urelas | a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482

General

Target

a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
Size

335KB
MD5

32b6decf1f8f55af9dc2a48997ebf910
SHA1

b19a9b5476ec7afa01a63083dea8961119652928
SHA256

a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482
SHA512

d2a82fae0b0621190260475b39f2d040cee0c25f302f5a4f60c164accfdad26d07b8df1cf408588f93769a1b56d12aa167200ef9880795794dd6d669ba14dced
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66ciA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exeqawos.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	qawos.exe

Executes dropped EXE 2 IoCs

Processes:

qawos.exexezog.exe

pid process

1900 qawos.exe
2912 xezog.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1900	qawos.exe
2912	xezog.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

xezog.exea50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exeqawos.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xezog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qawos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

xezog.exe

pid	process
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe
2912	xezog.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exeqawos.exe

description	pid	process	target process
PID 2760 wrote to memory of 1900	2760	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	qawos.exe
PID 2760 wrote to memory of 1900	2760	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	qawos.exe
PID 2760 wrote to memory of 1900	2760	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	qawos.exe
PID 2760 wrote to memory of 1516	2760	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	cmd.exe
PID 2760 wrote to memory of 1516	2760	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	cmd.exe
PID 2760 wrote to memory of 1516	2760	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	cmd.exe
PID 1900 wrote to memory of 2912	1900	qawos.exe	xezog.exe
PID 1900 wrote to memory of 2912	1900	qawos.exe	xezog.exe
PID 1900 wrote to memory of 2912	1900	qawos.exe	xezog.exe

C:\Users\Admin\AppData\Local\Temp\a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
"C:\Users\Admin\AppData\Local\Temp\a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\qawos.exe
  "C:\Users\Admin\AppData\Local\Temp\qawos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\xezog.exe
    "C:\Users\Admin\AppData\Local\Temp\xezog.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
9a048aa325b4689fdcfd1e04de51f69b

SHA1
5072d2a39083b15bceb55a02483f35eda0ad9150

SHA256
e99675057f0b5161be35b2ee5baf34c89f00962c77ab2307860014e46e890727

SHA512
5e66b9da190a61c7814fc2961f6135a15a53a975fb2fef3cd1957cbd9541c4b8acaf37bd0ef479e7be898813460692a02c4618d8de699a166365e11b15d3ac8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d5e1b7054e3d41b403b4638f894cf53a

SHA1
1f22c593edc3875db1eaa125738e7eaefbb52c37

SHA256
50bcc84fc9e18d3577046eba6abc3dcfef36ff8eb2462e7347c6c8419d348cda

SHA512
87d30b48ac3fb5daf1cc24bd5a791e858a8331736a26ef1971e4a6f6e25c0f3fbec51de5c251f5ea7f73b9edc293c91151cbd9684bc4e41421a8dff3d469d5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qawos.exe

Filesize
335KB

MD5
da4d6246eb295973652d6e221572ba67

SHA1
104d067e949d1b0e099b38b140b2bf58a56238b5

SHA256
217bbd5397516ce084eb818ab881ade29e372be6f48a9aa632e53a1110a35cfc

SHA512
56f12ca93015a1ed44c5e860fb0a775df8664218e28d58c00aa70d828f50bcc12a267e8d00b46d344b589e1dcc73a85c9d3942662b94944f1050f70552f407b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xezog.exe

Filesize
172KB

MD5
f73798727197c4dcb4ef8a02e8dec579

SHA1
f5e32236aa96daa00ad48a9749e035cf0f755e2f

SHA256
1b8b028e83790fb3f612c9f382f230a24edaac190eac1820c5648b720bc7af88

SHA512
3c09c9109747e0a241be28d029b95eaddbdda5ae2d0abc3aedf5c567d9b5c0aab7fb0566f2420a0e7fab3fc95db3ddebf83fd3a35a6c03f0ab17ed68d574c273

Download Submit
memory/1900-20-0x0000000000650000-0x00000000006D1000-memory.dmp

Filesize
516KB

Download
memory/1900-11-0x0000000000650000-0x00000000006D1000-memory.dmp

Filesize
516KB

Download
memory/1900-14-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/1900-39-0x0000000000650000-0x00000000006D1000-memory.dmp

Filesize
516KB

Download
memory/2760-17-0x00000000004A0000-0x0000000000521000-memory.dmp

Filesize
516KB

Download
memory/2760-0-0x00000000004A0000-0x0000000000521000-memory.dmp

Filesize
516KB

Download
memory/2760-1-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2912-40-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2912-36-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/2912-41-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/2912-46-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2912-45-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/2912-47-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads