urelas | 604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589

General

Target

604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
Size

333KB
MD5

2cc1c91da4b72fd5328644f18b3514a0
SHA1

1a8d4ebd5eff3bfd7df53a62ee8fee648589843b
SHA256

604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589
SHA512

122440ace5368f4b9a912998a1cb62b6d0b26a487aee1f4ec89b8eeeb4d3dfa84bdf003405c926e3737e745f89d77ecb49b6ee1362861d24dde021df982083df
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYG:vHW138/iXWlK885rKlGSekcj66ci3

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	kukoe.exe

Executes dropped EXE 2 IoCs

pid	Process
4288	kukoe.exe
4768	ashoa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ashoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kukoe.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe
4768	ashoa.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4288	5056	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe	83
PID 5056 wrote to memory of 4288	5056	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe	83
PID 5056 wrote to memory of 4288	5056	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe	83
PID 5056 wrote to memory of 3624	5056	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe	84
PID 5056 wrote to memory of 3624	5056	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe	84
PID 5056 wrote to memory of 3624	5056	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe	84
PID 4288 wrote to memory of 4768	4288	kukoe.exe	104
PID 4288 wrote to memory of 4768	4288	kukoe.exe	104
PID 4288 wrote to memory of 4768	4288	kukoe.exe	104

C:\Users\Admin\AppData\Local\Temp\604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
"C:\Users\Admin\AppData\Local\Temp\604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\kukoe.exe
  "C:\Users\Admin\AppData\Local\Temp\kukoe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Users\Admin\AppData\Local\Temp\ashoa.exe
    "C:\Users\Admin\AppData\Local\Temp\ashoa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
ceb84504f175f405c77ff6588a2d2592

SHA1
7b63056cd33b6b5c40ccdfea828d20a962fc9113

SHA256
a81ff24fbda9d44d5721e0cc33a6cfa85c716e4459a05f41cd6416e1ebd67f9c

SHA512
9c10a0dd7c90fd78eb47a4c949dcabacdf097eabf231a65db365547456ef26d37b1be80d51b75c5f45ee56cc089d2e433d4ea6fee16c524b4202458467e36d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ashoa.exe

Filesize
172KB

MD5
1e411be92a6edd5a68d800b4509dc31b

SHA1
32a5cf33c80702cbf74ebddfeaad61b4bb39315b

SHA256
6a4466aaec2679bd8514e3dd0a3a96a9c21eeb5c7f65245160583f75dd25859c

SHA512
aa633d95a7a1e9564a213ed8268db3c39805cc85b11fbfa666c279cfe2f176c11ca4b7ca3514028c42a582f1126919d7e4b5fde9d8f76dfd7a712b5f1644a163

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2d6150e36173de1920d2fdef419328bd

SHA1
597a8ee46978e8944175bdfa848244372f0a2af2

SHA256
75946467dc4a0a6b78289be3172051570791eea86a3e10e3a16fcf666e67251c

SHA512
0f6cdc2c6305d33aaeb8387bc8746c2eed09728829471bb5a0727f79bfb701b0dbcdaebf15ba3d8e0785dbd0760fb2610754899ca147ca37aa5a08ae275b63fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kukoe.exe

Filesize
334KB

MD5
0a5fbb41e243985ac3bbe0a09f8ae8fa

SHA1
95a25f8a2400b0e5c82a815d3cf4ab8ccbb26b4a

SHA256
b4c9bd63bfb706bc373b3c5a6b92a659846cbd27403f0243fe2e4309bba84a11

SHA512
66de9b5791f07a4f2b1cd0226ad283fc8ef7937561e980982172066e5ee63d31d944e702d6de9585577e35d511b237f7b53a0640b5d99c886de0055c29ab72e4

Download Submit
memory/4288-20-0x00000000003E0000-0x0000000000461000-memory.dmp

Filesize
516KB

Download
memory/4288-21-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/4288-11-0x00000000003E0000-0x0000000000461000-memory.dmp

Filesize
516KB

Download
memory/4288-14-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/4288-39-0x00000000003E0000-0x0000000000461000-memory.dmp

Filesize
516KB

Download
memory/4768-43-0x00000000006D0000-0x0000000000769000-memory.dmp

Filesize
612KB

Download
memory/4768-41-0x00000000006D0000-0x0000000000769000-memory.dmp

Filesize
612KB

Download
memory/4768-40-0x0000000000C00000-0x0000000000C02000-memory.dmp

Filesize
8KB

Download
memory/4768-46-0x0000000000C00000-0x0000000000C02000-memory.dmp

Filesize
8KB

Download
memory/4768-47-0x00000000006D0000-0x0000000000769000-memory.dmp

Filesize
612KB

Download
memory/4768-48-0x00000000006D0000-0x0000000000769000-memory.dmp

Filesize
612KB

Download
memory/5056-1-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/5056-0-0x0000000000190000-0x0000000000211000-memory.dmp

Filesize
516KB

Download
memory/5056-17-0x0000000000190000-0x0000000000211000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing