urelas | 99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a

General

Target

99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe
Size

620KB
MD5

65d35b2b7a3f133701ff00a1e76afb42
SHA1

ec13f2169dcdfbb314a5310ae662b3581e725ad9
SHA256

99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a
SHA512

3de79931df7ce7837ee94333eba2ac58dac762c8dc5b9a04260a829178580c7213a57017a6a1d8fcb2f338db4337d1d6a6ee13bbedaf8d0111a48008ec34cadc
SSDEEP

6144:imbmLppYOuakYGWV5Q4XMxvQ4x1OpGcm9VQl0lM/oJ4/gupXWyKvt:ima6idv8zzkGHVqoq/gKW9

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exesoloa.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	soloa.exe

Executes dropped EXE 2 IoCs

Processes:

soloa.exerubix.exe

pid	Process
1152	soloa.exe
3376	rubix.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exesoloa.execmd.exerubix.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soloa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rubix.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

rubix.exe

pid	Process
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe
3376	rubix.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exesoloa.exe

description	pid	Process	procid_target
PID 4276 wrote to memory of 1152	4276	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe	85
PID 4276 wrote to memory of 1152	4276	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe	85
PID 4276 wrote to memory of 1152	4276	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe	85
PID 4276 wrote to memory of 4452	4276	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe	86
PID 4276 wrote to memory of 4452	4276	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe	86
PID 4276 wrote to memory of 4452	4276	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe	86
PID 1152 wrote to memory of 3376	1152	soloa.exe	95
PID 1152 wrote to memory of 3376	1152	soloa.exe	95
PID 1152 wrote to memory of 3376	1152	soloa.exe	95

C:\Users\Admin\AppData\Local\Temp\99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe
"C:\Users\Admin\AppData\Local\Temp\99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Users\Admin\AppData\Local\Temp\soloa.exe
  "C:\Users\Admin\AppData\Local\Temp\soloa.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\rubix.exe
    "C:\Users\Admin\AppData\Local\Temp\rubix.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
856bbb6c21940c7bf810249bb185b531

SHA1
8fa05569b483d0840d96d9cb299c1ba567943bd4

SHA256
dece50b9d42a904b715f2a4a76cc93cd97ec16070be9ce1777c220bc391e38f1

SHA512
64ebd86b032913eea99c4e9ad98c4a835a4d3ef5724904cb742eb070b34e669b741ab26a377433aaaa5989236c2c0ab3e48682655b778c9ab5b3036d3275bf84

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
585f2d450697ac8e491643279b561f6d

SHA1
4efb24acfd04f319ffd7df34e4c7f29f5adbe1d5

SHA256
05f86736703ff452d0cd6a9f719bbbf9a3d1e0d4e850725c3423eaa260a5f0af

SHA512
7e8e7a8eef57ac95a92b7798d4e9c3a5639e0a0ea0347d0b38db47c387b5e800f307b786fee518c0320f4faf38bb5e05d8bdddb35ede571a07477227206a117e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rubix.exe

Filesize
203KB

MD5
9d48e3e7fe26949ce44a1ac45173cb07

SHA1
580b053dbf84e3af46337f878b95536c9aef9c57

SHA256
9439aa7cca5dfe86e67e6b65f5c48908529eb84dad8fa77b1055d2377be29eb3

SHA512
9aa091c7e10f35c09dc1568241d4386bbdc71c7baece6fc8799d5ddbef5fc8b6f143d1a9cf49486bf4a6993e39d4490fda9a012074fdec1e8cc8ba813a67b459

Download Submit
C:\Users\Admin\AppData\Local\Temp\soloa.exe

Filesize
620KB

MD5
ffc98bda078e9c685614b583875e181b

SHA1
b1bca9fc88c683187e6d295a4076f7301cc8ddd7

SHA256
18cc0f0eea43719d67fcb1ba3592b5f6078702e57e39440afadfb542a9d225f6

SHA512
511a3f9a1eb098c079b7c081caa6d415c9c9fa11325b3b6d1b0ba6f26177612e2add0fda0c3338975b8caed81da12ce0a14929ab2328d4dc860109db7c05217b

Download Submit
memory/1152-16-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1152-26-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3376-25-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3376-27-0x0000000000492000-0x0000000000493000-memory.dmp

Filesize
4KB

Download
memory/3376-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3376-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3376-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4276-13-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4276-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads