urelas | 3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731

General

Target

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
Size

537KB
MD5

d8d3f06c0e9aea69858a74a5fec62a7a
SHA1

7a041b1f9fcd3d3fdd32b16c13d3780022c76be6
SHA256

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731
SHA512

58a0794cb708db9dcd08326efdbf09175f906b03229f0bdd3411059d0d0fd057a2a2a0a4e500375fa0a8d21302fcf96726be4565b92af9e5d240a64f6d1ec3e7
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP8:q0P/k4lb2wKat8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exeajeww.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ajeww.exe

Executes dropped EXE 2 IoCs

Processes:

ajeww.exetucov.exe

pid	Process
1256	ajeww.exe
2592	tucov.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetucov.exe3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exeajeww.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tucov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajeww.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

tucov.exe

pid	Process
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe
2592	tucov.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exeajeww.exe

description	pid	Process	procid_target
PID 4964 wrote to memory of 1256	4964	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	82
PID 4964 wrote to memory of 1256	4964	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	82
PID 4964 wrote to memory of 1256	4964	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	82
PID 4964 wrote to memory of 1716	4964	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	83
PID 4964 wrote to memory of 1716	4964	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	83
PID 4964 wrote to memory of 1716	4964	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	83
PID 1256 wrote to memory of 2592	1256	ajeww.exe	94
PID 1256 wrote to memory of 2592	1256	ajeww.exe	94
PID 1256 wrote to memory of 2592	1256	ajeww.exe	94

C:\Users\Admin\AppData\Local\Temp\3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
"C:\Users\Admin\AppData\Local\Temp\3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Local\Temp\ajeww.exe
  "C:\Users\Admin\AppData\Local\Temp\ajeww.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Users\Admin\AppData\Local\Temp\tucov.exe
    "C:\Users\Admin\AppData\Local\Temp\tucov.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3647d5e7ac42a51cbda230969692b578

SHA1
69008a4017886dc9dc03e35e270c0b0a6f0d16c3

SHA256
65d2e40876acecbf4845a8918792e6b3c3ec4902bbac03e4a8b491d5e019eb9e

SHA512
4067b6a4667bf14d2f2f097a334d8c8ce25643df177d835c5b9fea64c020a225319a4402e51e5a6607665eddcbe45538bc8f558b3683d3c7675beb8b6059794f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajeww.exe

Filesize
537KB

MD5
adb8a2c9d2ff9060b749405865ff63eb

SHA1
8d924c6fce7e91dcc74f3ec0a27e6e7ad103802f

SHA256
0be4930abcc4297ba92a7a24cb758bebe2a40f43bebb1515005e4ff357c48686

SHA512
c55839a124bac1358b7965ce424dd34534bc09a29a4e9b78d8361ee99e353f84ef639a14b0eec388b90cf854269a8c19f5751f7e2ad50beabf1aeaf96daaeff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d88c7ec268f389d84a98ed997a61b8fc

SHA1
5f6a8deb06273cc67eacf55ae2d4b41ff40985b0

SHA256
7bc9dc85529f627fb5581de081ff59f94cd1caac786596d6247c54ec8031d170

SHA512
42034b98fb1177c3ab18638fc0dfcadb560c177dc5e185492ad77750fb127d77cbbe528129f1c43b60814848f37d9a5271f234ed425a419611ae1a18a19833a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tucov.exe

Filesize
236KB

MD5
8ac6d625c86c1c1260d2d4a53d99e22b

SHA1
3c0bf2bea1c55cf9651889d69e52aba133c941b3

SHA256
ad3b74a2bd87992f001bae9967da20be3f424750c7aa67357d853caa98937c50

SHA512
3ecb784505820e9a6d56f7ebd164b0a11c657560e359e85e91fbfcfd13f69ebbff7add5fa68ead701f7d037f0ff37653ff4c7312813b6fba1e084ef09f081898

Download Submit
memory/1256-11-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1256-27-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1256-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2592-28-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2592-26-0x0000000000BB0000-0x0000000000C53000-memory.dmp

Filesize
652KB

Download
memory/2592-30-0x0000000000BB0000-0x0000000000C53000-memory.dmp

Filesize
652KB

Download
memory/2592-31-0x0000000000BB0000-0x0000000000C53000-memory.dmp

Filesize
652KB

Download
memory/4964-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4964-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads