urelas | cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8

General

Target

cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe
Size

404KB
MD5

abe0b89899d9cc0a84ab562966c4b514
SHA1

c166ac96ccd31af9314b4cf22dc87800c3ad3481
SHA256

cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8
SHA512

b2097b97164eb3a06ac43e0881a7c89949fa55b029e734fd2cdff36acacb17219ed9787c21fb7f26a842afebabfbc4a1b8317b1fb45e5b8a5484dbac0739631f
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohO:8IfBoDWoyFblU6hAJQnOU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	uhxywu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	poudd.exe

Executes dropped EXE 3 IoCs

pid	Process
3552	poudd.exe
1700	uhxywu.exe
1880	ekcod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uhxywu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ekcod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poudd.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe
1880	ekcod.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 3552	2228	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe	82
PID 2228 wrote to memory of 3552	2228	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe	82
PID 2228 wrote to memory of 3552	2228	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe	82
PID 2228 wrote to memory of 1256	2228	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe	83
PID 2228 wrote to memory of 1256	2228	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe	83
PID 2228 wrote to memory of 1256	2228	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe	83
PID 3552 wrote to memory of 1700	3552	poudd.exe	85
PID 3552 wrote to memory of 1700	3552	poudd.exe	85
PID 3552 wrote to memory of 1700	3552	poudd.exe	85
PID 1700 wrote to memory of 1880	1700	uhxywu.exe	95
PID 1700 wrote to memory of 1880	1700	uhxywu.exe	95
PID 1700 wrote to memory of 1880	1700	uhxywu.exe	95
PID 1700 wrote to memory of 4740	1700	uhxywu.exe	96
PID 1700 wrote to memory of 4740	1700	uhxywu.exe	96
PID 1700 wrote to memory of 4740	1700	uhxywu.exe	96

C:\Users\Admin\AppData\Local\Temp\cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe
"C:\Users\Admin\AppData\Local\Temp\cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\poudd.exe
  "C:\Users\Admin\AppData\Local\Temp\poudd.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\uhxywu.exe
    "C:\Users\Admin\AppData\Local\Temp\uhxywu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\ekcod.exe
      "C:\Users\Admin\AppData\Local\Temp\ekcod.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
5434c6916c3369e532eb381e70b6e71e

SHA1
1a029191621ec82ec9f488bb2f0b2ab9d0f38964

SHA256
dc9ebdaf91e6bbeeabfea3ecc21500bba94b08094b1b6a17173436bd5267548a

SHA512
3f5cdfefbc7ce185e543d445410170ce33f8fba4898a79d05105857ad65bf22b1d1fb1e61f1336ac2b109e10e515c1c08db731d9489f0e1b588d770d3844b0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
1b46df8decd496516a36a3b0b4775cf5

SHA1
d9e1cb1123ae97fe0b2cdb5864fbdee80ba31122

SHA256
08be487b3099437b87492c6386b26c1408962876512f894c3c2563d2bf117f62

SHA512
5bb7e452601f527cabf6cef8da9e8ba12c7647b5735fbaa12fdf977dd4801acf20dd6aacc6bebbcd189d2cd2a1a21a0f4c9121be00158fe00f3b0479e5c534de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekcod.exe

Filesize
223KB

MD5
8587a3517d2770f7b02a04e14a528d77

SHA1
e9e4f98a3fb380df383e41661fa9075b5bbaa51b

SHA256
46b4b8855b6af934f5389171e4a7ffbe598a39a48d370f913a4e75df0e3f1a44

SHA512
76b51fa9421af193bc6443d1e48bd5f6fbf31a2665d8973037ae2f56463dd6f64a744058044d3a6ff76c0fb0f71263b3298ed160c917df84d43c5eb0536c0ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
63a531c746aa366b79f14c560e458f34

SHA1
6d4bfdf359e133a578c032c29a448701e77dbd8d

SHA256
05c24e42acf21d6a5d064808d45dc696cb92213e70081eb06e0fa520bacf4fa3

SHA512
8d402c18ce72081c6aec785e3bae7701cc3100e8b7979e227c92de43044c0cee611175c345daf3fff4e2c8c26e55108e366784c7e261aeabbfd8b55ca2dcf5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\poudd.exe

Filesize
404KB

MD5
7b66ec30a3081a3da8a9531bfe903512

SHA1
d7327fcc84a4c2bb0a17b31561046b36fb4f5a4e

SHA256
ecefc474dd42a1699947c5afcbc7ae0ccf73f8a821907a500b1f7bfb5d09e486

SHA512
7572393fb51d52cf2664924e82241d88e567ccb6761bf51fd775e30fb35a94cf6fec7783c269655292d198c8db7e9dc4c651cd09ad537f2e30870ff912bbdce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhxywu.exe

Filesize
404KB

MD5
6fb1f572264437b5a3749a559b9355f0

SHA1
96ea9db16ab588a272712860dfc63db063731545

SHA256
69727782a213b999def068ae2e0cc8ecfd85e34c2d1a8149a1ae06bff95de9f2

SHA512
ebceb5730faa2e7e9bcd800233fc796b9f4a05bdf4160fd8f9bcb2c09ca8bda6da47460f07e756187d7e1f8573df4ab9ac74a16423de1b01dcedbb65c444d458

Download Submit
memory/1700-26-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1700-40-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1880-37-0x0000000000F50000-0x0000000000FF0000-memory.dmp

Filesize
640KB

Download
memory/1880-42-0x0000000000F50000-0x0000000000FF0000-memory.dmp

Filesize
640KB

Download
memory/1880-43-0x0000000000F50000-0x0000000000FF0000-memory.dmp

Filesize
640KB

Download
memory/2228-15-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2228-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3552-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3552-14-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download

Analysis

Sharing