urelas | 74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113b

General

Target

74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113bN.exe
Size

332KB
MD5

6680e3224b07e9b3011dc9e0243334d0
SHA1

2ecac4e463467e73b00af49f77ef6b70df8e67c9
SHA256

74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113b
SHA512

2c99d4a86e8fb04b9f1b440556a38fba5f2aefd4b64ac194fd04bdc3686fb4199f05a8018e4ab983fdcbeeda2b7b5a7a63115e74074dfa73033b0698cd6e2f65
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVVU:vHW138/iXWlK885rKlGSekcj66ciEVU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113bN.exesofaj.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113bN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	sofaj.exe

Executes dropped EXE 2 IoCs

Processes:

sofaj.execevij.exe

pid	Process
3488	sofaj.exe
3776	cevij.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cevij.exe74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113bN.exesofaj.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cevij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sofaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

cevij.exe

pid	Process
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe
3776	cevij.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113bN.exesofaj.exe

description	pid	Process	procid_target
PID 376 wrote to memory of 3488	376	74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113bN.exe	86
PID 376 wrote to memory of 3488	376	74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113bN.exe	86
PID 376 wrote to memory of 3488	376	74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113bN.exe	86
PID 376 wrote to memory of 2312	376	74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113bN.exe	87
PID 376 wrote to memory of 2312	376	74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113bN.exe	87
PID 376 wrote to memory of 2312	376	74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113bN.exe	87
PID 3488 wrote to memory of 3776	3488	sofaj.exe	98
PID 3488 wrote to memory of 3776	3488	sofaj.exe	98
PID 3488 wrote to memory of 3776	3488	sofaj.exe	98

C:\Users\Admin\AppData\Local\Temp\74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113bN.exe
"C:\Users\Admin\AppData\Local\Temp\74f96a6b959c4db40eca9881bbb3f63bc43cc9b8f4d8345c6d7b227a82ab113bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Local\Temp\sofaj.exe
  "C:\Users\Admin\AppData\Local\Temp\sofaj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\cevij.exe
    "C:\Users\Admin\AppData\Local\Temp\cevij.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
dd4fbbe1e013c472fb449a183c052680

SHA1
3f08dd75e643b053b3ee3c522a983d3f20a6afeb

SHA256
9db347b34dc1697b4b8eaa612c322a6c6cef42c9a6ee084a45651624ec2d9b21

SHA512
bcb612a6c4769ecd9b0c8de60b674a87b969694703198062d1bf247fffa0281fc39d1ba97a0c04b8e3fa687d654fbf28c3d148563a6e26dfd317113b715d4ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cevij.exe

Filesize
172KB

MD5
13e3ae703fd20a902f234dbba291d552

SHA1
cb25a00850b56a07f0a9df9799b7c2d2208462e1

SHA256
e330e01f6814be7ab2c09a48c7753a158e4b7fb9223a2d25ca5efd6ec99f4774

SHA512
673b7a09134e43b5fb6b7a11e5519c0c1d09090e345a357d67aa6ea3f9ecfd6ef535db3f05553192df0de3236d3461d45ee6c8607cea058f54a4c114b4cdb701

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
10f9bd6993b36c74f446718d531b4e8b

SHA1
0ba73f7de3e9c0c5ddb429a5e42ec8aaa422748e

SHA256
b75b658856b3d85a5a29e6c0230c969d97058a1440805cb4ab366e3ff6efaec6

SHA512
56976a011fd284dcbbdf6bf9f2cdd085d2c124a16f4126074a7b5cab3853773d53d7a80e0d90d7f4e020a945bcbc9f23e1ab579c8a3e07a156d874e6f17172c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sofaj.exe

Filesize
332KB

MD5
7073d4d095175974d4b28ba77fae9c4c

SHA1
315c3a998c27eb71790dbc59ff230c504e3bd83f

SHA256
72853e9919bcbbd7ae555d478dd126dee504602ace3a2383586bd69b45c8ace8

SHA512
fad4e7dad1ca111cc466e1d66b10e07ee235a5f101e14b591b2689d4794348cd776ed8e6b9552513bcde6f711ae905bf55806903e2e4b43b546bf261880f85e6

Download Submit
memory/376-1-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/376-0-0x0000000000D30000-0x0000000000DB1000-memory.dmp

Filesize
516KB

Download
memory/376-17-0x0000000000D30000-0x0000000000DB1000-memory.dmp

Filesize
516KB

Download
memory/3488-20-0x0000000000A70000-0x0000000000AF1000-memory.dmp

Filesize
516KB

Download
memory/3488-14-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/3488-21-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/3488-11-0x0000000000A70000-0x0000000000AF1000-memory.dmp

Filesize
516KB

Download
memory/3488-41-0x0000000000A70000-0x0000000000AF1000-memory.dmp

Filesize
516KB

Download
memory/3776-39-0x00000000004A0000-0x00000000004A2000-memory.dmp

Filesize
8KB

Download
memory/3776-38-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/3776-42-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/3776-46-0x00000000004A0000-0x00000000004A2000-memory.dmp

Filesize
8KB

Download
memory/3776-47-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/3776-48-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads