urelas | 9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4

General

Target

9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe
Size

454KB
MD5

c78e49bc32b6fcfa5772254f2a503170
SHA1

d77a6a35c674d9497ef937b3aab56611f54d63eb
SHA256

9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4
SHA512

7d2cdba0e0c7ab379c304fe1b3a088dd400d07982a1538281deb7cc7a8c25b76b257d45bdd7a53a7425a05cb0d653cdd31fc363d20cdbe8e358d0abfd3467f08
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFTnm:CMpASIcWYx2U6hAJQnZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

luazyw.exe9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exeguhot.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	luazyw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	guhot.exe

Executes dropped EXE 3 IoCs

Processes:

guhot.exeluazyw.exeaqkom.exe

pid	Process
4512	guhot.exe
2468	luazyw.exe
3592	aqkom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

aqkom.execmd.exe9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exeguhot.execmd.exeluazyw.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqkom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guhot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luazyw.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

aqkom.exe

pid	Process
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe
3592	aqkom.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exeguhot.exeluazyw.exe

description	pid	Process	procid_target
PID 2480 wrote to memory of 4512	2480	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe	84
PID 2480 wrote to memory of 4512	2480	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe	84
PID 2480 wrote to memory of 4512	2480	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe	84
PID 2480 wrote to memory of 964	2480	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe	85
PID 2480 wrote to memory of 964	2480	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe	85
PID 2480 wrote to memory of 964	2480	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe	85
PID 4512 wrote to memory of 2468	4512	guhot.exe	87
PID 4512 wrote to memory of 2468	4512	guhot.exe	87
PID 4512 wrote to memory of 2468	4512	guhot.exe	87
PID 2468 wrote to memory of 3592	2468	luazyw.exe	106
PID 2468 wrote to memory of 3592	2468	luazyw.exe	106
PID 2468 wrote to memory of 3592	2468	luazyw.exe	106
PID 2468 wrote to memory of 4868	2468	luazyw.exe	107
PID 2468 wrote to memory of 4868	2468	luazyw.exe	107
PID 2468 wrote to memory of 4868	2468	luazyw.exe	107

C:\Users\Admin\AppData\Local\Temp\9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe
"C:\Users\Admin\AppData\Local\Temp\9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\guhot.exe
  "C:\Users\Admin\AppData\Local\Temp\guhot.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\luazyw.exe
    "C:\Users\Admin\AppData\Local\Temp\luazyw.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\aqkom.exe
      "C:\Users\Admin\AppData\Local\Temp\aqkom.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
1285d25c51198dbf5615465767f5fe39

SHA1
a3d34fb1e7254fd99f62475f44a3d292da5376f1

SHA256
30d0b13609732fa5fa0a8c1df7fb304af36ae169a699c212d341f8182698e9cc

SHA512
28b8ebaceb0cf742da67cf7a567353905dc3cf2e124bc0dc0739b8dbb5c4c88151a98c388e2328fbc02828f1687d6b2ffbc18ce09847dc2da29aea590ad78fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
823bc86b6a84c45b9ac27172b1244718

SHA1
2d889fc2369e27a0ab0fa05355904892fa88ef49

SHA256
5ca5e52172ffd94ccb39ec2197d2be8f250006a719a69e64241419db4bb73894

SHA512
06f1f090b4713f7c703bc7dc698bfed434ce9293ef9508aa10449dd9bc5bc008f78eb09faccb26578c51abbd69da114b7bea8b0895006efd6a5878b3b50dc94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqkom.exe

Filesize
223KB

MD5
04cce8df07de9ab004754996813bd91a

SHA1
00b2d8dcf19c837f3ee8af49f050ceae3d593275

SHA256
c1dd81eebbfd61e2419ef6ea6cfa5845687f5e049cb3931d8856a8a7c03f11a0

SHA512
6244d221a018ebfb6d938d144c86fb3e59b13633fe302d7b620a9b5472cb2bf075a31dcba6f95981c873022d31beaec3ce490649f12c35968c8ba8270af0af80

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
eb34e224c1f16ab0316cc1d94e015e1a

SHA1
cce590fc903e885ec5ac186cebc3cd66f539836c

SHA256
ad4d569b5d9d3c9d385734061eb53542431a223f44016e8586aaa9714266e42d

SHA512
90d30024cd9e149c7ad6c355f26ede13605c0f108a235d51a839f3e5e9f241a6276bf528622060b8ce388c3d9bd2cac46bdf140eae29a9204ed4cbd25504759a

Download Submit
C:\Users\Admin\AppData\Local\Temp\guhot.exe

Filesize
454KB

MD5
2dc50565fa15c21cd8dbf6f77ac638dd

SHA1
ec23993aa113901e1c4380f6998baadd9679d03a

SHA256
02c84dad4d5537037ec4d0680c828d88c98d65789327711a07e46a330ed20578

SHA512
8b6d3154a94250f599f358b60589cbe5a0405ad5c3afb1439ac24db7857a018bfd36018a00b43eebf310fd34062477a3f44311e4df238ee1d0e730a79d127489

Download Submit
C:\Users\Admin\AppData\Local\Temp\luazyw.exe

Filesize
454KB

MD5
c003e030b3d2991bc59cff44fa2c959c

SHA1
61a294cc5e8633c72a3e95ebb13b0d4e478d372c

SHA256
3e813971b30023f0c16347b9829cf4d08423608524f410bb1467e2bbc7c2c14c

SHA512
1aa8a4ff2839fb00cd398d3690a725e5701a9ac92388b560421626a8fed5f5d2985cf20a7430753961994a3cd179c242d527de4b25bce2497c9e0b38583cad20

Download Submit
memory/2468-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2468-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2480-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2480-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3592-37-0x00000000009D0000-0x0000000000A70000-memory.dmp

Filesize
640KB

Download
memory/3592-42-0x00000000009D0000-0x0000000000A70000-memory.dmp

Filesize
640KB

Download
memory/3592-43-0x00000000009D0000-0x0000000000A70000-memory.dmp

Filesize
640KB

Download
memory/4512-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4512-13-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads