urelas | bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4

General

Target

bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe
Size

332KB
MD5

140484087100d4c593cb84d26dbb4e20
SHA1

c7d047144a44471dd3bb873f564b1f37ee052d06
SHA256

bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4
SHA512

5bb2e15ba83688ade752563a2225d24518ab41ff909773aef6bafab3a07b8b0e4d346bf7fb2526398e19f12b4741cc913a2125532b123790a107dd2172bd6fa8
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYrg:vHW138/iXWlK885rKlGSekcj66ciV

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	erwei.exe

Executes dropped EXE 2 IoCs

pid	Process
956	erwei.exe
3392	vuetd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuetd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erwei.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe
3392	vuetd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 956	1016	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe	87
PID 1016 wrote to memory of 956	1016	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe	87
PID 1016 wrote to memory of 956	1016	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe	87
PID 1016 wrote to memory of 2304	1016	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe	88
PID 1016 wrote to memory of 2304	1016	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe	88
PID 1016 wrote to memory of 2304	1016	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe	88
PID 956 wrote to memory of 3392	956	erwei.exe	99
PID 956 wrote to memory of 3392	956	erwei.exe	99
PID 956 wrote to memory of 3392	956	erwei.exe	99

C:\Users\Admin\AppData\Local\Temp\bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe
"C:\Users\Admin\AppData\Local\Temp\bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\erwei.exe
  "C:\Users\Admin\AppData\Local\Temp\erwei.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\vuetd.exe
    "C:\Users\Admin\AppData\Local\Temp\vuetd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
cf3d053f45f99832089fee10c2b87d0a

SHA1
fc9a94741e636ac7093504633a6e918e0f8bf55c

SHA256
0d130547fba1add262bb8556cc37e81b23a4405ac20b3b09f19d56ea3a3d8c51

SHA512
413d19c8f56fc9b8273120fce6993c2e559dac8a20750dd485ff2a07f37e5970b5fdff4325601e272ef3e3e9c8cfa2ee65801269cea0c37f93f150fb499eb870

Download Submit
C:\Users\Admin\AppData\Local\Temp\erwei.exe

Filesize
332KB

MD5
2ec56000ed3a1eeab2f8bc20c7bee1e8

SHA1
cb86ac75233e1d72dd77328ee2ed713bdb97ca38

SHA256
9effa87101b36b5b112510ba5161e9b79b3100cec1229fb6f0c6de161752d54b

SHA512
68f75b891baaaef7b99b96220e6174f454104ef4c62844ae7320c5f61eabba5ec05039bd62aea9b67c392fb95b96154b5853c8d4719a38b0b8b9e17b177d9d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b2dd333c6bf5057cbb679e1f41011efa

SHA1
ea63c31dfddaeb6ea663676f30e819d643099649

SHA256
2192c996b4db16d88bc1ba9b4bdb01b7b44adabbe7ec4027751a2c7215e25f95

SHA512
de40202d54c6467738c2d9f3e2b62954291ee3098a85c5da1a3fa34f4262742edb428117e2b2be4c50378ac5000bd3dfc155fdaee5f1d5d5d24dbb4a158ada81

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuetd.exe

Filesize
172KB

MD5
8a53fdb452ca2105edb653151a75cc1e

SHA1
29daeca89dbffc302a133d2858420928117de182

SHA256
430be8c01aae857c095dae042a3c10958b2ba583239005fe2d6e52ed5880a40f

SHA512
a9dec5cbf8a3cd226e313e431ab6b0acbd328548dfe23549f927f983bf39a733c0c2d997f3602a66a077dbb6f795e8e285e22fd7f440e9b89f857e441bc0e4fc

Download Submit
memory/956-20-0x00000000001B0000-0x0000000000231000-memory.dmp

Filesize
516KB

Download
memory/956-14-0x00000000001B0000-0x0000000000231000-memory.dmp

Filesize
516KB

Download
memory/956-15-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/956-40-0x00000000001B0000-0x0000000000231000-memory.dmp

Filesize
516KB

Download
memory/1016-17-0x0000000000580000-0x0000000000601000-memory.dmp

Filesize
516KB

Download
memory/1016-0-0x0000000000580000-0x0000000000601000-memory.dmp

Filesize
516KB

Download
memory/1016-1-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3392-38-0x0000000000970000-0x0000000000972000-memory.dmp

Filesize
8KB

Download
memory/3392-37-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/3392-41-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/3392-46-0x0000000000970000-0x0000000000972000-memory.dmp

Filesize
8KB

Download
memory/3392-45-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/3392-47-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing