urelas | 5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5

General

Target

5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe
Size

334KB
MD5

aae5733bb4ed466d348eb25664f48520
SHA1

94bb4c32f47fd90713f29669a96446d2d09a31db
SHA256

5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5
SHA512

8c7372c3a0f08727c2a5600ae1f4f8384a6c0348c0e6702992ef722791f5808a046b243e6ea8f7528b93f45aab9b1eca5b5bca6b382ff49d5170f2c3afbacf62
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOcF:vHW138/iXWlK885rKlGSekcj66cin

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ridop.exe

Executes dropped EXE 2 IoCs

pid	Process
316	ridop.exe
1880	duzoz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ridop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	duzoz.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe
1880	duzoz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 316	3124	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe	82
PID 3124 wrote to memory of 316	3124	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe	82
PID 3124 wrote to memory of 316	3124	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe	82
PID 3124 wrote to memory of 4904	3124	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe	83
PID 3124 wrote to memory of 4904	3124	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe	83
PID 3124 wrote to memory of 4904	3124	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe	83
PID 316 wrote to memory of 1880	316	ridop.exe	94
PID 316 wrote to memory of 1880	316	ridop.exe	94
PID 316 wrote to memory of 1880	316	ridop.exe	94

C:\Users\Admin\AppData\Local\Temp\5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe
"C:\Users\Admin\AppData\Local\Temp\5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\AppData\Local\Temp\ridop.exe
  "C:\Users\Admin\AppData\Local\Temp\ridop.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Users\Admin\AppData\Local\Temp\duzoz.exe
    "C:\Users\Admin\AppData\Local\Temp\duzoz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
6cc0a0f85e04a320a865639a8416b503

SHA1
856723f3b651c5aa3eae579152a689133656723c

SHA256
104a99d9ac9258a2b7dccb5bb28a849cc22743fa370169e327626227afec2555

SHA512
7cd76b3422bfcd0dea7f5e821192e40000d5efda8a3d584e59a12a7f7e0b2b666553f4e2e394803621d36f2e4279056171badeb2568af4358ada1c3f2151b7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\duzoz.exe

Filesize
172KB

MD5
64e044611499ebe0e2584526bc7d15cb

SHA1
ffef87e2fed5d9982cd7dd4ca507f16023c0941e

SHA256
91745f1863484c6973814bf8bf5808f48a57fd44e9d914dc0de934ddebd8a35d

SHA512
0dac1f2c3b9a6b38bb23f3c1efffcc556efcec3a71bdf7fa56c7b9cdf749e25e2bc490273b8b8c10bf791dbdbf8e8eb5b5558027f869879f956808c371d2dd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9d1713aac733e94b46da029077ed72e2

SHA1
5258889cd68c8cfd2e1b1fd402da84b84124f9cd

SHA256
0dc2bbeacdedfbd1e8b950c15bb8fd84ab0b58deccd857cdfd6d92811d083670

SHA512
c65f6294c212b171f60516a67d1bfaf332fb637797ebbe4f25f9b8d752dfecd41be75228b207908298d30bb4ef579ad75773f8ae298e336a21b784f0874989b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ridop.exe

Filesize
334KB

MD5
7ae9710bad7b04f098e5223483da24bf

SHA1
89567e6046891e7c8c14f25dee612455c972749d

SHA256
31205a2c66b39989dd0e8a198e76f2de7c2b8713af583de829b459aae31c1c8a

SHA512
3f1b22fd4c4879b1a0d22a530b82d2e0acc3f32caef689a7b97838dd36e0760fe04d1c93ab8308a395eaffedb5b9dc0cac436b28fc928e46c3ef4c8ffa7b5554

Download Submit
memory/316-20-0x00000000007F0000-0x0000000000871000-memory.dmp

Filesize
516KB

Download
memory/316-21-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/316-13-0x00000000007F0000-0x0000000000871000-memory.dmp

Filesize
516KB

Download
memory/316-14-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/316-44-0x00000000007F0000-0x0000000000871000-memory.dmp

Filesize
516KB

Download
memory/1880-38-0x0000000000110000-0x00000000001A9000-memory.dmp

Filesize
612KB

Download
memory/1880-40-0x0000000000110000-0x00000000001A9000-memory.dmp

Filesize
612KB

Download
memory/1880-39-0x0000000000F90000-0x0000000000F92000-memory.dmp

Filesize
8KB

Download
memory/1880-47-0x0000000000F90000-0x0000000000F92000-memory.dmp

Filesize
8KB

Download
memory/1880-46-0x0000000000110000-0x00000000001A9000-memory.dmp

Filesize
612KB

Download
memory/1880-48-0x0000000000110000-0x00000000001A9000-memory.dmp

Filesize
612KB

Download
memory/3124-1-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3124-0-0x0000000000120000-0x00000000001A1000-memory.dmp

Filesize
516KB

Download
memory/3124-17-0x0000000000120000-0x00000000001A1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing