urelas | 4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06

General

Target

4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe
Size

332KB
MD5

0245c187c3e8aadc222e614423e615d0
SHA1

3a50a9991861ef8dc121fbec4f0bb8667144dd2c
SHA256

4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06
SHA512

60d37fa1e4cf1e6c63e854d328f0d4cf30a01edb9a622c1944320d17080fc05e4ad5c176589038fd8e02ad44fb8df3a060dc4e750c6ab9c9fe87fa5e5ddd110b
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVJ:vHW138/iXWlK885rKlGSekcj66ciEJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	polae.exe

Executes dropped EXE 2 IoCs

pid	Process
4396	polae.exe
440	unzet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	polae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzet.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe
440	unzet.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 4396	3520	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe	86
PID 3520 wrote to memory of 4396	3520	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe	86
PID 3520 wrote to memory of 4396	3520	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe	86
PID 3520 wrote to memory of 3016	3520	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe	87
PID 3520 wrote to memory of 3016	3520	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe	87
PID 3520 wrote to memory of 3016	3520	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe	87
PID 4396 wrote to memory of 440	4396	polae.exe	106
PID 4396 wrote to memory of 440	4396	polae.exe	106
PID 4396 wrote to memory of 440	4396	polae.exe	106

C:\Users\Admin\AppData\Local\Temp\4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe
"C:\Users\Admin\AppData\Local\Temp\4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\AppData\Local\Temp\polae.exe
  "C:\Users\Admin\AppData\Local\Temp\polae.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Users\Admin\AppData\Local\Temp\unzet.exe
    "C:\Users\Admin\AppData\Local\Temp\unzet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
35418fff5a9b2d0ece4ab4764a1a49df

SHA1
06f9e4589f21a60a69b4a7301fc4feca2ba4cf94

SHA256
caf07023dafeb35d10556078234a2e81c2d5dac09f456f6ea12cea9102d3f3f6

SHA512
6cc2a57c4591bfea9803aa231734c869c8677d41d26fbff1495a2822a96c518b01873f59b5d23bb7f2dff4f5ff8be8dd6b1d5fe4b825a82371e80d165e1bc1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cbc6315ec7eaa644e642b4d3b17d6932

SHA1
87254db8a69e3d76b313c97d87504f0d7a8bc060

SHA256
1085970ecdb50b700ec5c0d0eb513ebf7c6048e3ead52b721639ac6970d74117

SHA512
2f6b2376391ebc9400fd64331529d7990d1f5edacd9bdba26fe5039e19f8366123464ade1b973431a5d55eba7b68958101d4384da136045626e47b1a3e951307

Download Submit
C:\Users\Admin\AppData\Local\Temp\polae.exe

Filesize
332KB

MD5
2f8a24691a30807f2449cb9afbde04dc

SHA1
82534e92f0d2e578cdbdfd0bedb52c7c271c674f

SHA256
303e25b815409c41550be06dbd6e9edf0eee26615466db6c871bffad6052ddaf

SHA512
b37a9227662288902c3a2a81c78cde85dd4fe5e4e95eaafcbc06d3764654f98a1005a720be4a2b8bc289d6da00483434341a5a7481a4ca7f7a0368e1f654404f

Download Submit
C:\Users\Admin\AppData\Local\Temp\unzet.exe

Filesize
172KB

MD5
4b042afb1811a23cf5d2ac19d2a8a629

SHA1
3b66adbabd00ca114cd65977846f83f001852721

SHA256
172085ad1fef94c344bf7582a0858b10675bfad690d18602e0f849f7315fc6d6

SHA512
59bd0e211276beb01a33d75e48da81a54d39102490d173e6af2c98a566d5a35c6b735b5c6dd8b74b366af4b6476aeaca0aac1f0c6857f924d35da20d760ea393

Download Submit
memory/440-47-0x0000000000C80000-0x0000000000D19000-memory.dmp

Filesize
612KB

Download
memory/440-41-0x0000000000C80000-0x0000000000D19000-memory.dmp

Filesize
612KB

Download
memory/440-45-0x0000000000C80000-0x0000000000D19000-memory.dmp

Filesize
612KB

Download
memory/440-46-0x0000000000140000-0x0000000000142000-memory.dmp

Filesize
8KB

Download
memory/440-37-0x0000000000C80000-0x0000000000D19000-memory.dmp

Filesize
612KB

Download
memory/440-38-0x0000000000140000-0x0000000000142000-memory.dmp

Filesize
8KB

Download
memory/3520-16-0x00000000006B0000-0x0000000000731000-memory.dmp

Filesize
516KB

Download
memory/3520-0-0x00000000006B0000-0x0000000000731000-memory.dmp

Filesize
516KB

Download
memory/3520-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/4396-14-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4396-40-0x0000000000C70000-0x0000000000CF1000-memory.dmp

Filesize
516KB

Download
memory/4396-20-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4396-19-0x0000000000C70000-0x0000000000CF1000-memory.dmp

Filesize
516KB

Download
memory/4396-11-0x0000000000C70000-0x0000000000CF1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing