urelas | 11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4

General

Target

11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe
Size

335KB
MD5

cf747d9922dedadfabbff197a7bac2ee
SHA1

13415f88d5302eef54c966a0096dea92a9b83c17
SHA256

11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4
SHA512

d7e2d7f9d7d0fede4f2b4e3bfd4697c573e854615bd19d4550ad20919fe40b0e7e767023f9c3efb9b96da9e76542cf5699d3c4f9fd9c0e18ee59498678f8b293
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVV0:vHW138/iXWlK885rKlGSekcj66ciEV0

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ugojf.exe

Executes dropped EXE 2 IoCs

pid	Process
3624	ugojf.exe
3864	xuovs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ugojf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xuovs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe
3864	xuovs.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 3624	2988	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe	83
PID 2988 wrote to memory of 3624	2988	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe	83
PID 2988 wrote to memory of 3624	2988	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe	83
PID 2988 wrote to memory of 3996	2988	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe	84
PID 2988 wrote to memory of 3996	2988	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe	84
PID 2988 wrote to memory of 3996	2988	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe	84
PID 3624 wrote to memory of 3864	3624	ugojf.exe	104
PID 3624 wrote to memory of 3864	3624	ugojf.exe	104
PID 3624 wrote to memory of 3864	3624	ugojf.exe	104

C:\Users\Admin\AppData\Local\Temp\11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe
"C:\Users\Admin\AppData\Local\Temp\11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\ugojf.exe
  "C:\Users\Admin\AppData\Local\Temp\ugojf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Users\Admin\AppData\Local\Temp\xuovs.exe
    "C:\Users\Admin\AppData\Local\Temp\xuovs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3da01ee4e2f23c6f9fd3a06fe05e2327

SHA1
aba2280fdd10853d31ee8cd22a973a01b40e1bf3

SHA256
2b809766d6c5f533d936985d2213e0a02f9a2af356bf512e60b9638916554f9c

SHA512
a371abbcd019a8be54ca4ae0a77f16bbd9466f6a55bb99605f0bd7afa185f0cc153cb79fcd0be91a2272c3d73ea6a30d90c646eb637ea05beb6e326d2c78695b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
70a5ef65c4d250ec2c201539b78ada22

SHA1
61c9f2861ce6baf40ccb8195749192eb0572ce01

SHA256
60f516cd8c366287326fa6eb2b80546c791a5c06db59965cc97be2e63fd71198

SHA512
8b7823396679442fabf4f7356819b3a1be750caa548ca17340d8992d332425f6acf01f60048ee68fd4625290e97c635341d415de40328de8b24051294d54d144

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugojf.exe

Filesize
335KB

MD5
e28118acebad770dad4fd8bfe2a2cd70

SHA1
5ea64aaecab9855566f90092b01479aa4a337c4c

SHA256
e753cce2553bd8a4f2bc630d0dcc7504441df92bc4b97738c29d3c7a65fd2084

SHA512
535794d6273847c8d4f0ee738c0483ac19a059438fc76a765033c71c2142e880f2bac2c3e9aaf4af8b34cf7438c4e9b15c2fc98bb0d2ac7262df2f3dc89e0fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuovs.exe

Filesize
172KB

MD5
d9578adbec5841b3d708f5d4d39e216e

SHA1
c4653b850c818fd1098ebe86ab2d1d7a11206ab0

SHA256
4db26ce536d383d5b36f77a2bebac2d11e8cf5bbeb3757f541f98ce505a14002

SHA512
5f84a4be6d375c4e7961607ed27daff217cc52a73fba16e3419650b78b172ce559bb23048a3df5b517a15a6aa3acf63eda691c892c513fb71c421490aba0b14d

Download Submit
memory/2988-1-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2988-0-0x00000000003C0000-0x0000000000441000-memory.dmp

Filesize
516KB

Download
memory/2988-17-0x00000000003C0000-0x0000000000441000-memory.dmp

Filesize
516KB

Download
memory/3624-20-0x00000000004A0000-0x0000000000521000-memory.dmp

Filesize
516KB

Download
memory/3624-10-0x00000000004A0000-0x0000000000521000-memory.dmp

Filesize
516KB

Download
memory/3624-21-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3624-13-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3624-44-0x00000000004A0000-0x0000000000521000-memory.dmp

Filesize
516KB

Download
memory/3864-37-0x0000000000320000-0x00000000003B9000-memory.dmp

Filesize
612KB

Download
memory/3864-42-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/3864-39-0x0000000000320000-0x00000000003B9000-memory.dmp

Filesize
612KB

Download
memory/3864-46-0x0000000000320000-0x00000000003B9000-memory.dmp

Filesize
612KB

Download
memory/3864-47-0x0000000000320000-0x00000000003B9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing