urelas | fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69

General

Target

fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe
Size

335KB
MD5

714315fad3e335b5c939b4a8e0b2fcd0
SHA1

7bdfff1f79148b07533a1cb44297ca9f7b61baca
SHA256

fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69
SHA512

70dbaa0e86243871e9872fdefa6d7d1b49777ebee96316812b40f9c53b0cb32278be6501a4f8729734c04e243ad726f08283f6ee59970dfdeee4307942eff86f
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIQ:vHW138/iXWlK885rKlGSekcj66ci8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	waejy.exe

Executes dropped EXE 2 IoCs

pid	Process
4340	waejy.exe
3012	olwiq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waejy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olwiq.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe
3012	olwiq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 4340	4264	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe	82
PID 4264 wrote to memory of 4340	4264	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe	82
PID 4264 wrote to memory of 4340	4264	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe	82
PID 4264 wrote to memory of 4732	4264	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe	83
PID 4264 wrote to memory of 4732	4264	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe	83
PID 4264 wrote to memory of 4732	4264	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe	83
PID 4340 wrote to memory of 3012	4340	waejy.exe	102
PID 4340 wrote to memory of 3012	4340	waejy.exe	102
PID 4340 wrote to memory of 3012	4340	waejy.exe	102

C:\Users\Admin\AppData\Local\Temp\fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe
"C:\Users\Admin\AppData\Local\Temp\fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\waejy.exe
  "C:\Users\Admin\AppData\Local\Temp\waejy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\olwiq.exe
    "C:\Users\Admin\AppData\Local\Temp\olwiq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
1884aed314a1b1d92aabe4ca9abd3232

SHA1
45f21b5d7099a1795f0e6f91b322b45e33a9254b

SHA256
4d6d01a4f1d837e820add08398950d383dffbfc15a729520bca482aa2b7b436a

SHA512
d67087f32b0fa3a8d756139a678841ea9e4d2c35e115bc9cfc7cf15137cbb411f7e5b93aaea5597e43ee6773ac7b940d6aaad5d2bb942889a99e415ce2a8a457

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a6c16843368ba7cec20f76c203b40320

SHA1
0e36f4e080a4915446ce603e9770f240234b859b

SHA256
f6211fbf77f6c5a0ca6acd572935abd2eca121ccd80d12fe40b6ae22781a1463

SHA512
9243aceb3c83a9fe2247c70920fdd8e4bff9202b6e7017acb4408c2fce679eb22f9a55df13512600cb5f556ba50f655598cdf61fd95319739bb705f31ba6a31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\olwiq.exe

Filesize
172KB

MD5
d1547ea621e84dfb611916033e644338

SHA1
2a6ab7f85651a060157d4848e17c4b8dd9c79a3b

SHA256
ddfc518a5fedc90917fd28d94055d78d003c1f7594af0573664c05701de5f69c

SHA512
019b80d956c54229b9c683662e724fdd11a4800caadbafd754b9c2f92a263a024e5f114e8a499f2f617bcff46557d8465fe1f0575ad6cd60379beecce1c48550

Download Submit
C:\Users\Admin\AppData\Local\Temp\waejy.exe

Filesize
335KB

MD5
9e2c43e9a3f0ea851097140db9d12519

SHA1
64dd484cca85fdb4324e7843a2f905ea37fad9e2

SHA256
efb09564a1372aac051a77d60b5ab50cda2a05ce5f5dd48ffba3d4249a530d6c

SHA512
1625656b7cd5f6a7eb55cdaaf7f2355410406e41593a763b73b86f2f9e00787fe8cb815769582aad893d353895cb8f05af5ebcbe180f40f9d574cc42ffbeee11

Download Submit
memory/3012-47-0x0000000000520000-0x00000000005B9000-memory.dmp

Filesize
612KB

Download
memory/3012-46-0x0000000000520000-0x00000000005B9000-memory.dmp

Filesize
612KB

Download
memory/3012-45-0x0000000000520000-0x00000000005B9000-memory.dmp

Filesize
612KB

Download
memory/3012-36-0x0000000000520000-0x00000000005B9000-memory.dmp

Filesize
612KB

Download
memory/3012-40-0x0000000000520000-0x00000000005B9000-memory.dmp

Filesize
612KB

Download
memory/3012-43-0x0000000000520000-0x00000000005B9000-memory.dmp

Filesize
612KB

Download
memory/4264-0-0x0000000000690000-0x0000000000711000-memory.dmp

Filesize
516KB

Download
memory/4264-17-0x0000000000690000-0x0000000000711000-memory.dmp

Filesize
516KB

Download
memory/4264-1-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4340-15-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4340-39-0x00000000003E0000-0x0000000000461000-memory.dmp

Filesize
516KB

Download
memory/4340-20-0x00000000003E0000-0x0000000000461000-memory.dmp

Filesize
516KB

Download
memory/4340-11-0x00000000003E0000-0x0000000000461000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing