urelas | 558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4

General

Target

558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe
Size

441KB
MD5

843997ebd749579ffd00b2a9fe6284de
SHA1

a7443e907bf47fb2b4b16f84ae9235ae90d73ff7
SHA256

558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4
SHA512

437db5146230455e04798bb2e2c87ed8313880d03450e766450b4508beb12aee63d290d67e0f3d65e8fd9ee04618fbe1a1b1cbff91011891d388a5777ab2e093
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjg:oMpASIcWYx2U6hAJQnn

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xotyk.exehuraji.exe558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	xotyk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	huraji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe

Executes dropped EXE 3 IoCs

Processes:

xotyk.exehuraji.exepikuj.exe

pid	Process
2280	xotyk.exe
3636	huraji.exe
372	pikuj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exexotyk.execmd.exehuraji.exepikuj.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xotyk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huraji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pikuj.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

pikuj.exe

pid	Process
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe
372	pikuj.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exexotyk.exehuraji.exe

description	pid	Process	procid_target
PID 1080 wrote to memory of 2280	1080	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe	83
PID 1080 wrote to memory of 2280	1080	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe	83
PID 1080 wrote to memory of 2280	1080	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe	83
PID 1080 wrote to memory of 3836	1080	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe	84
PID 1080 wrote to memory of 3836	1080	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe	84
PID 1080 wrote to memory of 3836	1080	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe	84
PID 2280 wrote to memory of 3636	2280	xotyk.exe	86
PID 2280 wrote to memory of 3636	2280	xotyk.exe	86
PID 2280 wrote to memory of 3636	2280	xotyk.exe	86
PID 3636 wrote to memory of 372	3636	huraji.exe	96
PID 3636 wrote to memory of 372	3636	huraji.exe	96
PID 3636 wrote to memory of 372	3636	huraji.exe	96
PID 3636 wrote to memory of 1140	3636	huraji.exe	97
PID 3636 wrote to memory of 1140	3636	huraji.exe	97
PID 3636 wrote to memory of 1140	3636	huraji.exe	97

C:\Users\Admin\AppData\Local\Temp\558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe
"C:\Users\Admin\AppData\Local\Temp\558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\xotyk.exe
  "C:\Users\Admin\AppData\Local\Temp\xotyk.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\huraji.exe
    "C:\Users\Admin\AppData\Local\Temp\huraji.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\pikuj.exe
      "C:\Users\Admin\AppData\Local\Temp\pikuj.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
6c4ccedff7025e1d4c5cc77fb3319d41

SHA1
e7495f061551e6c9560c33ea3f42aaeecb62e30e

SHA256
1ac32d287312bc6f166e7695299464e1a4374652dd44a7a2d7761a95d78ce1ee

SHA512
c73ef41139995924cf4a85d8ade77379763e9872eaf8ac60a78995e304850b0b2ace10e584a9cf3acc778be66ce9ae6d8495b1376918c9e6ec04f0782419947e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
e7aec06f39179b83c3a8a5baff53c372

SHA1
2b77ac89422753a0618451ff610ca0f1a77d7fbe

SHA256
b7f0e8fec4c3a87ee80812323c8b41a84d17c7cf89b1b025ad2fb8024049f4bc

SHA512
d58df9c794e0c691faea4e7a615aac806859faf8a1289a61019469a04438a4e5c3bb100239de2434985ae7e91c737d482e11dcbb48b57fbd2fb32865035a4c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f337bd56796d6139cc4445fa0502dc7a

SHA1
0d6e6898e63a5d18c11cc8e9a10629e1c6e255df

SHA256
6b30393a44152e1ebab5c4deb23977a9356c0d85a2fcf9ce9430d46be0bfae77

SHA512
232a28b5145438c788c4ec26b758f51bbc5c8e9e296a6d2cb7022b9653845b0b53b36ca9752245c4d3f66ee271da340fc849ffe419cc7ac3d2f727047d33f32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\huraji.exe

Filesize
441KB

MD5
8208ce39122d9a6ec79d82fd900109db

SHA1
721837fca33e5e80e1bcf2f3779de722e53d922a

SHA256
2ea7222548f72a660c1614ca3b83ac56123e9a8ea0e241303f377d6e13a4479b

SHA512
9c6b75d0d758d27488a8f044972c2255a43a01773abc4d3a692a66ed490abc807bd978994cc71fa92efc27b6d73990da686988e547227802d0fa88d8b6684a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\pikuj.exe

Filesize
223KB

MD5
c237895ddaceb3e4dbd518f84663b200

SHA1
0b0331a64a0b3d71a84b9ac4948e2507bb239bb1

SHA256
3e7bb083db5877559473e9f8b28cef8fe3da42f030138665831a49b623c3d8e5

SHA512
5499ec09d1e534f57188f732adc182a750ff8e613e43155660def196c491729d0e11a09ab5f2f9421a4075955f631ac1e87e8b696b9c4a739e3a5722a4e21dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xotyk.exe

Filesize
441KB

MD5
3720965ba9b02b15469fe34aea4ffa60

SHA1
52c295330c87ab3c0d7fe61e5ebaea601ba73a11

SHA256
07d9950ac3fbe607ddb52538f43314cf3997f3c0bd55513bfdbe187c60837350

SHA512
474828918ae03d0ed8e00f29d133f9eb718245b1c796b50eccb3ed380f689569c8bb5c8c82fb8c3bda2f51a81547fb6ebd783391126a95fe3d489b4beaddb2b0

Download Submit
memory/372-36-0x00000000003F0000-0x0000000000490000-memory.dmp

Filesize
640KB

Download
memory/372-42-0x00000000003F0000-0x0000000000490000-memory.dmp

Filesize
640KB

Download
memory/372-41-0x00000000003F0000-0x0000000000490000-memory.dmp

Filesize
640KB

Download
memory/1080-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1080-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2280-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3636-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3636-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads