urelas | 6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917

General

Target

6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe
Size

537KB
MD5

19da4be68c766a22e7e2a3bbbd408176
SHA1

f7c6da09241d7b456a90a605e992d2b9ee8ce809
SHA256

6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917
SHA512

0191cc54def6eab7f2d0afd80cf4706bde7e3c28ead0e5c4ad764e27b44954565e8809419f02d6b6c65e1d29afbbd2c832269801f57faefcbd79db5f1206ae8b
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPt:q0P/k4lb2wKatt

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exebowuw.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	bowuw.exe

Executes dropped EXE 2 IoCs

Processes:

bowuw.exeqohuy.exe

pid	Process
1772	bowuw.exe
3012	qohuy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exebowuw.execmd.exeqohuy.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bowuw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qohuy.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

qohuy.exe

pid	Process
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe
3012	qohuy.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exebowuw.exe

description	pid	Process	procid_target
PID 1608 wrote to memory of 1772	1608	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe	83
PID 1608 wrote to memory of 1772	1608	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe	83
PID 1608 wrote to memory of 1772	1608	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe	83
PID 1608 wrote to memory of 220	1608	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe	84
PID 1608 wrote to memory of 220	1608	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe	84
PID 1608 wrote to memory of 220	1608	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe	84
PID 1772 wrote to memory of 3012	1772	bowuw.exe	101
PID 1772 wrote to memory of 3012	1772	bowuw.exe	101
PID 1772 wrote to memory of 3012	1772	bowuw.exe	101

C:\Users\Admin\AppData\Local\Temp\6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe
"C:\Users\Admin\AppData\Local\Temp\6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\bowuw.exe
  "C:\Users\Admin\AppData\Local\Temp\bowuw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\qohuy.exe
    "C:\Users\Admin\AppData\Local\Temp\qohuy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
7344ad83ddb78044aa86aedb03cbbcba

SHA1
5bdd6d2bcf153c607408f54fc3cae4a60faea231

SHA256
8f5df0c8bfc4473ecf7718d4784bdd7c5e1c47b9803779781f49a877bfe5b683

SHA512
2c73fa30e537a12dd1287a347a9b8dc0862aab4876400f3a55c48a2438992d1e370ed866d0211c768e8fbdc2b0e63ed1c02129324200eda7457b4070fd336d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\bowuw.exe

Filesize
537KB

MD5
9912b4bf58b6064ae6758a395da1fa62

SHA1
8b564cee6c0bc6a7ff8f2756c5b6d15a5ce02ca6

SHA256
7657ca25b877430c47d1326e16a21a1cc0981254a41eb5d89953c03ce749e327

SHA512
f5bed49c2ce4b45e5f347a66b18b4817bd44847d6fba728f4157529db04b49ec18f05437a6e6cb4d1937725aa13fc36a3ad9ac63ddafee2f2d4b34b083c201ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
001d658008b159c750f6536e468451c0

SHA1
95ce74699754fc0d85a718133190108b7dd1cafa

SHA256
106a9042dc4290e27a00dfbeede2dfcedfbbf720f85dd10aebdb9e7c9e839c9b

SHA512
7737f9b540264491bd7af7322e340196e996e47b524d5b403ec3fe59893e2e5850802f9abe52bf9f89688ce62e4e08adc978414880e04d78e0420fe7c9ea5078

Download Submit
C:\Users\Admin\AppData\Local\Temp\qohuy.exe

Filesize
236KB

MD5
6b875344bb8cb25528280946fc08d04c

SHA1
eadd84f5d4bbf427f7173c8e079e31b954432634

SHA256
e9c23fe3aea38b3c21e5cf238737ca3d18ed698e2bd07fdac9ad2490c96c2bb0

SHA512
541a3266029754f085b0d0c36d15b213d19da0b01d6d1a9be29f3507c6698cc498f76c60011f2656791f984d42a0208abbd00e612b516049756c5ff6cc63eeaf

Download Submit
memory/1608-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1608-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1772-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1772-26-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3012-25-0x00000000003E0000-0x0000000000483000-memory.dmp

Filesize
652KB

Download
memory/3012-27-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/3012-29-0x00000000003E0000-0x0000000000483000-memory.dmp

Filesize
652KB

Download
memory/3012-30-0x00000000003E0000-0x0000000000483000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads