urelas | ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996

General

Target

ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe
Size

501KB
MD5

0310c3acb1be722cb0b048edf61a5ce0
SHA1

8babab2d4ebd61b02dd6d5f924bfd8ffc0ea53e8
SHA256

ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996
SHA512

992c8a167f92703d713801f16fa663d4c09b7738daa2772c9022b313a2a59cdc78a6c280d1025fc939cd21bc94d7b1c6a442a62ca03d87511cbb49045cfe25da
SSDEEP

12288:Po7CGWcQSyYI2VrFKH5RBv9AQ1pEDdK5x:PMUv2LAv9AQ1p4dKP

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	seruh.exe

Executes dropped EXE 2 IoCs

pid	Process
4992	seruh.exe
4716	yqavu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	seruh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqavu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe
4716	yqavu.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 4992	4196	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe	89
PID 4196 wrote to memory of 4992	4196	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe	89
PID 4196 wrote to memory of 4992	4196	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe	89
PID 4196 wrote to memory of 5024	4196	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe	90
PID 4196 wrote to memory of 5024	4196	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe	90
PID 4196 wrote to memory of 5024	4196	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe	90
PID 4992 wrote to memory of 4716	4992	seruh.exe	109
PID 4992 wrote to memory of 4716	4992	seruh.exe	109
PID 4992 wrote to memory of 4716	4992	seruh.exe	109

C:\Users\Admin\AppData\Local\Temp\ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe
"C:\Users\Admin\AppData\Local\Temp\ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\AppData\Local\Temp\seruh.exe
  "C:\Users\Admin\AppData\Local\Temp\seruh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\yqavu.exe
    "C:\Users\Admin\AppData\Local\Temp\yqavu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
459e67ab583254efa0f2fd6fcf68aaa2

SHA1
5c67094251985ca81dfd4c8f8d1bc149f031da5d

SHA256
930d7373de8162e8e3efb332b5f71d38b37bce6da2ea3af9dd064987413b7605

SHA512
cc453185a80307325388d2a335e96b8f22cd928b76b841c418190054667838951068508123449c508ec9cb6cdc81ba167f534ce1750539fc0a588b68d26faa20

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
30e944624ab2fd67fdae3fcbff3fc4a1

SHA1
1032a8004b7e7d36e9ca7b5e7e377d4bda864d0b

SHA256
3aa989c1d8b9b12aa61e0ef706d7c707eb844175f52caa6f35527221d0237757

SHA512
0c58afc7fbcf41a0da7f79b84e89af17596c29db0fef744e09f45a4e29595a976a731fbaca6b71e04ff9ec5fb437fbcd7ba63694493a612f8c0d30794cd96f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\seruh.exe

Filesize
501KB

MD5
6865d989dd94cb69d558aac1c85e13f5

SHA1
3a77473286348ea27d2bf628847f77b96ddaf52c

SHA256
6c02fd89cb3e6926613c779e3fdc67f02cf94cc4b9c1e73db3457428903f5580

SHA512
ce6af58c473f194d26afe54553fc6452e5b841b4cdce7574986d10aca081e1c25c100ffd51d3858d4311fd4cf20ef102845caecb1c337aea982cdb57c265169b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqavu.exe

Filesize
172KB

MD5
12813d22647686c226139478a74b1a9c

SHA1
8f65368a8d1a02c5d59ba54d038e64d924ac8d27

SHA256
a5ca333e9a1d9294f4cf422dfb4a142a6cb87383ab82499b6556db639a8cb5a0

SHA512
e59348b7dfb194d75913d4d92def565055c5d3f9cc4c02ba9af716f51a96c6413c60bb31d708ce1e77a6653709f195ff1704cf7ffd30abec1f496aa7ceeb5fc2

Download Submit
memory/4196-0-0x0000000000CB0000-0x0000000000D31000-memory.dmp

Filesize
516KB

Download
memory/4196-14-0x0000000000CB0000-0x0000000000D31000-memory.dmp

Filesize
516KB

Download
memory/4716-27-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/4716-26-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/4716-28-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/4716-34-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/4716-33-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/4716-35-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/4992-17-0x0000000000960000-0x00000000009E1000-memory.dmp

Filesize
516KB

Download
memory/4992-10-0x0000000000960000-0x00000000009E1000-memory.dmp

Filesize
516KB

Download
memory/4992-31-0x0000000000960000-0x00000000009E1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing