urelas | 177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9

General

Target

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
Size

553KB
MD5

d6c7c30a81e11dc1c86a310a1ae80961
SHA1

7c363777198b30a0f8e90df768f51396eb3d78a1
SHA256

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9
SHA512

d85a4cef7b216f99e0da92b8b147659ec18e3e5ae17dcb4014aca1d599464e44bc0ca7d78bc2ac3f7f345e2270416f7a35693aa325df50690275924b2f7b2caf
SSDEEP

12288:++GtVfjTQSaoINAHT1VQ1i3SyQEW85gzlee:+rt4/NArwjs5olB

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exegemuw.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	gemuw.exe

Executes dropped EXE 2 IoCs

Processes:

gemuw.exeugcur.exe

pid	Process
4268	gemuw.exe
3488	ugcur.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4516	3488	WerFault.exe	94
4716	3488	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeugcur.exe177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exegemuw.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ugcur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gemuw.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exegemuw.exe

description	pid	Process	procid_target
PID 2524 wrote to memory of 4268	2524	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	84
PID 2524 wrote to memory of 4268	2524	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	84
PID 2524 wrote to memory of 4268	2524	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	84
PID 2524 wrote to memory of 404	2524	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	85
PID 2524 wrote to memory of 404	2524	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	85
PID 2524 wrote to memory of 404	2524	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	85
PID 4268 wrote to memory of 3488	4268	gemuw.exe	94
PID 4268 wrote to memory of 3488	4268	gemuw.exe	94
PID 4268 wrote to memory of 3488	4268	gemuw.exe	94

C:\Users\Admin\AppData\Local\Temp\177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
"C:\Users\Admin\AppData\Local\Temp\177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\gemuw.exe
  "C:\Users\Admin\AppData\Local\Temp\gemuw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Users\Admin\AppData\Local\Temp\ugcur.exe
    "C:\Users\Admin\AppData\Local\Temp\ugcur.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3488
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 216
      4⤵
      Program crash
      PID:4516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 224
      4⤵
      Program crash
      PID:4716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3488 -ip 3488
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3488 -ip 3488
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
0f8b90ae5876106b0173d2f6bb3c96c3

SHA1
44ae65b3871372c78bc3a6ac75e146a2e010026b

SHA256
e342bf119c88732bbedd6943e31f01255614c34f20079e5958da30a96e802910

SHA512
ebcc4af2c96e6c919594316d1317e3b2cd471774f030bd645ada4d8a3c6010a36b582df29c4e8b83a39ffd779373ac8411931c77931052ddcfa9e0b5f5bdebf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gemuw.exe

Filesize
553KB

MD5
5d798213df78c0b70dd048d5d03f174e

SHA1
e18dcf5fb8ba4ba2257ecc83cd16cb23057bc673

SHA256
ad785520ecbee7420f3ab73af5365e097808702b1864190431d131c189923e6c

SHA512
ce201d8e00292203dfdca73f31823c15ccb93b4d39d9d32c2289c03cffea34a6d6e35b86e904c39a6d0366d28664ff67c53d6b0764c66fdbb048ecf1f41e3ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
057de64bd1c4ca74f42757cf5a924e5c

SHA1
b043db402455fdb21b3e45be4690660e4cfcdb27

SHA256
c58e7bc9fde13920300c08903095f190651430f9f927a891fbb45b462af8162c

SHA512
6e2e229b596d6f3cf83cdf467e909ba7fb24b0d320766c96c6f5509d7325deb08e36b3c29f81286e22abe32f941ea2a2a72ace62924cee7696dc1c3a400683cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugcur.exe

Filesize
231KB

MD5
dceb31a500f3acc1af5534625df6003b

SHA1
46ad6af2d2bce7e1fda30b8667a45f349e2c1a2d

SHA256
6b1a8b863d252e78215f55f2b4fdf86a6c05d74fff295582f4f64e86671b68ac

SHA512
8cb5dcc89bcedb8d0eb5c7a89b503a1f212a0dd9f1a33931f1d0e4fb131f2bad08192909b920ddec2336a978114d69a999ee53fe3d12eef2f1f9ff3a0e5f129e

Download Submit
memory/2524-0-0x0000000000330000-0x00000000003BF000-memory.dmp

Filesize
572KB

Download
memory/2524-14-0x0000000000330000-0x00000000003BF000-memory.dmp

Filesize
572KB

Download
memory/3488-25-0x0000000000C00000-0x0000000000CB3000-memory.dmp

Filesize
716KB

Download
memory/3488-28-0x0000000000C00000-0x0000000000CB3000-memory.dmp

Filesize
716KB

Download
memory/4268-10-0x0000000000640000-0x00000000006CF000-memory.dmp

Filesize
572KB

Download
memory/4268-17-0x0000000000640000-0x00000000006CF000-memory.dmp

Filesize
572KB

Download
memory/4268-27-0x0000000000640000-0x00000000006CF000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads