urelas | 716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c

General

Target

716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c.exe
Size

508KB
MD5

9c5fb0c62ec811e3ee09c3c038c3f4a2
SHA1

965460b96e0039bab84553fc48a86dcc9530a827
SHA256

716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c
SHA512

f367dc4f03ea54a0d5ff87ddade90a6c8b0e6e07c73d7c775c67221869a40a823e3edb3d66ecfdb7f4f4ceec3c96a310304ef07b03c53b72a4f1fd05822aa55d
SSDEEP

12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKoo:3MUv2LAv9AQ1p4dKJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xeogd.exe716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	xeogd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c.exe

Executes dropped EXE 2 IoCs

Processes:

xeogd.exeonfub.exe

pid process

5076 xeogd.exe
816 onfub.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5076	xeogd.exe
816	onfub.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c.exexeogd.execmd.exeonfub.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeogd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onfub.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

onfub.exe

pid	process
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe
816	onfub.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c.exexeogd.exe

description	pid	process	target process
PID 3852 wrote to memory of 5076	3852	716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c.exe	xeogd.exe
PID 3852 wrote to memory of 5076	3852	716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c.exe	xeogd.exe
PID 3852 wrote to memory of 5076	3852	716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c.exe	xeogd.exe
PID 3852 wrote to memory of 5084	3852	716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c.exe	cmd.exe
PID 3852 wrote to memory of 5084	3852	716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c.exe	cmd.exe
PID 3852 wrote to memory of 5084	3852	716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c.exe	cmd.exe
PID 5076 wrote to memory of 816	5076	xeogd.exe	onfub.exe
PID 5076 wrote to memory of 816	5076	xeogd.exe	onfub.exe
PID 5076 wrote to memory of 816	5076	xeogd.exe	onfub.exe

C:\Users\Admin\AppData\Local\Temp\716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c.exe
"C:\Users\Admin\AppData\Local\Temp\716a1ae7074f71915ea6c547cc890fa82838d24b11fc7e1778a78298d00b272c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Users\Admin\AppData\Local\Temp\xeogd.exe
  "C:\Users\Admin\AppData\Local\Temp\xeogd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\onfub.exe
    "C:\Users\Admin\AppData\Local\Temp\onfub.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
5c1dd70bdbd4dfcfceea0531acb2cf8b

SHA1
5e45d5a1c99513e59435b399c8505f696166b313

SHA256
b742d7d674f2590555cb69c78af2232cc5696d8e3a5abee68c68e26455008eab

SHA512
8a9c00c7745a6c2c2e69b76edf0aa7e0b0d261b06e3a689a7b33a04425d2b925eb07372acb6be1ebcf9399cd24e22ae22312e60c60337023f8740b9365cc9978

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f3209657ebf2f9e118d89ff461e16e04

SHA1
1575529915b930c94939e324331819f170f7c357

SHA256
de7392b5cea85d382a15720834b86c1a90426b92c7b6f3c91026c5dd95363a6a

SHA512
518f61072d8d71071de03da938d4bc4c57e4c36e4b5021249cafd97784c3156e25973fc3f5bff3d8301cfba77097c50ed931f329f03076ded0268c68c251d86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onfub.exe

Filesize
172KB

MD5
6a4cc4f0f31f63da4bd1cb137a1f1dc9

SHA1
ff42f6518cda1dff1e55d8e98a19bb56ab5d645c

SHA256
7edce3bee342f5ff8d07c97ec09e8e8920d48c0c4364d2e7ce5c8c1e7cecdc47

SHA512
a5a0d9b606c47e9972e37ba440dfa83bd24a1ef399adeb05cb4c19e4b8fd97163b281cce6bd3d2705b9e48305c757001c232542ae51d3f291e86d918dfcb4a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\xeogd.exe

Filesize
508KB

MD5
48a8d179902ddbd6ef34c8372cdbe084

SHA1
3ee071589019f0ab9f63949f8b732c64e489f9d9

SHA256
7e7d592d0f7b56e5031cc102dfbadd0bebd3461af71e30f210220cdaf8d46d28

SHA512
0595502088199b9cd5811de82cea1c3f06c9af2d7ca2e44b0113285e196c847cf20473cf4f5fc7fb5c9a968422ed8afa1f14dc6489368e25a2241a6595fd3a81

Download Submit
memory/816-26-0x00000000001C0000-0x0000000000259000-memory.dmp

Filesize
612KB

Download
memory/816-35-0x00000000001C0000-0x0000000000259000-memory.dmp

Filesize
612KB

Download
memory/816-38-0x00000000001C0000-0x0000000000259000-memory.dmp

Filesize
612KB

Download
memory/816-37-0x00000000001C0000-0x0000000000259000-memory.dmp

Filesize
612KB

Download
memory/816-36-0x00000000001C0000-0x0000000000259000-memory.dmp

Filesize
612KB

Download
memory/816-28-0x0000000000B70000-0x0000000000B72000-memory.dmp

Filesize
8KB

Download
memory/816-33-0x00000000001C0000-0x0000000000259000-memory.dmp

Filesize
612KB

Download
memory/816-29-0x00000000001C0000-0x0000000000259000-memory.dmp

Filesize
612KB

Download
memory/816-34-0x0000000000B70000-0x0000000000B72000-memory.dmp

Filesize
8KB

Download
memory/3852-14-0x0000000000290000-0x0000000000311000-memory.dmp

Filesize
516KB

Download
memory/3852-0-0x0000000000290000-0x0000000000311000-memory.dmp

Filesize
516KB

Download
memory/5076-27-0x00000000006B0000-0x0000000000731000-memory.dmp

Filesize
516KB

Download
memory/5076-10-0x00000000006B0000-0x0000000000731000-memory.dmp

Filesize
516KB

Download
memory/5076-17-0x00000000006B0000-0x0000000000731000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads