f94c012ff4e5fa45f55778df0f3feeb2

SHA1
680b6eefb7a88dadd16a38e25456e8a14a133a76

SHA256
93a0c638363865382e9c9eaf61e37fc2dfe2840c292a69e53403ec07ef270bb8

SHA512
c4b789b0b23e8386d6529ed68ee00c040219bc9e5fb0813f531a475901fcd19804fbc2fce9090a313d8e92468538d9eed67cc94d7cdec09db2e065d52aa85b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
09f1f06a8a17b6edefc482b9ab19faaf

SHA1
546d248b50d4c5f27a8f65429a70eb769970d38c

SHA256
e792e91ab5ac2f329e066246f4a8db1383d484cd564f19f2730ab8bb4f8cbf90

SHA512
1a5ba453b7de8761b848d11d5e1a6014ae52e6b2043a6571127c7b49c8922150bfdf93b1c5c0d41040c0734eb5d7bdde5b017769057dd3e66afb0119a358d46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\muruh.exe

Filesize
402KB

MD5
5577f40377005aefd1e29ef443271daf

SHA1
06eb9052a08cdcf30e09a27751ed9597d591b358

SHA256
8d0a50420fdef87d44140c4f926068d00b9cd2262b022698cca3315639e58090

SHA512
83d297696572da97ee975cb1cdd2b0a9cf883f638020945a6f8b4345c2eeeef74a29be578c68689c69afaecc68ed523f869e5f4c9f8043635959f2b98ddbe02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qouzf.exe

Filesize
223KB

MD5
758ddd6f23906c5905d2a177c407b20b

SHA1
0cab7b81d9a64c05fdff339e4d3960b9cf3b0d46

SHA256
864a1f240206685cb3414d7b395965aaf76f2e393053159ba7218f3f68534d64

SHA512
bdee255c40d379e4ab54a53fe693bbc5e4b2bd5bb9942b1769f8fc318c5cadc332bbedb6e64dbfddecd19164112a772a0d5050afe6c001634d5c4e4079488581

Download Submit
C:\Users\Admin\AppData\Local\Temp\usmiva.exe

Filesize
402KB

MD5
c80f7826dc1c5f90fd3bf3dd6e5c49d9

SHA1
cc73d8db05df08ae1f63e0161af2ad31e2ed83c9

SHA256
d5b5ec5eea4b71099a3e9592a5e0e3fd18a0fd5b36153a337b6d6172b733f040

SHA512
06766b7aee4e445e215e8be781db92f25c8202afed3576b21551534fb799454a3c3b22549d509883da27c6d0dba04bd23f814afff9fa3f7b25a835d230f874ed

Download Submit
memory/2408-44-0x00000000006E0000-0x0000000000780000-memory.dmp

Filesize
640KB

Download
memory/2408-43-0x00000000006E0000-0x0000000000780000-memory.dmp

Filesize
640KB

Download
memory/2408-38-0x00000000006E0000-0x0000000000780000-memory.dmp

Filesize
640KB

Download
memory/4160-40-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4160-27-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4160-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4688-26-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4688-14-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4832-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4832-16-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads