urelas | 707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c

General

Target

707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe
Size

448KB
MD5

7b19391fe95e7ca39f825f9a97524f99
SHA1

c2a97e3c170d4860dbe274f387382e566763652b
SHA256

707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c
SHA512

1f812cf3f6740ff8b2bc04553c55749c0ac2a0ff61cccca4d48cc995abeac64286d945386c10fe82bea2745898ac9c1ce3581841ff016eb19a117c0d2d2c3856
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpoZ8:PMpASIcWYx2U6hAJQn6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	oznur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	kiwuxu.exe

Executes dropped EXE 3 IoCs

pid	Process
3280	oznur.exe
5076	kiwuxu.exe
4384	liwon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oznur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwuxu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liwon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe
4384	liwon.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 3280	4640	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe	83
PID 4640 wrote to memory of 3280	4640	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe	83
PID 4640 wrote to memory of 3280	4640	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe	83
PID 4640 wrote to memory of 3544	4640	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe	84
PID 4640 wrote to memory of 3544	4640	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe	84
PID 4640 wrote to memory of 3544	4640	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe	84
PID 3280 wrote to memory of 5076	3280	oznur.exe	86
PID 3280 wrote to memory of 5076	3280	oznur.exe	86
PID 3280 wrote to memory of 5076	3280	oznur.exe	86
PID 5076 wrote to memory of 4384	5076	kiwuxu.exe	104
PID 5076 wrote to memory of 4384	5076	kiwuxu.exe	104
PID 5076 wrote to memory of 4384	5076	kiwuxu.exe	104
PID 5076 wrote to memory of 4804	5076	kiwuxu.exe	105
PID 5076 wrote to memory of 4804	5076	kiwuxu.exe	105
PID 5076 wrote to memory of 4804	5076	kiwuxu.exe	105

C:\Users\Admin\AppData\Local\Temp\707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe
"C:\Users\Admin\AppData\Local\Temp\707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Local\Temp\oznur.exe
  "C:\Users\Admin\AppData\Local\Temp\oznur.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Users\Admin\AppData\Local\Temp\kiwuxu.exe
    "C:\Users\Admin\AppData\Local\Temp\kiwuxu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\liwon.exe
      "C:\Users\Admin\AppData\Local\Temp\liwon.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
2e7260fb295aac3ed7a5e46c32a767ad

SHA1
85e04393f896cdc50969afff14ae5e35f9a565a7

SHA256
b502ac72ebbcf0fc6936b498ac177be6e74d00c3fab81698e9fd956446c71fae

SHA512
f687c42ad4fa103032a8b439bce41de33b16517b96fb7d06a30ab8443b7a1f11f0ce7508cd1aa8d6e130929a8c2816a2dd78e3d5da4c3fadeb99f8baec5460b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
928c0cf5eede886446f72d1b2d07a5c6

SHA1
81d5ce723c6ad48231aaaf51ac8a41b025c4df0d

SHA256
ed787ceb80f71089055bbdff267277c0f054364d6f319d0c80581c369eef24aa

SHA512
5311cf9c9e5e12540afa0ade076f7a793d19816d2d0b4b90dd919b9fed672b2d23de0b9292160ad98982f18e9eb9a0caeb40e36c97e8175aa3ea19f347168a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2ffb9dbc9e83dee765bb1568be6da2bf

SHA1
c51f5b41098ddfffa37d6dfb285732f53f743361

SHA256
3afc884230f24f8bfe61af3a028cfa9fa4c4777126b916ae0c2797c5ba70896d

SHA512
2e2f005f974e5202f74dea81312b318e6987973e17f5b22929e9dcd6a27552479972f8e3406699ce475ca7d2f059dbd54cabc501087696e0e9de74f3cf5cd270

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiwuxu.exe

Filesize
448KB

MD5
55b8fd924e65e4b8e4c4e6daa01d0d41

SHA1
4bc34c260fe9acbb5fafb7ccba82505d8ced7c6b

SHA256
dcd7c989056437236979bc4ba119ce70b6c5313cc325985e9d0898e01055cbff

SHA512
179c5e72a0166992577f3ca0b5686740601eb097cc196f6e9bea78d3e3dccd007766820108c0e6c1354263bab342e34b23d254c9d804c806f697976b87136a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\liwon.exe

Filesize
223KB

MD5
32b2147d661fecdbf3b23fb451127dc7

SHA1
aabf5964162e7860cd21d038004b383f5298e527

SHA256
63b745700e1c727f0ff4aea6d4e34471467a9e815f6cc9b37de2b847a3fc647d

SHA512
af3bf1c748e7fd59dc797641080e32ad7e0b3067a41ca77add687c1e6a345aed7c04135703b1d8fea69579bf6629176c71d00d9d79b5d0fba21bda6f6eb23f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oznur.exe

Filesize
448KB

MD5
24f807c5f6c9092decbc3154c1b7f72b

SHA1
d17a785ec29749a813ff86f1210494d879dad98b

SHA256
379e83beadfad52b97b9ee3c1fdd9b45b0424c3adcae3502e14d8e6594915365

SHA512
23b8d27b6604f1d80de51de47085c82c802bef3128bf13a26fcb79fced4301d58d9791a06d60119cab32506c8c031fb51c658d85f2f7876fd6966ef25cadc0de

Download Submit
memory/3280-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4384-37-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/4384-41-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/4384-42-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/4640-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4640-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5076-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5076-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing