urelas | 97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52

General

Target

97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
Size

332KB
MD5

efb9d248a446a3a7434267d9b4d123c0
SHA1

3fe98e4298e590b5cc2ee56260b39c34a6790832
SHA256

97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52
SHA512

c88b18d6833b3dd913e67028926cb297866c2b1af65dc9c2e264860365004b525eda2b005d8bf9d3f7a330a4e259a7a44301ad82bf3c58d0ed4f3e0574fc36ee
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYK:vHW138/iXWlK885rKlGSekcj66cij

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	zacoc.exe

Executes dropped EXE 2 IoCs

pid	Process
4692	zacoc.exe
3564	uhgom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zacoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uhgom.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe
3564	uhgom.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 4692	2464	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	87
PID 2464 wrote to memory of 4692	2464	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	87
PID 2464 wrote to memory of 4692	2464	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	87
PID 2464 wrote to memory of 2308	2464	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	88
PID 2464 wrote to memory of 2308	2464	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	88
PID 2464 wrote to memory of 2308	2464	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	88
PID 4692 wrote to memory of 3564	4692	zacoc.exe	99
PID 4692 wrote to memory of 3564	4692	zacoc.exe	99
PID 4692 wrote to memory of 3564	4692	zacoc.exe	99

C:\Users\Admin\AppData\Local\Temp\97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
"C:\Users\Admin\AppData\Local\Temp\97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\zacoc.exe
  "C:\Users\Admin\AppData\Local\Temp\zacoc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\uhgom.exe
    "C:\Users\Admin\AppData\Local\Temp\uhgom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
8ea4423a847b146a107fe9decf920b20

SHA1
3f20f309fe0c8f7f982820a018655276a6dba841

SHA256
9f07da084a4e9d8fb2716988a84f4f2f7e5e9f3068e5399503baaa8780517374

SHA512
afcbf286839811a850271ea186df37b0b8f6c342d832f856af07ca0f17b0dcd5546e99fe91800bb661a5a1bee904139d44a384ed771678a9566a5b4b50bd4b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8d11f37a610e54c297573c8df0a4e912

SHA1
494738b69438c7800631fb1c05d597006ca8c1c8

SHA256
48d2a5c9af47a11e81cab0bc5728c15a11bccb542f0bbcde3b3790cd4612ad4c

SHA512
59d9c9dd9fa8ebdb26071842c1f48dcdbe8920e43d77c25707daf31eec51d3e2ec1564591de2dacc0f19a7ee453a988471b1544c23abd25bd755132c78fe28d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhgom.exe

Filesize
172KB

MD5
39e782cae58830b32e056e3001149b75

SHA1
1560296dcc8df91a83107b6b23f23d30fc872e00

SHA256
ed07a02a9109ad319e9ad0fd2e59265c94944f4ce376ab7e8c5da3b25de757c2

SHA512
1cd88d7d4b904c16a7ef484f9c379b347688e854df8eaff03d9da3841dba0ec4bc5ab6cda081da63aac444e380e9eef282bcd0c5eb22a1c3e3eac08428c384e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zacoc.exe

Filesize
332KB

MD5
38514fa12c12f5184c494f5c73e33ea9

SHA1
1f9f55ceafd302274425510b0ac2d1b874836385

SHA256
10ef6161781330f5beb84f4112c75ba3568d3c417f025c1df9abb4d2d82c9e50

SHA512
f19f038a9f693e606bfbb278942e9df66ba8afae2300f15aadddd29ce4f4d46a20ea48076c83e48e99261edac0f80143d25395a1d267389724581f8ab245f3b3

Download Submit
memory/2464-17-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download
memory/2464-1-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2464-0-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download
memory/3564-47-0x0000000000E90000-0x0000000000F29000-memory.dmp

Filesize
612KB

Download
memory/3564-46-0x0000000000E00000-0x0000000000E02000-memory.dmp

Filesize
8KB

Download
memory/3564-40-0x0000000000E90000-0x0000000000F29000-memory.dmp

Filesize
612KB

Download
memory/3564-37-0x0000000000E90000-0x0000000000F29000-memory.dmp

Filesize
612KB

Download
memory/3564-38-0x0000000000E00000-0x0000000000E02000-memory.dmp

Filesize
8KB

Download
memory/3564-45-0x0000000000E90000-0x0000000000F29000-memory.dmp

Filesize
612KB

Download
memory/4692-20-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download
memory/4692-43-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download
memory/4692-14-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/4692-11-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing