urelas | c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c

General

Target

c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
Size

597KB
MD5

8fd85ee4b09ceab66733ac13dbf09e1d
SHA1

0bf74e1ba4927b718ae922b89f149fb75236efd0
SHA256

c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c
SHA512

3ba8695775b981fe2ad4a8ee025dea547d58789213849b2b681448452b2921fe43876dfa7a2aece26aaee3aed10366761c159c1b829ffb5022c997d0fe4dc3bc
SSDEEP

6144:KzU7blKaPcbhj+bB7ktZeRnVDJm0oNjOPdInpB8:MU7MLb4BQkntwNjqdx

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cikeo.exe

Executes dropped EXE 2 IoCs

pid	Process
1176	cikeo.exe
4980	liibs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liibs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cikeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe
4980	liibs.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1176	1956	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	85
PID 1956 wrote to memory of 1176	1956	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	85
PID 1956 wrote to memory of 1176	1956	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	85
PID 1956 wrote to memory of 4084	1956	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	86
PID 1956 wrote to memory of 4084	1956	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	86
PID 1956 wrote to memory of 4084	1956	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	86
PID 1176 wrote to memory of 4980	1176	cikeo.exe	106
PID 1176 wrote to memory of 4980	1176	cikeo.exe	106
PID 1176 wrote to memory of 4980	1176	cikeo.exe	106

C:\Users\Admin\AppData\Local\Temp\c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
"C:\Users\Admin\AppData\Local\Temp\c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\cikeo.exe
  "C:\Users\Admin\AppData\Local\Temp\cikeo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Users\Admin\AppData\Local\Temp\liibs.exe
    "C:\Users\Admin\AppData\Local\Temp\liibs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b45e2f663f7f9bc2d10eb8e125539218

SHA1
01e788019befaf86df514a2b888ee8041406c745

SHA256
e29e4674cb422acbffadff5f79d7f611cd78322d03913757cea07401bcfd2405

SHA512
25d818b7fbe97c858a6aa61424e553fc5056cc9f1c22759e107a40d3d6d6b5a099e488dad6e15c5cbe11ef0750e6d3c80aaa47b99bed89e79da451a4729b96e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cikeo.exe

Filesize
597KB

MD5
bb43d4722039684b228c31387fa32afc

SHA1
b0f560cbc823b3d591362399f0db2d9b70b2dc0d

SHA256
1fa57d716b1fae25219a60df4e202d6af8adea332b3f51ea2397bae5ce9df391

SHA512
84fcfa5901b3f8f365ce153deb894817a733fba74b79f24b485f1e188695cfa4bf028723c31c3d564c3e0904aede4dae62f9106428a535a50bedde3785076ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5235f19a6e68b4cfac3732733cdf502b

SHA1
1240134754dd8edda9fb75535b2026e05cf7ab5c

SHA256
40b0a1d93f37c7b2eeccc1eae158358ab24839fa8b65fc5969c905a57d150561

SHA512
9ebf7e74d02a76a69a08335208bddb036b1d49b7694fb6281c1b9ca2bbcea267e7313295ce508e6f749defe5af60ee1980b856769dafde86781355b7cd3072c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\liibs.exe

Filesize
211KB

MD5
e76870a80ffb88d0334e722312233aa6

SHA1
beb183150fb5ade5b402338504456489814c3b29

SHA256
0f61b1df905e3201387be847f5421665183a001b3f6bcd5c7556d18e630ff108

SHA512
65dca941d53d40348defb9a98d310e062c9f8f88511816b2853286dfbdf91d957ccdbd1f2eaf37fcc9e40682f660d38889161084b1957748cbc9731655c7198d

Download Submit
memory/1176-16-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1176-27-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1956-13-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1956-0-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4980-26-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4980-25-0x00000000006C0000-0x0000000000771000-memory.dmp

Filesize
708KB

Download
memory/4980-29-0x00000000006C0000-0x0000000000771000-memory.dmp

Filesize
708KB

Download
memory/4980-30-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4980-31-0x00000000006C0000-0x0000000000771000-memory.dmp

Filesize
708KB

Download

Analysis

Sharing