urelas | 08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c

General

Target

08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c.exe
Size

334KB
MD5

a028ad301750d80f90286320c4447dd0
SHA1

d21f9b6e7516b5af96caaaaf600f2cdef94fa9cf
SHA256

08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c
SHA512

0d31a15091e37fe85b65b16dbc4bc8adb6f66987913824c160ab708047d51a3f96fa946a6553705cd4b39bbd9709c2d238950719e5ee14d2e0f82a9db23efdba
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYm:vHW138/iXWlK885rKlGSekcj66cix

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	qimuu.exe

Executes dropped EXE 2 IoCs

pid	Process
424	qimuu.exe
4496	siamp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qimuu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	siamp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe
4496	siamp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 424	2148	08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c.exe	87
PID 2148 wrote to memory of 424	2148	08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c.exe	87
PID 2148 wrote to memory of 424	2148	08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c.exe	87
PID 2148 wrote to memory of 696	2148	08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c.exe	88
PID 2148 wrote to memory of 696	2148	08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c.exe	88
PID 2148 wrote to memory of 696	2148	08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c.exe	88
PID 424 wrote to memory of 4496	424	qimuu.exe	109
PID 424 wrote to memory of 4496	424	qimuu.exe	109
PID 424 wrote to memory of 4496	424	qimuu.exe	109

C:\Users\Admin\AppData\Local\Temp\08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c.exe
"C:\Users\Admin\AppData\Local\Temp\08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\qimuu.exe
  "C:\Users\Admin\AppData\Local\Temp\qimuu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:424
- - C:\Users\Admin\AppData\Local\Temp\siamp.exe
    "C:\Users\Admin\AppData\Local\Temp\siamp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
bd79dbd44d14f0b3f15d726bb37ead07

SHA1
8060d0306339115bde5b55889fa238dbaf1ef34f

SHA256
e675fb7c52d8d4c380ec2ae263b1284d5eab2de83f24322569490fa7ee024f62

SHA512
5a3d7b5703ab9318d025c0dee399fabb368731c08a9798f92b226ea6fc3a980fe863e39d31966a01e4135526a71558287d7f846a162386ec6cc1eaf83f430311

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fdc5aeee44cd592f886da39c0dde1931

SHA1
420731aea99e27025637c3c70401b885c1ebe14b

SHA256
14977ae085980d72291a77c0a98a05b856bf021c93eadd43d7d1ac5f0ea1f5cc

SHA512
20501ec04484e83155158fa2d88b46fbee93bc5c3947367975318f2202428114c07559a053593ba0d7d1984b8e65b239aacb7c6700eb2a9f0f4fae713c286c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qimuu.exe

Filesize
334KB

MD5
59fdbe2161e64bf2e21cb1a657f8c28a

SHA1
1ab26b7f72411b75513ec5846d47ece57561bdcd

SHA256
ff9dd95bde408e0c6a143f76b082ac68a4e3f379cdab0fd47d97386760fb3e9e

SHA512
ac95c24a1888362e0cf18ce2a5ba816da5db9d79edc89dd48f78f2858dca1f3d41ec701c960ac9af79f1db667926de88b8f5b09115edd3b6749b85815f703711

Download Submit
C:\Users\Admin\AppData\Local\Temp\siamp.exe

Filesize
172KB

MD5
2e7fb658e118a29dde0b2c30e8c67108

SHA1
0a68ffda5b87d776589f61c9fb311629f2e75c95

SHA256
1c7116dd1ff5f1cc93d7aeaaac6649ba3ccab3e71146e794be97525ee14ba0b6

SHA512
9ef9eee8ec80627eb09270e319d46efb97460a31a104f900ab5e7b789c2542a13658ecebb3d34d51423e88923440ce093017497efccb0fc9a01be15ae8b6057c

Download Submit
memory/424-20-0x0000000000520000-0x00000000005A1000-memory.dmp

Filesize
516KB

Download
memory/424-21-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/424-11-0x0000000000520000-0x00000000005A1000-memory.dmp

Filesize
516KB

Download
memory/424-14-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/424-44-0x0000000000520000-0x00000000005A1000-memory.dmp

Filesize
516KB

Download
memory/2148-0-0x0000000000A90000-0x0000000000B11000-memory.dmp

Filesize
516KB

Download
memory/2148-1-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2148-17-0x0000000000A90000-0x0000000000B11000-memory.dmp

Filesize
516KB

Download
memory/4496-41-0x00000000003B0000-0x0000000000449000-memory.dmp

Filesize
612KB

Download
memory/4496-39-0x0000000000DD0000-0x0000000000DD2000-memory.dmp

Filesize
8KB

Download
memory/4496-38-0x00000000003B0000-0x0000000000449000-memory.dmp

Filesize
612KB

Download
memory/4496-46-0x0000000000DD0000-0x0000000000DD2000-memory.dmp

Filesize
8KB

Download
memory/4496-47-0x00000000003B0000-0x0000000000449000-memory.dmp

Filesize
612KB

Download
memory/4496-48-0x00000000003B0000-0x0000000000449000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing