urelas | 6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212

General

Target

6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe
Size

328KB
MD5

7646c1e5540b53630c342928851a28c0
SHA1

9b239e2e0d68cfe01f5e21d20f6d7d41bf41ef2e
SHA256

6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212
SHA512

95a237a843b8872cccbb10054d12e890dadd2d9d282986591626bc3be4eb5ede3e21dd2518c88891328ed99ac9fab1e22bc5659d4ccc142df84c91616059e1ba
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOj:vHW138/iXWlK885rKlGSekcj66cis

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	xuapl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe

Executes dropped EXE 2 IoCs

pid	Process
4800	xuapl.exe
4308	hatoc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xuapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hatoc.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe
4308	hatoc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 4800	3892	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe	88
PID 3892 wrote to memory of 4800	3892	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe	88
PID 3892 wrote to memory of 4800	3892	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe	88
PID 3892 wrote to memory of 2292	3892	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe	89
PID 3892 wrote to memory of 2292	3892	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe	89
PID 3892 wrote to memory of 2292	3892	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe	89
PID 4800 wrote to memory of 4308	4800	xuapl.exe	100
PID 4800 wrote to memory of 4308	4800	xuapl.exe	100
PID 4800 wrote to memory of 4308	4800	xuapl.exe	100

C:\Users\Admin\AppData\Local\Temp\6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe
"C:\Users\Admin\AppData\Local\Temp\6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\xuapl.exe
  "C:\Users\Admin\AppData\Local\Temp\xuapl.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\hatoc.exe
    "C:\Users\Admin\AppData\Local\Temp\hatoc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b3de8c3cbc5365cca538e677c4951db5

SHA1
088067f953683a8de15d76251021c4bea47a14b7

SHA256
6fdff3846b767e3e609cd86f595522b7be7c6477a55c482a83a8b8560e895bab

SHA512
7f8d66df21ac9fe781243a9d58f14a732cdb995aa2e1734e81fa018fbe9e374de6d56b473a3e4f67a14ccdefbd79c57fdd6292599346bcd70942e22fa667f0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ccf67515a20dd0f2525d3b59294b4abb

SHA1
bb56e60ae1855a536d2984ba3164be5efcd696c7

SHA256
0794c72956245b4141813cbc3b2647f63c6c6d5a26b9b2683b1ae52970c8b923

SHA512
c245627b06f9a3e51ee3cea0856a71698a2b0779088b599e6c5015d0f5bb1aba50a9b885abe5a0fb1f7e424dc45c5d817c6b334568bf2240c0495a20cd149bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hatoc.exe

Filesize
172KB

MD5
0d4f1df5d247397f185ca3a7b92dfb91

SHA1
ba97553b4c24cf8569436e75b966a8e94381327b

SHA256
d94b197f731b80ec1ae1b30843ed247c945c584df2203e0b402c68fbb805a483

SHA512
11c1075a3b7b56d9cbb0e550972ebbf7aa0e6d8e52c1b8be3df1c5c1e062a71578776c34190288381ea0a495f37bcf910cfd5210843b48df1f18345f8b44793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuapl.exe

Filesize
328KB

MD5
b3b0daed7aeb99dce725c71799127dd5

SHA1
c4f609f9a3cb0bb39ff6703c315cce42e295c4a7

SHA256
44fa2bab0ea07e2c0152f7c2f032aafeb885a3d4b92efbfb3485658d05936337

SHA512
b8e17e453263c8d5f4b58f73a859a057a7db7e45b6e2d23cc34fed843b9799037f6e1ba7492021e1f409eb3d9430370d67bda7d52468ffbbf4eeb9c4d6e376cd

Download Submit
memory/3892-0-0x0000000000330000-0x00000000003B1000-memory.dmp

Filesize
516KB

Download
memory/3892-17-0x0000000000330000-0x00000000003B1000-memory.dmp

Filesize
516KB

Download
memory/3892-1-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/4308-47-0x0000000000C70000-0x0000000000D09000-memory.dmp

Filesize
612KB

Download
memory/4308-45-0x0000000000C70000-0x0000000000D09000-memory.dmp

Filesize
612KB

Download
memory/4308-46-0x0000000001370000-0x0000000001372000-memory.dmp

Filesize
8KB

Download
memory/4308-41-0x0000000000C70000-0x0000000000D09000-memory.dmp

Filesize
612KB

Download
memory/4308-38-0x0000000001370000-0x0000000001372000-memory.dmp

Filesize
8KB

Download
memory/4308-37-0x0000000000C70000-0x0000000000D09000-memory.dmp

Filesize
612KB

Download
memory/4800-14-0x0000000000210000-0x0000000000291000-memory.dmp

Filesize
516KB

Download
memory/4800-40-0x0000000000210000-0x0000000000291000-memory.dmp

Filesize
516KB

Download
memory/4800-20-0x0000000000210000-0x0000000000291000-memory.dmp

Filesize
516KB

Download
memory/4800-15-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing