urelas | b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1

General

Target

b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe
Size

332KB
MD5

1024d773fc47520c1454b600cdfee860
SHA1

7cb1ce05b8c60995daa64416b925426f139ea134
SHA256

b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1
SHA512

60a3f88d1c6403e58d391bbb9534b06aa5c928b1fea3d62b39927dda85f4186b59b6b3ee709bcc8339ba2309a969fe3ecd281e43877068069c5f5391704e6a7c
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYi:vHW138/iXWlK885rKlGSekcj66cij

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	qekoz.exe

Executes dropped EXE 2 IoCs

pid	Process
2316	qekoz.exe
2140	cipoj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qekoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipoj.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe
2140	cipoj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 2316	3572	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	89
PID 3572 wrote to memory of 2316	3572	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	89
PID 3572 wrote to memory of 2316	3572	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	89
PID 3572 wrote to memory of 2788	3572	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	90
PID 3572 wrote to memory of 2788	3572	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	90
PID 3572 wrote to memory of 2788	3572	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	90
PID 2316 wrote to memory of 2140	2316	qekoz.exe	107
PID 2316 wrote to memory of 2140	2316	qekoz.exe	107
PID 2316 wrote to memory of 2140	2316	qekoz.exe	107

C:\Users\Admin\AppData\Local\Temp\b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe
"C:\Users\Admin\AppData\Local\Temp\b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Users\Admin\AppData\Local\Temp\qekoz.exe
  "C:\Users\Admin\AppData\Local\Temp\qekoz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\cipoj.exe
    "C:\Users\Admin\AppData\Local\Temp\cipoj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
04a7bfa8eb94ca946e1a890cc85ebfa6

SHA1
f9cd3e2f86e97ac420219e2fba3787684910607f

SHA256
a25689378fb74347ddc425110ed6f13f5a10787ba1913001946839a8953a972d

SHA512
b7fda068921b8ceebc1a74afd9a5e1ca9e3fbc60b9054c92afe9fa88293561894ef67f8e7cbe8abbe86bcef98350a803b9450eb6cf051b57433a4d4b6b67bc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cipoj.exe

Filesize
172KB

MD5
af3aed7b406c629fd4475ef711459e75

SHA1
f5909aa25e75653f9c3d72e7ad7712180c3bf097

SHA256
9710a9b158e1c27ceb14756c2facf01f1961f7875274e92fc56e7cc3494d435b

SHA512
c3514328819572c4ddb6d88ac56a3473300c056efeda87d07df564487404bfce6ce5ec466b3948e1b39ff90ecea865af4d41a23983239c8039cf1c7b31b74634

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1f825bd1d2f8366713c2ba72083579ff

SHA1
b86a4edc26bdf897e4e340ebe8ecf49c53a799bd

SHA256
a055b21159d71a37a91ad912fb07f66c54b3736c38670f89a7c4014cd49ae919

SHA512
dfd2a18b239a39593de0c922c8857326c4741f76bf9413f8c6da60dd62892d8e3accc4d01ddf72ee95aa61290924bbb70f8d28d28b06e3fec94cc55649c97e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\qekoz.exe

Filesize
332KB

MD5
5c5699e30b30714c0f0b74a5468a0cfc

SHA1
42a06b17b2ce1bddc4615c1491a3d7a7b1c5c973

SHA256
34edefd125e6ebb3e642c98edcf97184ea467d01722f615bcc90e31aea09a3bf

SHA512
dc6546360ae59d3d31e10327873489700c38b93f5ccff21048a3e973a5a7e6b4d1250e5c2325016bd6074e51fd96ee601c24c48f8d5b860c7f58a2d05025f0f9

Download Submit
memory/2140-38-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/2140-47-0x0000000000E20000-0x0000000000EB9000-memory.dmp

Filesize
612KB

Download
memory/2140-45-0x0000000000E20000-0x0000000000EB9000-memory.dmp

Filesize
612KB

Download
memory/2140-46-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/2140-37-0x0000000000E20000-0x0000000000EB9000-memory.dmp

Filesize
612KB

Download
memory/2140-39-0x0000000000E20000-0x0000000000EB9000-memory.dmp

Filesize
612KB

Download
memory/2316-20-0x0000000000F20000-0x0000000000FA1000-memory.dmp

Filesize
516KB

Download
memory/2316-43-0x0000000000F20000-0x0000000000FA1000-memory.dmp

Filesize
516KB

Download
memory/2316-14-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2316-11-0x0000000000F20000-0x0000000000FA1000-memory.dmp

Filesize
516KB

Download
memory/3572-0-0x0000000000420000-0x00000000004A1000-memory.dmp

Filesize
516KB

Download
memory/3572-17-0x0000000000420000-0x00000000004A1000-memory.dmp

Filesize
516KB

Download
memory/3572-1-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing