urelas | 2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7

General

Target

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe
Size

327KB
MD5

8683596a79ee62e258067bbadaa4e0b0
SHA1

2804b7a54623958f9feae3720d47cf43d190301c
SHA256

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7
SHA512

776cf6027bfa30d32fb61e54cbed0e9a34a9e20e6645f83cf2e434952a7b9c641410b81ddd816570c41449ce30e90b33b21041d34ba43419526b9ff664fbc97d
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYQ:vHW138/iXWlK885rKlGSekcj66ciR

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exeduecd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	duecd.exe

Executes dropped EXE 2 IoCs

Processes:

duecd.exesoaru.exe

pid process

3712 duecd.exe
1720 soaru.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3712	duecd.exe
1720	soaru.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exesoaru.exe2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exeduecd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soaru.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	duecd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

soaru.exe

pid	process
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe
1720	soaru.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exeduecd.exe

description	pid	process	target process
PID 880 wrote to memory of 3712	880	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	duecd.exe
PID 880 wrote to memory of 3712	880	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	duecd.exe
PID 880 wrote to memory of 3712	880	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	duecd.exe
PID 880 wrote to memory of 4328	880	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	cmd.exe
PID 880 wrote to memory of 4328	880	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	cmd.exe
PID 880 wrote to memory of 4328	880	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	cmd.exe
PID 3712 wrote to memory of 1720	3712	duecd.exe	soaru.exe
PID 3712 wrote to memory of 1720	3712	duecd.exe	soaru.exe
PID 3712 wrote to memory of 1720	3712	duecd.exe	soaru.exe

C:\Users\Admin\AppData\Local\Temp\2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe
"C:\Users\Admin\AppData\Local\Temp\2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\duecd.exe
  "C:\Users\Admin\AppData\Local\Temp\duecd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Users\Admin\AppData\Local\Temp\soaru.exe
    "C:\Users\Admin\AppData\Local\Temp\soaru.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8f89209875b68dc7aeabfe4e5d52c438

SHA1
2c9fc8e53f1dbda9a7d4a30f563eec47b2dba870

SHA256
1fbe0b77c72646d6661853e1ed49513eac6cd002259fbc2ccb8a3550f6e79725

SHA512
264828e36193cb454896c4243afd62f27fbd5838903f349ea31998c8de52ec6062f4ae7531d8385613dd01d1f6587d077ac36fa0a9b1a01eb8b7b531346af803

Download Submit
C:\Users\Admin\AppData\Local\Temp\duecd.exe

Filesize
327KB

MD5
7a9f6d50ff778e97757cdabaa6a1a53e

SHA1
402f8e4590ab9dd035c8d65ff765bcaae91ea36c

SHA256
835485b34398fab7843f1ff91fca7ebf3ee002525919f4238b1c65c98bd5eeae

SHA512
66819f2a3b10de044a0f4639fe98e1f2d2d3db73e3bd97c1f092246acdc85967fd0ae621dcb7cfb974925895819fed90896ca7bd27ff542d7346c8eaa72a1ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c35f1972ef21af20bb3e3ccf9bea3377

SHA1
920316c4ff59b744b6039e2b7bf3cf5f46e04cab

SHA256
4858888437127c3501fb9b7847c9eaddab083d3e1522dff3994a2f0d4a625270

SHA512
d9dca2ac59c1d2be1b177c3f1b47cb7da31d0b738f50476f0a0681ca09b5a1cc03e1541ee6d30dc559f31dcd1e88f479e734b9e0350a7b3ef19606db5e6e5e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\soaru.exe

Filesize
172KB

MD5
1651936fa97e29555df68a1cf2cc7434

SHA1
87cc6f0114591bad15b3978164dd61f8eac43e42

SHA256
1826dd0a515d14b01d5e93f56879fd09e3be995212849bf6bd94dca7052b7867

SHA512
1a22651246a562ca52cd4d876f76b6dfcba39ffc0241418a54717d0c1251bf7faad9b7d977a3cafdf43556799168204741147791e52b3468fba620234df06c1e

Download Submit
memory/880-17-0x00000000003C0000-0x0000000000441000-memory.dmp

Filesize
516KB

Download
memory/880-0-0x00000000003C0000-0x0000000000441000-memory.dmp

Filesize
516KB

Download
memory/880-1-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1720-45-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/1720-50-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/1720-49-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/1720-48-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/1720-40-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/1720-39-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/1720-47-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/1720-38-0x0000000000B50000-0x0000000000BE9000-memory.dmp

Filesize
612KB

Download
memory/1720-46-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3712-21-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3712-43-0x0000000000390000-0x0000000000411000-memory.dmp

Filesize
516KB

Download
memory/3712-20-0x0000000000390000-0x0000000000411000-memory.dmp

Filesize
516KB

Download
memory/3712-13-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3712-11-0x0000000000390000-0x0000000000411000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads