urelas | 910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b

General

Target

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
Size

692KB
MD5

b53e591f1b41aab36a05fd560ec491ce
SHA1

683d8ce3f61a8b13f2b6803e8060d3708c6a61bd
SHA256

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b
SHA512

e3b9e38b6409080b15bff22a1db0db9e1bc2a1aaee006e755add83b9a32d54d1b4340e423917bef1ae244f08223f2127faabaf65e923173f339783674f4cadc2
SSDEEP

12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nr0:dVh6gl6Iy8R9+ZdnnP94jpgl9Bnr0

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exeehkea.exenogohu.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ehkea.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	nogohu.exe

Executes dropped EXE 3 IoCs

Processes:

ehkea.exenogohu.exegiveu.exe

pid	Process
4356	ehkea.exe
3984	nogohu.exe
4492	giveu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

giveu.execmd.exe910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exeehkea.execmd.exenogohu.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	giveu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ehkea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nogohu.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

giveu.exe

pid	Process
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe
4492	giveu.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exeehkea.exenogohu.exe

description	pid	Process	procid_target
PID 3204 wrote to memory of 4356	3204	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	83
PID 3204 wrote to memory of 4356	3204	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	83
PID 3204 wrote to memory of 4356	3204	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	83
PID 3204 wrote to memory of 2304	3204	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	84
PID 3204 wrote to memory of 2304	3204	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	84
PID 3204 wrote to memory of 2304	3204	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	84
PID 4356 wrote to memory of 3984	4356	ehkea.exe	86
PID 4356 wrote to memory of 3984	4356	ehkea.exe	86
PID 4356 wrote to memory of 3984	4356	ehkea.exe	86
PID 3984 wrote to memory of 4492	3984	nogohu.exe	103
PID 3984 wrote to memory of 4492	3984	nogohu.exe	103
PID 3984 wrote to memory of 4492	3984	nogohu.exe	103
PID 3984 wrote to memory of 3564	3984	nogohu.exe	104
PID 3984 wrote to memory of 3564	3984	nogohu.exe	104
PID 3984 wrote to memory of 3564	3984	nogohu.exe	104

C:\Users\Admin\AppData\Local\Temp\910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
"C:\Users\Admin\AppData\Local\Temp\910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\AppData\Local\Temp\ehkea.exe
  "C:\Users\Admin\AppData\Local\Temp\ehkea.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Users\Admin\AppData\Local\Temp\nogohu.exe
    "C:\Users\Admin\AppData\Local\Temp\nogohu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Users\Admin\AppData\Local\Temp\giveu.exe
      "C:\Users\Admin\AppData\Local\Temp\giveu.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
723c83cfffb7a31aa1c38457b1c18abf

SHA1
82afadd5b93b523629e7bcc67e35530d1941446c

SHA256
2dc1b15081af3bd8b3aeb69a1696185b329cbdf0fe94fba7193a55ad47d36a22

SHA512
aac2358230471783c42aeeed0cbac2a097732d0b13a798cb83ed73e1f69d3abc8fba4fcb0e69d53b3b3e442ff167cfbdc50704b93b93460613c227f7813d9505

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
fc0c687e429f4e6ce0ff0707d753537c

SHA1
4db0d027fb00de586a8b9205fd36b81606f72d72

SHA256
417eda1fe2c91f5595bf8898777a7efdfe37dea6844397af6a2c9a19f4396292

SHA512
ab460c48858fe0428923f0a696a36b12cd39a012e0e8d9ae97798a4ae5f1b601f1e982f48deac62eaf2f0a20f9d658b8e5ad68d0ba1a6ec72bce6ad12bb3cfcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehkea.exe

Filesize
692KB

MD5
c5839acf121c2185ebdf1d9c2d144844

SHA1
cac05c49456c6a77995361f59451d32ccd7c2f03

SHA256
30b91f5bd827bfe71ae0141c1e67f1ed48fc79547f191201b60264dba5233ea3

SHA512
14a3e27b18301e0f5497568ba391129820350ccfb1b0c4e1ac64aec4cee4eb03ad4e714ee9faaeee4531ab866ddf5bf04301cb9d11bbe025435e6408ac1fdebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\giveu.exe

Filesize
469KB

MD5
088e2d89bb861513b29b30a0be3341f6

SHA1
46ad71e826c4abc31cfe39367534a6f1f1aa25d3

SHA256
709f6a38976fdcafaa3c4b5b6de4d83779845a38a8f291e2829cd349c5ae0ea3

SHA512
1ea0e2342e10c4f1b6219a124761ce27a4aff73315dca32fc4e5225c1efa4b59686c1beb2c632b4673e2f0ab578ccd486d0d60ca09ee2cd8db91d09836ca23e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0633b21ece9f700c342f822b86c248f3

SHA1
537645c8e3d9732ac250895a9c933644fd1aebf3

SHA256
a055c1cfefa8d47cbb394e65f5f176b596b6b28a15b53e56b3248da5eb089212

SHA512
700dffff53aeb54c7d833ca8ca4b692abb95914442d515c6528c7616a011b3ff74645bc8cdfe1322298a1ed7f9087e341950bdae13cc17ea38046d9f561ce389

Download Submit
memory/3204-14-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3204-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3984-25-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3984-39-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4356-24-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4492-37-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4492-42-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads