urelas | c29edb7ee4b52c49705d65f990b12d56db8e5e5bbbd7afd222af5efdf412c9d3

General

Target

c29edb7ee4b52c49705d65f990b12d56db8e5e5bbbd7afd222af5efdf412c9d3N.exe
Size

331KB
MD5

d857dcb02e63d55691b2cd19e6811940
SHA1

0115ff05d364bf6f6e2c84ac924684627054fb56
SHA256

c29edb7ee4b52c49705d65f990b12d56db8e5e5bbbd7afd222af5efdf412c9d3
SHA512

73fba4b32473c5983b51861f499b6fbb395e73fcdaa0833281524be27e79b7c922c94781bcdb2d218254b1b3d12975d01719320dbbefe5b75a9536bc8cf51d09
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYq:vHW138/iXWlK885rKlGSekcj66ciT

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	c29edb7ee4b52c49705d65f990b12d56db8e5e5bbbd7afd222af5efdf412c9d3N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	zidiw.exe

Executes dropped EXE 2 IoCs

pid	Process
2260	zidiw.exe
1124	oqivf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c29edb7ee4b52c49705d65f990b12d56db8e5e5bbbd7afd222af5efdf412c9d3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zidiw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oqivf.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe
1124	oqivf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2260	2836	c29edb7ee4b52c49705d65f990b12d56db8e5e5bbbd7afd222af5efdf412c9d3N.exe	89
PID 2836 wrote to memory of 2260	2836	c29edb7ee4b52c49705d65f990b12d56db8e5e5bbbd7afd222af5efdf412c9d3N.exe	89
PID 2836 wrote to memory of 2260	2836	c29edb7ee4b52c49705d65f990b12d56db8e5e5bbbd7afd222af5efdf412c9d3N.exe	89
PID 2836 wrote to memory of 3960	2836	c29edb7ee4b52c49705d65f990b12d56db8e5e5bbbd7afd222af5efdf412c9d3N.exe	90
PID 2836 wrote to memory of 3960	2836	c29edb7ee4b52c49705d65f990b12d56db8e5e5bbbd7afd222af5efdf412c9d3N.exe	90
PID 2836 wrote to memory of 3960	2836	c29edb7ee4b52c49705d65f990b12d56db8e5e5bbbd7afd222af5efdf412c9d3N.exe	90
PID 2260 wrote to memory of 1124	2260	zidiw.exe	106
PID 2260 wrote to memory of 1124	2260	zidiw.exe	106
PID 2260 wrote to memory of 1124	2260	zidiw.exe	106

C:\Users\Admin\AppData\Local\Temp\c29edb7ee4b52c49705d65f990b12d56db8e5e5bbbd7afd222af5efdf412c9d3N.exe
"C:\Users\Admin\AppData\Local\Temp\c29edb7ee4b52c49705d65f990b12d56db8e5e5bbbd7afd222af5efdf412c9d3N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\zidiw.exe
  "C:\Users\Admin\AppData\Local\Temp\zidiw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\oqivf.exe
    "C:\Users\Admin\AppData\Local\Temp\oqivf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
0fe03ca2c0c461a104985600019f1be7

SHA1
67f030052a33fa7e146d3fcabf4d1c79bf644067

SHA256
467944e068bcd59a7e4e81c83d6d3497edd689fb5b3ba243967e17879d93cd0c

SHA512
ba6049d854cc7bfe25ea198d4f8905f7aa0baa5142131efd09f1ae60f4e17f16f38074d5248e2ded958f07aca11c2ce46003df7a662a8947c0aefe2a88abdfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b819bd5aa16aee851b940c3b615c6485

SHA1
e536591658e5910317021fb36617c6e96104d13d

SHA256
8bf899217a3829574603eaa7887102c0b422278c426f2f3c68a7f7ae4abdb2dd

SHA512
724905ad4a44909d6b512a974a48b842a3573f186f6c99afb55be314125eb8ed7dbdab604d475a2a553a491d13ba144b39d0617fd33b183c1abe4f40190168f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqivf.exe

Filesize
172KB

MD5
4c34db5dfe855f44846b11c4bae27864

SHA1
f3b87fdf392b3b39fac2a4189686a55c05bcfe41

SHA256
7debbe8a15ed00b033bf6f2e74e6ef30a15adcba84d28571bbeb3804c15a6d65

SHA512
f26c3e502f1be78faeef1a8b3e4656530e5805855963b3b950ab2211e9546a4c7c4a209a7cc424db96b78b953b7cddd2cce6b83a7fccaa3c77d26177934088b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zidiw.exe

Filesize
331KB

MD5
3ddcd504182bf74d21aaac53a31a336a

SHA1
937d94a596f98dcbd77db150310bb1ff960cd9a3

SHA256
6d06738385b27ec7331aa4ee1b756d8bbf560cb2fd515d0c45911c1d1dcdb942

SHA512
706c8094a722fc584d619baf02ef3d1c80b8f4e2150e19e166fa8d9af08c302fad3a5801b1a5a3e2d7a0bf4fc5faa39e95aba27627267c1498b6336a4836afc5

Download Submit
memory/1124-37-0x00000000005B0000-0x0000000000649000-memory.dmp

Filesize
612KB

Download
memory/1124-47-0x00000000005B0000-0x0000000000649000-memory.dmp

Filesize
612KB

Download
memory/1124-46-0x0000000000980000-0x0000000000982000-memory.dmp

Filesize
8KB

Download
memory/1124-45-0x00000000005B0000-0x0000000000649000-memory.dmp

Filesize
612KB

Download
memory/1124-41-0x00000000005B0000-0x0000000000649000-memory.dmp

Filesize
612KB

Download
memory/1124-40-0x0000000000980000-0x0000000000982000-memory.dmp

Filesize
8KB

Download
memory/2260-14-0x0000000000780000-0x0000000000801000-memory.dmp

Filesize
516KB

Download
memory/2260-39-0x0000000000780000-0x0000000000801000-memory.dmp

Filesize
516KB

Download
memory/2260-20-0x0000000000780000-0x0000000000801000-memory.dmp

Filesize
516KB

Download
memory/2260-13-0x0000000000780000-0x0000000000801000-memory.dmp

Filesize
516KB

Download
memory/2836-0-0x0000000000D00000-0x0000000000D81000-memory.dmp

Filesize
516KB

Download
memory/2836-17-0x0000000000D00000-0x0000000000D81000-memory.dmp

Filesize
516KB

Download
memory/2836-1-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing