urelas | 90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a

General

Target

90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe
Size

332KB
MD5

65b4a3aa23c22537f52adee2b0bf5169
SHA1

8434a372b729cde9ee1d032db3306cf813cccb1b
SHA256

90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a
SHA512

8e444fa52bf1dfb7c45499b76dd998c529525f3ebcd970161bbb4e0b3883e1d062d15faec83e30043b27d5f94b3663fc5e63ea5142743739e2df075858af612c
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY6:vHW138/iXWlK885rKlGSekcj66ci7

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	kukiv.exe

Executes dropped EXE 2 IoCs

pid	Process
4228	kukiv.exe
1276	ivcic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ivcic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kukiv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe
1276	ivcic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 4228	3092	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe	87
PID 3092 wrote to memory of 4228	3092	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe	87
PID 3092 wrote to memory of 4228	3092	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe	87
PID 3092 wrote to memory of 2084	3092	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe	88
PID 3092 wrote to memory of 2084	3092	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe	88
PID 3092 wrote to memory of 2084	3092	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe	88
PID 4228 wrote to memory of 1276	4228	kukiv.exe	99
PID 4228 wrote to memory of 1276	4228	kukiv.exe	99
PID 4228 wrote to memory of 1276	4228	kukiv.exe	99

C:\Users\Admin\AppData\Local\Temp\90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe
"C:\Users\Admin\AppData\Local\Temp\90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Local\Temp\kukiv.exe
  "C:\Users\Admin\AppData\Local\Temp\kukiv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Users\Admin\AppData\Local\Temp\ivcic.exe
    "C:\Users\Admin\AppData\Local\Temp\ivcic.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
4388da8d47d2fad02169eef20bfbf4d3

SHA1
27ee900ad333f616b9e81c3a3e830292c46179b1

SHA256
ae5b756995b31b10b9516775ec855e473a9043630c8461ab11927a65f1f18f4d

SHA512
2b08bdfc1982f70a9868cb6c019247a10c7708cd92b622110bf49e32ea075aae4b3b256de2a640eff1481d0b7fa51cf29330f545a1fdd5d818c150d8c78b1f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
81c377418227a7c712c0fb82b7e51a5b

SHA1
5f8af7d971d03f334f927942a8d6280e48d0a509

SHA256
4d474478f843cbd3526afd2ac6ee719bf3f48a0766fc52250be163f3ba0f7215

SHA512
6907ce24f0047afa6015802f30158137c2d00a066d4cc5b399737d43ad7a0628ed5ed914a2b87649b6998598b1832c89be1de467ae95728da1ae6f1ff1bafc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivcic.exe

Filesize
172KB

MD5
6ed43d20567f4393888b91308f270077

SHA1
c64e8eee787cbd95b54ab070deb87c8aec0be8ff

SHA256
3bab0f500c90d5ddf181a1bd165d4afdc5d2dccb35148a62db77f8d048b6e208

SHA512
21a7406e00b9b188f4c33ba166c76e630393b44f1a610e5c0f15d5d19b8e99fd7bd91cb8b442063560afddd06c583ab9d31da8ca34eee0319f1a20b8cffdc73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kukiv.exe

Filesize
332KB

MD5
3e6d47fa9a70e13c66172efe6f5fba85

SHA1
3a2d5e9f027f80060846c2f58b9ba85c7842c39b

SHA256
fedd5fb837d3007a21c5567093a41bae34fbb69523ba24e38e3a622d3ada9753

SHA512
e7c6039d17092045941419c6061a0b1e981c6cb00b5133635dee47ab3f81070141295247bba6c9097d36017af29cb99aac4aa81f9ed5cf1df7edbc01f82ec395

Download Submit
memory/1276-47-0x0000000000A80000-0x0000000000B19000-memory.dmp

Filesize
612KB

Download
memory/1276-37-0x0000000000A80000-0x0000000000B19000-memory.dmp

Filesize
612KB

Download
memory/1276-46-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

Filesize
8KB

Download
memory/1276-45-0x0000000000A80000-0x0000000000B19000-memory.dmp

Filesize
612KB

Download
memory/1276-38-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

Filesize
8KB

Download
memory/1276-40-0x0000000000A80000-0x0000000000B19000-memory.dmp

Filesize
612KB

Download
memory/3092-16-0x0000000000DF0000-0x0000000000E71000-memory.dmp

Filesize
516KB

Download
memory/3092-0-0x0000000000DF0000-0x0000000000E71000-memory.dmp

Filesize
516KB

Download
memory/3092-1-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/4228-12-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/4228-43-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/4228-20-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4228-19-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/4228-13-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing