urelas | f5c7e36356722df46ad34b667a8fe494696b26e079250a65bd95e2b9a05ca499

General

Target

f5c7e36356722df46ad34b667a8fe494696b26e079250a65bd95e2b9a05ca499N.exe
Size

333KB
MD5

1e89de63483e202150fa11815df5ee70
SHA1

8350fcd929ed6949b8c348bcb908898ee98ff02d
SHA256

f5c7e36356722df46ad34b667a8fe494696b26e079250a65bd95e2b9a05ca499
SHA512

00d2483362ab7b7f30fc4317d15df565256b05098807304189807cead37ca0848ace424a0026746b7140850e1698b4c314b15ede39c50f8fe9d32cc76f81aad3
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9m:vHW138/iXWlK885rKlGSekcj66ciWm

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	f5c7e36356722df46ad34b667a8fe494696b26e079250a65bd95e2b9a05ca499N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	nasyy.exe

Executes dropped EXE 2 IoCs

pid	Process
2308	nasyy.exe
1672	dujox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5c7e36356722df46ad34b667a8fe494696b26e079250a65bd95e2b9a05ca499N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nasyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dujox.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe
1672	dujox.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 2308	4368	f5c7e36356722df46ad34b667a8fe494696b26e079250a65bd95e2b9a05ca499N.exe	87
PID 4368 wrote to memory of 2308	4368	f5c7e36356722df46ad34b667a8fe494696b26e079250a65bd95e2b9a05ca499N.exe	87
PID 4368 wrote to memory of 2308	4368	f5c7e36356722df46ad34b667a8fe494696b26e079250a65bd95e2b9a05ca499N.exe	87
PID 4368 wrote to memory of 2704	4368	f5c7e36356722df46ad34b667a8fe494696b26e079250a65bd95e2b9a05ca499N.exe	88
PID 4368 wrote to memory of 2704	4368	f5c7e36356722df46ad34b667a8fe494696b26e079250a65bd95e2b9a05ca499N.exe	88
PID 4368 wrote to memory of 2704	4368	f5c7e36356722df46ad34b667a8fe494696b26e079250a65bd95e2b9a05ca499N.exe	88
PID 2308 wrote to memory of 1672	2308	nasyy.exe	106
PID 2308 wrote to memory of 1672	2308	nasyy.exe	106
PID 2308 wrote to memory of 1672	2308	nasyy.exe	106

C:\Users\Admin\AppData\Local\Temp\f5c7e36356722df46ad34b667a8fe494696b26e079250a65bd95e2b9a05ca499N.exe
"C:\Users\Admin\AppData\Local\Temp\f5c7e36356722df46ad34b667a8fe494696b26e079250a65bd95e2b9a05ca499N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Local\Temp\nasyy.exe
  "C:\Users\Admin\AppData\Local\Temp\nasyy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\dujox.exe
    "C:\Users\Admin\AppData\Local\Temp\dujox.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
19611cace27bf37a203fa7f0a76afde4

SHA1
8be971495ab5ba56f3730b5591ce0dc7b520a4c4

SHA256
8c8204eeed9b1f3b3c5224601fed3bd4e71513ffe3ae8ae97082cba2812dddcb

SHA512
6bc688925e9cd450dde06f1f72c97c3267f3b74f2bdf20b3b7b764f4fa9a8fe779fdd9e3f3ae95c6e11506198475718d773da4d895ee5baab27ec0f1e1372f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\dujox.exe

Filesize
172KB

MD5
c024b36984fbafd7d6014569cae4c5d2

SHA1
8894e50d87e29fa31cabd90b3aa0d0866ed0fb89

SHA256
399666505422740a4dd1a08c9939fcfc60755cbb8dc5867dcd1ecd7583e8ad2b

SHA512
de16e145a81ae1791c7aa1d8d939cafd0f8bc26a7d58178a2ad8e3f8506cafae9bd7ecc1d25c2dbd2f9943e6ef1860cfa9ecdd590cc98397ab85a8b66387f63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2090e9d57c48a8c61db530892f306e18

SHA1
37abca4626df84b541fd02af4fb24d91cca9c3af

SHA256
e00238cd9d0758a3d8effa5843328d130e5642096c47fcaa3b621635e45f4b10

SHA512
e81fee6cf6509a6ec2d49718fe74c6250fc80d101ae10fc00b90c3effe725158959820affcab5dfd6033a6eecc335915cfdbcfb82ffcd9f6d9f4561628c94901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nasyy.exe

Filesize
333KB

MD5
20afe22383d6c6c8447a78e051e7a353

SHA1
ad6279f86ec3762aed86a6dd96b0a49a490937f0

SHA256
8af0e84a69de91f203fda2dc7929f2b836298e5aedd565091986187de89b5c50

SHA512
a743c476073240f74a9a612555e5739e78627e7bc3847e42bd6f38df6b14eadd8012f635b488cb41d1da2b8e21bd7da262b8e61e14ebabc6ac5773b23b13ae0d

Download Submit
memory/1672-47-0x0000000000BC0000-0x0000000000C59000-memory.dmp

Filesize
612KB

Download
memory/1672-45-0x0000000000BC0000-0x0000000000C59000-memory.dmp

Filesize
612KB

Download
memory/1672-46-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

Filesize
8KB

Download
memory/1672-41-0x0000000000BC0000-0x0000000000C59000-memory.dmp

Filesize
612KB

Download
memory/1672-37-0x0000000000BC0000-0x0000000000C59000-memory.dmp

Filesize
612KB

Download
memory/1672-38-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

Filesize
8KB

Download
memory/2308-14-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/2308-20-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/2308-19-0x0000000000DE0000-0x0000000000E61000-memory.dmp

Filesize
516KB

Download
memory/2308-40-0x0000000000DE0000-0x0000000000E61000-memory.dmp

Filesize
516KB

Download
memory/2308-11-0x0000000000DE0000-0x0000000000E61000-memory.dmp

Filesize
516KB

Download
memory/4368-16-0x0000000000B70000-0x0000000000BF1000-memory.dmp

Filesize
516KB

Download
memory/4368-0-0x0000000000B70000-0x0000000000BF1000-memory.dmp

Filesize
516KB

Download
memory/4368-1-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing