urelas | 0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807

General

Target

0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe
Size

335KB
MD5

8cb4de3ec7aa600f32bda077dfa76d70
SHA1

a85ae20ee43c62b6db8c32c7409fbb424e5842d6
SHA256

0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807
SHA512

f111e57b24edbe8a93dacb9cc2fae513561b955895517730213d231cc7690817af0d069ded2a5aead25e5d7ab4a041ef20d7a2e31034632cad1350ab848cd6ef
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYC:vHW138/iXWlK885rKlGSekcj66cib

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	dutek.exe

Executes dropped EXE 2 IoCs

pid	Process
3768	dutek.exe
2872	xoqux.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dutek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoqux.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe
2872	xoqux.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 3768	4064	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe	85
PID 4064 wrote to memory of 3768	4064	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe	85
PID 4064 wrote to memory of 3768	4064	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe	85
PID 4064 wrote to memory of 4828	4064	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe	86
PID 4064 wrote to memory of 4828	4064	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe	86
PID 4064 wrote to memory of 4828	4064	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe	86
PID 3768 wrote to memory of 2872	3768	dutek.exe	107
PID 3768 wrote to memory of 2872	3768	dutek.exe	107
PID 3768 wrote to memory of 2872	3768	dutek.exe	107

C:\Users\Admin\AppData\Local\Temp\0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe
"C:\Users\Admin\AppData\Local\Temp\0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\dutek.exe
  "C:\Users\Admin\AppData\Local\Temp\dutek.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Users\Admin\AppData\Local\Temp\xoqux.exe
    "C:\Users\Admin\AppData\Local\Temp\xoqux.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
8a3655a66124934fe99d94396b7b8feb

SHA1
37b47c752d7432384618d44f6898635a2807e1e2

SHA256
27709208b3da2982a365e2434da68922716686268fd33791b549e7e609c67ca5

SHA512
958dae655b5ea92e143d4e207d712235c8117093b47bb754c26fc4abfaef68273520b54ebb32a66af64de0a26e5b1baa78dcd6a494021edcc472152f0c4ba8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dutek.exe

Filesize
335KB

MD5
ec311ea398ed20ba702eaf31d8a53b94

SHA1
acd8fa927808c06c335f611ce878cd2c98d90e9c

SHA256
bcbf1f3b8222025c1bc4887d15e067e03b10352450a9cb4692c43d9d3dc441f3

SHA512
69ee4fa9d07a895845ebce7aaa61bc1a8ee986ee674d273d521d6ab3182803b9ac2397f32310c367f1c864470cb6ea175629c19507ddc0ed5bffff46f324014d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
32253532179537bc0f166d4770f7b4a6

SHA1
d18a925561a0a600f03f61f6452c3cc59867fe4b

SHA256
f2c30c9ebc5208a1cbb1d377c89b92611ebff7f9a6b5c6efd8df1835969ed478

SHA512
2d0446839ce59aad51be93ba66f1c8007de82485c11ede7b4717b7f4b85ff5d0b3789c47d551a1c1dbe83f0646ae86c5fc4ca976bd11f4e5f04683ae9801a58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoqux.exe

Filesize
172KB

MD5
4574310ee0bb959d1b4adcda9420636c

SHA1
3b704ea119a4becf40f952b029d296bfa76de69f

SHA256
f4368ba508a7a0bab272bafbcde0e31948c40b4510a05449aa73b739b9fe7bba

SHA512
4e939ebd01d908a184ceaa4a7d64d01f25ab1bfb44a5cf8209683a0b89cb4ae83b5d5fad0c36583dd28a9cc0300466b3589e8391caea5fd75a3c305b148353e3

Download Submit
memory/2872-47-0x0000000000AC0000-0x0000000000B59000-memory.dmp

Filesize
612KB

Download
memory/2872-46-0x0000000000AC0000-0x0000000000B59000-memory.dmp

Filesize
612KB

Download
memory/2872-37-0x0000000000AC0000-0x0000000000B59000-memory.dmp

Filesize
612KB

Download
memory/2872-44-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

Filesize
8KB

Download
memory/2872-39-0x0000000000AC0000-0x0000000000B59000-memory.dmp

Filesize
612KB

Download
memory/3768-13-0x0000000000EC0000-0x0000000000F41000-memory.dmp

Filesize
516KB

Download
memory/3768-21-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3768-20-0x0000000000EC0000-0x0000000000F41000-memory.dmp

Filesize
516KB

Download
memory/3768-43-0x0000000000EC0000-0x0000000000F41000-memory.dmp

Filesize
516KB

Download
memory/3768-14-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/4064-17-0x0000000000090000-0x0000000000111000-memory.dmp

Filesize
516KB

Download
memory/4064-0-0x0000000000090000-0x0000000000111000-memory.dmp

Filesize
516KB

Download
memory/4064-1-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing