urelas | b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc

General

Target

b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe
Size

332KB
MD5

54225c6e3dee406c2abb7fb9b15fb451
SHA1

ed975009087724d5b4b3c1938cdda16ca15bcd9f
SHA256

b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc
SHA512

b3a129de8f26b79b472123614cada054fac25c7afc89fb70225721ae139b109f98f6cd714ba4b2645288aab3b751b6c53fed70fda1c87622a16bcb1310153d1d
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVK:vHW138/iXWlK885rKlGSekcj66ciEK

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	qulyy.exe

Executes dropped EXE 2 IoCs

pid	Process
3208	qulyy.exe
2876	owbon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qulyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	owbon.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe
2876	owbon.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 3208	3360	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe	87
PID 3360 wrote to memory of 3208	3360	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe	87
PID 3360 wrote to memory of 3208	3360	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe	87
PID 3360 wrote to memory of 1472	3360	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe	88
PID 3360 wrote to memory of 1472	3360	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe	88
PID 3360 wrote to memory of 1472	3360	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe	88
PID 3208 wrote to memory of 2876	3208	qulyy.exe	99
PID 3208 wrote to memory of 2876	3208	qulyy.exe	99
PID 3208 wrote to memory of 2876	3208	qulyy.exe	99

C:\Users\Admin\AppData\Local\Temp\b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe
"C:\Users\Admin\AppData\Local\Temp\b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Users\Admin\AppData\Local\Temp\qulyy.exe
  "C:\Users\Admin\AppData\Local\Temp\qulyy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\owbon.exe
    "C:\Users\Admin\AppData\Local\Temp\owbon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
1e4e0669b69a2758ecb8afb86d50cadc

SHA1
671718f937486e37afede9fe37561f17fa33c714

SHA256
a35c3a6f5e9985e5271ec51c3a7f8c15143a64cc8cbcee233af439b237ee4064

SHA512
75afed713535483abc935a621a27e0c8b2fcf9aedf502bbf5158e3c13e5aec57366ce6df019b421d19bbc5facf42ab2292489fdf90a869459f5c9b53ff831b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
712a6f19863d49358c8a6c32db6ee5ab

SHA1
8c5daf82a7776b6c6e8c88e88a9803d3212920e3

SHA256
830fa6b6b684c40de9e2a30ef2b0c12f656e750fd1e8c96cc16c3484ef1e99db

SHA512
c4e967550c62a0fabd084094d6917761f8874251c3595d013fb12edd79237e31ee2a6e7c31c454754a47c8ea30114a851e89b1715b268f3647c9db1d3d90526b

Download Submit
C:\Users\Admin\AppData\Local\Temp\owbon.exe

Filesize
172KB

MD5
e17f910a0f56ed280be8fe30d9363847

SHA1
da7029f765bd6f1e8284d17e07a7ae0ee4781eaa

SHA256
fb39bd8de3e1bb3826ce2517b26ec40e1a6006b49cc5c30a803d177518cfc668

SHA512
1f5af490064a78132f56cccde7ca84fbae2a030034e50ed7edc645f7230b0ce5e8fe813bdbebb26aebf960138bb1f7596d7ef0da55f13084809824015e3ab7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qulyy.exe

Filesize
332KB

MD5
0bcb4b49b0c6aaa3f3dec66cb19cd707

SHA1
e859a6416c8c90c5eb74c229bd0f9a54fa65a734

SHA256
dbfada2fd52f194c653c45e05de69f5093aaf9b857f419d4a7e337fc222ce1ff

SHA512
f1d4741413ffd2d47977c29acba04274875104d9250e4fd77d5eb7d8a8f135debe8730429bfb5119d2ef892b31038c8e72e2b02ae1306aee3b9fabb0ed94ae63

Download Submit
memory/2876-45-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2876-44-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2876-39-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2876-42-0x0000000000CF0000-0x0000000000CF2000-memory.dmp

Filesize
8KB

Download
memory/2876-36-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/3208-13-0x00000000009C0000-0x0000000000A41000-memory.dmp

Filesize
516KB

Download
memory/3208-19-0x00000000009C0000-0x0000000000A41000-memory.dmp

Filesize
516KB

Download
memory/3208-38-0x00000000009C0000-0x0000000000A41000-memory.dmp

Filesize
516KB

Download
memory/3208-10-0x00000000009C0000-0x0000000000A41000-memory.dmp

Filesize
516KB

Download
memory/3360-16-0x0000000000600000-0x0000000000681000-memory.dmp

Filesize
516KB

Download
memory/3360-0-0x0000000000600000-0x0000000000681000-memory.dmp

Filesize
516KB

Download
memory/3360-1-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing