urelas | 1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3

General

Target

1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe
Size

450KB
MD5

536da247a62bf70f370825f5cdf58b99
SHA1

a5a3655d28c08d38c72b8ad71859b14f1661ffc9
SHA256

1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3
SHA512

0d675bde335e7ea5765ef011ed5c428424a7b0720a3a71c403305cd0aada8a8f58bdaf277a976d9eeecd86f2e773aec81b6802e2eeaefbc4052722540187374a
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFTA:CMpASIcWYx2U6hAJQnx

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exeecbil.exeluhowu.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ecbil.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	luhowu.exe

Executes dropped EXE 3 IoCs

Processes:

ecbil.exeluhowu.exepixyj.exe

pid	Process
928	ecbil.exe
3440	luhowu.exe
4388	pixyj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exeecbil.execmd.exeluhowu.exepixyj.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecbil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luhowu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pixyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

pixyj.exe

pid	Process
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe
4388	pixyj.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exeecbil.exeluhowu.exe

description	pid	Process	procid_target
PID 1964 wrote to memory of 928	1964	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe	82
PID 1964 wrote to memory of 928	1964	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe	82
PID 1964 wrote to memory of 928	1964	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe	82
PID 1964 wrote to memory of 1892	1964	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe	83
PID 1964 wrote to memory of 1892	1964	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe	83
PID 1964 wrote to memory of 1892	1964	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe	83
PID 928 wrote to memory of 3440	928	ecbil.exe	85
PID 928 wrote to memory of 3440	928	ecbil.exe	85
PID 928 wrote to memory of 3440	928	ecbil.exe	85
PID 3440 wrote to memory of 4388	3440	luhowu.exe	95
PID 3440 wrote to memory of 4388	3440	luhowu.exe	95
PID 3440 wrote to memory of 4388	3440	luhowu.exe	95
PID 3440 wrote to memory of 3376	3440	luhowu.exe	96
PID 3440 wrote to memory of 3376	3440	luhowu.exe	96
PID 3440 wrote to memory of 3376	3440	luhowu.exe	96

C:\Users\Admin\AppData\Local\Temp\1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe
"C:\Users\Admin\AppData\Local\Temp\1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\ecbil.exe
  "C:\Users\Admin\AppData\Local\Temp\ecbil.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\luhowu.exe
    "C:\Users\Admin\AppData\Local\Temp\luhowu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Users\Admin\AppData\Local\Temp\pixyj.exe
      "C:\Users\Admin\AppData\Local\Temp\pixyj.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
bab5589405de7ca0c5b9c4171c1f29ba

SHA1
9af93b3744f7f0778e56b910f2db896be660c595

SHA256
eba41b2ab0813fd62dd0eb11eedeec782da2d1998e92b0a9d88b178c9211a8ed

SHA512
aa1a9daf16675d861b50dbda7e1a340350fe8c07f978eb72da7302598cb64e400cb741ef4b49cb2fae4fa92a1157049876f7446b01ad54d29b420ad6c09fcd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
80c5edf3402cf1d19d0135465a29d096

SHA1
74100d6e70e39e5341f881b4158312115a43f782

SHA256
be89dc01e22ad6678bc067dd145a7e1e1155f9764ad3b1a30175ff207c0ac9fa

SHA512
e5205133f2b77585a6cdde93fb083aa5ffa4758ca82ed9fb8ce86ffe9d3cf56b2cace8909ad889b4be35e46a4baa4e6118d5a0db0a909246c7e62f412497836b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecbil.exe

Filesize
450KB

MD5
8459b90df55eedd9e22cc3e6e49ece64

SHA1
cf74e90b95961da3bb64166ca70d299d85697f0b

SHA256
0257a8313ff5cbc9fcf7c91d8f4e55b864c8e40bdf055f27f8d048873dd0f91d

SHA512
ad1e4a1f38201067d12e154cc8a0d78d926b582ed74edd147f7fffb35cb1a0d0a267da1f993343447f47b9079013c9eec52900d1a08d2ee3ff5fa9a9aa648b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
30d02a8f053ed349b8c4a98f41b4beb1

SHA1
3a9957797f4d5e8d3d2c7cd8185abb6c3ab9b992

SHA256
e841da8669a9897bbd0e328d2a6a5073fb0ffd391b4d676d3c603c27be7ef83c

SHA512
c01aa4ad578a48f9a3270a241e0f10d9db27cd8917e0de20af00e3682cf1ea7b95b2ebab479365f663fea080b02fdd178dac475b64f4afbe402a6f82f4e661b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\luhowu.exe

Filesize
450KB

MD5
a0accc327fca03b3d03ef2f3b0affc5b

SHA1
8c95f5597c6d783ddbb95e37f6a7b011c920b233

SHA256
9c08b9a38a8dca97e8ff0ba1bcaea1d9c9cfc6f97035e182f8d46c0602740239

SHA512
10c1a0b512e1961a89f4a9212ed6b409a9a1339d050c202c45953d27c2fe4f8daf07685ed895932319abee9cbf0f318f000e5f07b4b1ba0cf331fbab4acd1bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pixyj.exe

Filesize
223KB

MD5
4655bbddfb12497623094a4dfa0ed000

SHA1
530c5b386e0abe28f437ee17f049d894da4ab483

SHA256
d438b9623c43e9c0231187be7788e9095b02976028efea02a6f55dc136048b8b

SHA512
d4fafd1504a54d60970a65ac1dbb22eddf4022e36e442376b50ac4584c8d4021f1004bf0812ac73e260c6fe7d9c767973eac20bac42e83b2663e23879ddc3fd6

Download Submit
memory/928-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1964-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1964-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3440-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3440-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4388-36-0x0000000000840000-0x00000000008E0000-memory.dmp

Filesize
640KB

Download
memory/4388-41-0x0000000000840000-0x00000000008E0000-memory.dmp

Filesize
640KB

Download
memory/4388-42-0x0000000000840000-0x00000000008E0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads