urelas | 07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca

General

Target

07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe
Size

330KB
MD5

0287a47c2cd95341f1ab1b29438eac59
SHA1

228e48db10142555d09e612015cc860603df4aed
SHA256

07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca
SHA512

c3e45428955053a8529237f908b711cc2ece3487f284ea92824036ce1080f2071447829040dfae389e6ccf15deddf220ba92998ec60ad95370c33562c567dbdb
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOF+:vHW138/iXWlK885rKlGSekcj66ciq+

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cazip.exe

Executes dropped EXE 2 IoCs

pid	Process
4132	cazip.exe
1784	wolit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wolit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cazip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe
1784	wolit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4132	4836	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	83
PID 4836 wrote to memory of 4132	4836	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	83
PID 4836 wrote to memory of 4132	4836	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	83
PID 4836 wrote to memory of 5072	4836	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	84
PID 4836 wrote to memory of 5072	4836	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	84
PID 4836 wrote to memory of 5072	4836	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	84
PID 4132 wrote to memory of 1784	4132	cazip.exe	103
PID 4132 wrote to memory of 1784	4132	cazip.exe	103
PID 4132 wrote to memory of 1784	4132	cazip.exe	103

C:\Users\Admin\AppData\Local\Temp\07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe
"C:\Users\Admin\AppData\Local\Temp\07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\cazip.exe
  "C:\Users\Admin\AppData\Local\Temp\cazip.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Users\Admin\AppData\Local\Temp\wolit.exe
    "C:\Users\Admin\AppData\Local\Temp\wolit.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
771fa4d03ae459e185d1571c142745bd

SHA1
b767e9597db7cf75b4d012762fbd9f53d99bf862

SHA256
417291890d62c7ae0804026988b90379fdc1c5d05c8d04bafe89a2b32dfd4c30

SHA512
3865ff0477f1d8679fa0e71ae76ff31a9512e23b10513bd0cc58bb58d81d60a1c1c35c26aa68673a74b0fd76052fdf797935bfd30f8f9590a83adc82e42f475c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cazip.exe

Filesize
330KB

MD5
8ffb2baf5e72897b3a5d413c034accc0

SHA1
39fbd0008d505520d37fb58abc942db2e7b83d3e

SHA256
ab9e94d4a5e3521af16be84b98bafb17bbf7b956aad88d304e36d57a1c4c76c7

SHA512
7386dbef6d8c010f26dc93f40acf8f22889234b576f9a8a4082eb9dc7078235b955e1aef733586869c93ac5dc1aae6e137a632f475abf812da473484ca1926d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8af158654753f3c91b49b74b4a2f5b86

SHA1
0d19b3aa7dd4069ecf6103e6c8d4a328deaab8f6

SHA256
99bf7e8231d2c2db9ad689192e1f0f524bebba70539ad424465fbb33bbb37b9a

SHA512
ae6dd51d0b7ef68c1abc3ccd79533a08fcdc20db6b14f08230f9de82d65dfa03aecf9eed1d9168a617a0861efafff15ea29d072a8e67986cec2ae9bf8a43bbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\wolit.exe

Filesize
172KB

MD5
793fd1a60767ba3d0004bad42a81078f

SHA1
decb435c97038795746c53ed731f644228213c77

SHA256
5a486bf55e42ce969f8369c94fcd59bc420279203f433027eb4c4065b9edf5dd

SHA512
ce51c4cb6d111401b693754bfda51441bc4fa29436a26026eee7be9b8a236aa0d37f8b6795ee6fce68998ecf444fdb46355c5266364fff54036f79a39b22e4cd

Download Submit
memory/1784-46-0x0000000000B40000-0x0000000000BD9000-memory.dmp

Filesize
612KB

Download
memory/1784-45-0x0000000000B40000-0x0000000000BD9000-memory.dmp

Filesize
612KB

Download
memory/1784-42-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/1784-43-0x0000000000B40000-0x0000000000BD9000-memory.dmp

Filesize
612KB

Download
memory/1784-39-0x0000000000B40000-0x0000000000BD9000-memory.dmp

Filesize
612KB

Download
memory/4132-14-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4132-20-0x00000000005F0000-0x0000000000671000-memory.dmp

Filesize
516KB

Download
memory/4132-38-0x00000000005F0000-0x0000000000671000-memory.dmp

Filesize
516KB

Download
memory/4132-10-0x00000000005F0000-0x0000000000671000-memory.dmp

Filesize
516KB

Download
memory/4836-17-0x0000000000750000-0x00000000007D1000-memory.dmp

Filesize
516KB

Download
memory/4836-0-0x0000000000750000-0x00000000007D1000-memory.dmp

Filesize
516KB

Download
memory/4836-1-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing