urelas | 3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b

General

Target

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
Size

332KB
MD5

0c532605bd6041f0da53a6a9ade4ccc1
SHA1

b94d3dd6f45d0553004adc2672ce539f4ea8d613
SHA256

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b
SHA512

2019433e7f79bac22372cf967745ee5113a19507a523f48cc896e6ca4a769702f448770e11bef8656a9485038bf41eb72c25b203d1897ebc6a128fa0c72f6d87
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY+:vHW138/iXWlK885rKlGSekcj66ciL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

busoo.exe3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	busoo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe

Executes dropped EXE 2 IoCs

Processes:

busoo.exeafopu.exe

pid process

2680 busoo.exe
2276 afopu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2680	busoo.exe
2276	afopu.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exebusoo.execmd.exeafopu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	busoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afopu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

afopu.exe

pid	process
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe
2276	afopu.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exebusoo.exe

description	pid	process	target process
PID 4084 wrote to memory of 2680	4084	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	busoo.exe
PID 4084 wrote to memory of 2680	4084	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	busoo.exe
PID 4084 wrote to memory of 2680	4084	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	busoo.exe
PID 4084 wrote to memory of 2068	4084	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	cmd.exe
PID 4084 wrote to memory of 2068	4084	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	cmd.exe
PID 4084 wrote to memory of 2068	4084	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	cmd.exe
PID 2680 wrote to memory of 2276	2680	busoo.exe	afopu.exe
PID 2680 wrote to memory of 2276	2680	busoo.exe	afopu.exe
PID 2680 wrote to memory of 2276	2680	busoo.exe	afopu.exe

C:\Users\Admin\AppData\Local\Temp\3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
"C:\Users\Admin\AppData\Local\Temp\3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Admin\AppData\Local\Temp\busoo.exe
  "C:\Users\Admin\AppData\Local\Temp\busoo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\afopu.exe
    "C:\Users\Admin\AppData\Local\Temp\afopu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8ce8b29932ebadf525fb715e36148a52

SHA1
6ebcdfc2916987af7c6adabbbe3731614a745f6a

SHA256
4daef5587fdbc87677e9b08a1bc616a354407aa3137606ef19dfd5ca52a28093

SHA512
11dd37baa32ae031ebafb3fa5b694f330b6c614cdfd85b0521bc967a8f37296c761858b33e37b86d5c6c38c7cd9a10c65d6e67fa62bb308e71be352ec7c9b80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\afopu.exe

Filesize
172KB

MD5
ea9fe46fac720119eaf20d2e390b8e4f

SHA1
a79a0f81cf73870bac2c02972445c960a5bc6dd0

SHA256
987b852dedbd8c51899ab876761de3910ed2197c4a23e3f57ea8f6f9cd029999

SHA512
ed188515a97c097601e7ee88da96aee2f8b689b67776f7e4ec08e7a35870ec0edd3a1196f96ddbc57a7f0c9afb7dec0cec4d23fb43dd3d4944f99b887752f076

Download Submit
C:\Users\Admin\AppData\Local\Temp\busoo.exe

Filesize
332KB

MD5
88a561707a32b080e12e70aeee3597cf

SHA1
446cb07088874a438a1cbff64af87167273c2eb0

SHA256
d0cd2698a8137b7848d6421e9b97b23f1ab15a576e134a2d45e67daf9bd88e64

SHA512
c268702b35a2c2773f99cd9057705fd752b8483b5e1c74660c5511832969527f4c2a886a84f29d69fed3571fe18fc760e7b750428a95784ef19220ba241d1220

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b10e219939e790cf9839c1b1c9257cc4

SHA1
df06a11b1085ae28e8698d56dfebcc44370537c4

SHA256
7afaf5258e72a455e07b3b3d9f02157095d022cff76990fb4838e44808ceb38c

SHA512
a076f8a22bdd7132678563e9638054d728253e5fc39ae0eaf787bb3f875e4a306deec650eb1e38f1205465eed4d87d7997e61da41dd38230e636a5ce5765b7a4

Download Submit
memory/2276-45-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/2276-44-0x0000000000B00000-0x0000000000B02000-memory.dmp

Filesize
8KB

Download
memory/2276-49-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/2276-48-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/2276-47-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/2276-46-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/2276-37-0x0000000000B00000-0x0000000000B02000-memory.dmp

Filesize
8KB

Download
memory/2276-36-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/2276-38-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/2680-42-0x00000000008C0000-0x0000000000941000-memory.dmp

Filesize
516KB

Download
memory/2680-19-0x00000000008C0000-0x0000000000941000-memory.dmp

Filesize
516KB

Download
memory/2680-11-0x00000000008C0000-0x0000000000941000-memory.dmp

Filesize
516KB

Download
memory/2680-13-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/4084-16-0x0000000000320000-0x00000000003A1000-memory.dmp

Filesize
516KB

Download
memory/4084-0-0x0000000000320000-0x00000000003A1000-memory.dmp

Filesize
516KB

Download
memory/4084-1-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads