urelas | b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947

General

Target

b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe
Size

546KB
MD5

b3b4c5ef066d864835569193e4962ae0
SHA1

195006e7f4633c904ae7a39b4ac04416ff20ea34
SHA256

b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947
SHA512

7ebd44fd19ba04d7ff935e2e5a37800cdc3126d87d0e32240ed9e04220ec87f00b7cbb6bfe590d4475f3c5d8b17f9475955362b2aba82b0fcefc529860da6f69
SSDEEP

6144:u2Kw7lwFXUEeJi2xVCVxfwY+0QSyvmZ3INALzT1uj65CT1i6iSyYQM0JiS83G48q:u+GtVfjTQSaoINAHT1VQ1i3SyQEW85gT

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.execezef.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cezef.exe

Executes dropped EXE 2 IoCs

Processes:

cezef.exeelgev.exe

pid	Process
4796	cezef.exe
2164	elgev.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1056	2164	WerFault.exe	103
1524	2164	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeelgev.exeb585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.execezef.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elgev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cezef.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.execezef.exe

description	pid	Process	procid_target
PID 4376 wrote to memory of 4796	4376	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	83
PID 4376 wrote to memory of 4796	4376	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	83
PID 4376 wrote to memory of 4796	4376	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	83
PID 4376 wrote to memory of 1076	4376	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	84
PID 4376 wrote to memory of 1076	4376	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	84
PID 4376 wrote to memory of 1076	4376	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	84
PID 4796 wrote to memory of 2164	4796	cezef.exe	103
PID 4796 wrote to memory of 2164	4796	cezef.exe	103
PID 4796 wrote to memory of 2164	4796	cezef.exe	103

C:\Users\Admin\AppData\Local\Temp\b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe
"C:\Users\Admin\AppData\Local\Temp\b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Local\Temp\cezef.exe
  "C:\Users\Admin\AppData\Local\Temp\cezef.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\elgev.exe
    "C:\Users\Admin\AppData\Local\Temp\elgev.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 216
      4⤵
      Program crash
      PID:1056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 260
      4⤵
      Program crash
      PID:1524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2164 -ip 2164
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2164 -ip 2164
1⤵
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
dd7c8785f51046f83436243e0a873117

SHA1
c3e08b6fccf9cfec64a010daeb9e96c814dd01e2

SHA256
d9c0d798502cc36ff171743b250f65082e9e23e939b48006c5478e3ff362a5c8

SHA512
f8a80c63ad526eae7f0424db2439a88901f2aa8bfbcdf4a06bff4ff56c6dafcdaaf12a1524dee5d2885fd6b39f0ea2096789c4455cefc9e212e6833eb112dfa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cezef.exe

Filesize
546KB

MD5
54cebf647ad2ea7ad90eca810a389429

SHA1
a726164a9c7b1aed41b3fcb00dcaedb6fd3acf4d

SHA256
315a1679961436104100763988dd854635b784d0ffe16684e3f5f1708a24268d

SHA512
8ac0b7a0e0847db09da01da85a2f2aa63ab9019e8ebef0ba36542f808babfed95c7c369cceb1ba460e543b4b52b4c2e47ba518daf9602a0b09634bfb8e38a7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\elgev.exe

Filesize
231KB

MD5
98054a39c2913101379df9623acfe252

SHA1
ac9c1e568ce07840ee5c6309d17c9fb0892e6747

SHA256
501d535d8d0a8cedfc1c17887925d2111619b4a682825769f8f4a27d282d7f7a

SHA512
84cd3e6cac897e67719f4b5af3a473cbd333f815ca874b354cf3d9d9556f83335b116cdf1aab33422eefd92e70aa4d118d1cfeabc79a9fb1449a238bd733b7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
79c494ecddc9cf5faccb4855aa965548

SHA1
3551b7cd42b33a83272c1fea3bda2f2ecf017410

SHA256
db3b4e2c71e2f6ba47d78e37a1c19ac2094c5255f058dc5627e1e3ae8cbfa935

SHA512
456bc0c9ad67636634294ab58de17fe186ca989356c60873f43394b1b3dd719fd12732da63e527d9f87024b68380ae33939734223771ab00305c407197146ea4

Download Submit
memory/2164-26-0x0000000000210000-0x00000000002C3000-memory.dmp

Filesize
716KB

Download
memory/4376-0-0x0000000000530000-0x00000000005BF000-memory.dmp

Filesize
572KB

Download
memory/4376-14-0x0000000000530000-0x00000000005BF000-memory.dmp

Filesize
572KB

Download
memory/4796-10-0x0000000000C80000-0x0000000000D0F000-memory.dmp

Filesize
572KB

Download
memory/4796-17-0x0000000000C80000-0x0000000000D0F000-memory.dmp

Filesize
572KB

Download
memory/4796-27-0x0000000000C80000-0x0000000000D0F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads