urelas | 083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0e

General

Target

083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe
Size

535KB
MD5

a9a26bab1a8605aadb5e6cc177df9300
SHA1

90256a8a70cb8b4d48bce16e9ccd93349f206d8f
SHA256

083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0e
SHA512

614485e8750052eefe509971fa2e0b9a426c88b231d1322fe84048fb211148282f713d83e6edc140ef25cd69f8b88c692c72ed7ab463d2a19726b470f3fc63b8
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPK:q0P/k4lb2wKatK

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	uzcob.exe

Executes dropped EXE 2 IoCs

pid	Process
4692	uzcob.exe
5060	vokub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzcob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vokub.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe
5060	vokub.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4692	4888	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe	87
PID 4888 wrote to memory of 4692	4888	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe	87
PID 4888 wrote to memory of 4692	4888	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe	87
PID 4888 wrote to memory of 3628	4888	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe	88
PID 4888 wrote to memory of 3628	4888	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe	88
PID 4888 wrote to memory of 3628	4888	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe	88
PID 4692 wrote to memory of 5060	4692	uzcob.exe	107
PID 4692 wrote to memory of 5060	4692	uzcob.exe	107
PID 4692 wrote to memory of 5060	4692	uzcob.exe	107

C:\Users\Admin\AppData\Local\Temp\083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe
"C:\Users\Admin\AppData\Local\Temp\083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\uzcob.exe
  "C:\Users\Admin\AppData\Local\Temp\uzcob.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\vokub.exe
    "C:\Users\Admin\AppData\Local\Temp\vokub.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
e225c057d30eada45a10d1267c39f94a

SHA1
b63bfbde9a619357cff7bb27b16622c32e6f4981

SHA256
81c1b3dc48af46abf39174c16d338a87f249345362d9253324c54eba2ea4515d

SHA512
8b51a227341a8ab5e5756acbdb1214dbcced44d906bed0f1256784ab2c7e6362a8b850437f4e7b202ffda6f549afa7c29b11aa8019e30935756f074bcf849366

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ac6216929c52754cf34f5fe6c01ee82f

SHA1
ebf5aa80b57044f61837265a9f9c7da21da922d0

SHA256
cf84c4b060bb4634e69b43aa4418d04cc5cda55bd1e1e79375890b26f51969d5

SHA512
3b19eac822df613719aadd203a0ada5f614ecc39c6b72a8c42aa5c015a760f01c8790e04de00cb6333718c94ce5bfbd498c7336460b108231e906c4d25b75c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzcob.exe

Filesize
535KB

MD5
bd4fa71e9a183ee15349bce949431a05

SHA1
df3e936eb603c931f1babd7e845ec503e931307d

SHA256
db0092c481081de0e52443d27609cada5cd5552e8afb52182debe6b1cbf8c837

SHA512
ca63241b9646c5deb0c6d3f239d44be86387c97a501db79dba407453b5cb55d43fa6bd2873cda96971f9559b31608c491b531fc23898931cf7ffb6019f6d049c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vokub.exe

Filesize
236KB

MD5
b756b5c99e0ded93b3fc67bc884af280

SHA1
c646c43c327b8e42290b639bb8db63db30b758f0

SHA256
89cf979b586215eaf08944c265b8b909d758e77107d0de9e84784ae003b3bc37

SHA512
fa8a70ddc73110063a92248000aa07762b7e643fd5d51a488a1cf65576dccf29c67c5b512d684bf07a8955c53ae85c2720cdd1b5c5b24cf49878cc42f1c31343

Download Submit
memory/4692-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4692-28-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4692-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4888-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4888-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5060-27-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/5060-26-0x00000000009C0000-0x0000000000A63000-memory.dmp

Filesize
652KB

Download
memory/5060-30-0x00000000009C0000-0x0000000000A63000-memory.dmp

Filesize
652KB

Download
memory/5060-31-0x00000000009C0000-0x0000000000A63000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing