urelas | 23d278aaf68acace9108d15d3ae47628810d544d4fdd7a3e6808efd927e37a1d

General

Target

23d278aaf68acace9108d15d3ae47628810d544d4fdd7a3e6808efd927e37a1d.exe
Size

404KB
MD5

984678a2778ad4da6b797e68b64f1571
SHA1

572ab643708abc1ccdcc76f07d7ccae243015fb3
SHA256

23d278aaf68acace9108d15d3ae47628810d544d4fdd7a3e6808efd927e37a1d
SHA512

f287f6b79f176884745cd1e3f28fb2d8284d9bf7b05ecfdd212e00def7fbd4baa6de51c654496d01b2d742c2acc3ad922842581c51d2fdb2f92d397be40346db
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohQ:8IfBoDWoyFblU6hAJQnOS

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	23d278aaf68acace9108d15d3ae47628810d544d4fdd7a3e6808efd927e37a1d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	riwuy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	yvwugo.exe

Executes dropped EXE 3 IoCs

pid	Process
3512	riwuy.exe
2068	yvwugo.exe
2900	sokya.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvwugo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sokya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23d278aaf68acace9108d15d3ae47628810d544d4fdd7a3e6808efd927e37a1d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	riwuy.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe
2900	sokya.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 3512	872	23d278aaf68acace9108d15d3ae47628810d544d4fdd7a3e6808efd927e37a1d.exe	85
PID 872 wrote to memory of 3512	872	23d278aaf68acace9108d15d3ae47628810d544d4fdd7a3e6808efd927e37a1d.exe	85
PID 872 wrote to memory of 3512	872	23d278aaf68acace9108d15d3ae47628810d544d4fdd7a3e6808efd927e37a1d.exe	85
PID 872 wrote to memory of 4720	872	23d278aaf68acace9108d15d3ae47628810d544d4fdd7a3e6808efd927e37a1d.exe	86
PID 872 wrote to memory of 4720	872	23d278aaf68acace9108d15d3ae47628810d544d4fdd7a3e6808efd927e37a1d.exe	86
PID 872 wrote to memory of 4720	872	23d278aaf68acace9108d15d3ae47628810d544d4fdd7a3e6808efd927e37a1d.exe	86
PID 3512 wrote to memory of 2068	3512	riwuy.exe	88
PID 3512 wrote to memory of 2068	3512	riwuy.exe	88
PID 3512 wrote to memory of 2068	3512	riwuy.exe	88
PID 2068 wrote to memory of 2900	2068	yvwugo.exe	106
PID 2068 wrote to memory of 2900	2068	yvwugo.exe	106
PID 2068 wrote to memory of 2900	2068	yvwugo.exe	106
PID 2068 wrote to memory of 4424	2068	yvwugo.exe	107
PID 2068 wrote to memory of 4424	2068	yvwugo.exe	107
PID 2068 wrote to memory of 4424	2068	yvwugo.exe	107

C:\Users\Admin\AppData\Local\Temp\23d278aaf68acace9108d15d3ae47628810d544d4fdd7a3e6808efd927e37a1d.exe
"C:\Users\Admin\AppData\Local\Temp\23d278aaf68acace9108d15d3ae47628810d544d4fdd7a3e6808efd927e37a1d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\riwuy.exe
  "C:\Users\Admin\AppData\Local\Temp\riwuy.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Users\Admin\AppData\Local\Temp\yvwugo.exe
    "C:\Users\Admin\AppData\Local\Temp\yvwugo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\sokya.exe
      "C:\Users\Admin\AppData\Local\Temp\sokya.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
09b7ead0ed7c87d21d3aa3e5a455268e

SHA1
27031da15b4d60147c6291a104a1d756ddbb34cc

SHA256
ed092e866538c302d7d5c423374589b319401a788ebe4530c015f6ea9b901b5c

SHA512
08325d304c89353c8ff25a2c1fac967e7301d484c51e5e4cbd6c2fcbd7cdb42bd3b603b9344f83728eb9a875f358f19648324af041a0ef1ed0d90538688c41b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
7115b88dec00990180e209c717163f7f

SHA1
5e7d95054d462d5fe5fdccc55ca94a97571d7d74

SHA256
00396c0888fbdc8f66428b94cf4eb4ffec46dc35a959f114cf2921b4ad3d14af

SHA512
14ae0df122f55055c53c45960f5035061de8e5f044b6bd1a477cfd063f88dc76c5f84c325469a57711a518fc50abb92cbfc39739e40544a99f89bd6b29fd1c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
01d3e815a4298e3127dea94d4a85760c

SHA1
e410264b6e7417cc4003f91c364efb774bbff28d

SHA256
1ebb7b8dbe0eb0c01f15c99a19b52ce30a570375af938018a89696cd0d33a0fa

SHA512
75ee5c4c1718ef43f1d1804b0c846d88ba191d8b9bee3e243341c369d5f2ae73acf8494ce3c12038ab5005ded8657433595bbb661f91b5682d599bfd9ed7c0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\riwuy.exe

Filesize
404KB

MD5
aed222f4b135126e636de960241c47c9

SHA1
42d437a7e9773464800e8cfb69a206157b30def2

SHA256
29820fadd7747a8bd3c2acc00f9cc9b737658b50c951e92f87cd0fcd4fa0f5f2

SHA512
359434455250be09e2d203c2cd8c3fff478380ccf04b22422197369dbda6a4ece22be4b1f1785c78d540bcb3d975c4c39b23130c364ab8d9c6a306fa0748409e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sokya.exe

Filesize
223KB

MD5
55ecd1c7461109d430a88082852b4df1

SHA1
514aefedc1779fb78ac08fa966818bb4023e4deb

SHA256
8e76ff48c2cc7fd7787cb1b6ce7e2e9992c3ab36927473dad78f028e18b0a4c7

SHA512
e733b6a6808664a5eef0ae9ee7a2bd2c8928bdb28f6b427cc7b6ca205e9fbd20e825e9702dfd805cd02e109e642f2254e0378ab54dfc6ae51cff785e910c3cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvwugo.exe

Filesize
404KB

MD5
01f2f99393e9aefab3396c36cd76e58b

SHA1
76004d034bbd973b70e7758bf9b580e0f445e8ed

SHA256
be6420847bcfee2134ee5e2f8321cfa1dc62d7b6e2fb0d195427b01a98b3e59a

SHA512
c6403b93a73589643ea7d5fdd1e071c53a3752513dffbe02701054e182a4d73b1d0c8d2aad8b08ba6f6832267a7e8b3888d1b5e2efeeaceef804de117c5e8a35

Download Submit
memory/872-14-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/872-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2068-26-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2068-24-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2068-39-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2900-37-0x0000000000C80000-0x0000000000D20000-memory.dmp

Filesize
640KB

Download
memory/2900-42-0x0000000000C80000-0x0000000000D20000-memory.dmp

Filesize
640KB

Download
memory/2900-43-0x0000000000C80000-0x0000000000D20000-memory.dmp

Filesize
640KB

Download
memory/3512-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download

Analysis

Sharing