urelas | 44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989

General

Target

44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe
Size

338KB
MD5

b3fb6f09ebec35e48c26bf051c0223d0
SHA1

237c8b112c29eca3214ef00b48cb6e2d939a5682
SHA256

44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989
SHA512

f7bcab1432f8367095d9047df0055629233e80b8710c0bc1120535e9d679f46f099c02cfb4877f33fcf062976ff888519388acf8a22c85d53e40b49d8daeee38
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOTf:vHW138/iXWlK885rKlGSekcj66cic

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	quxon.exe

Executes dropped EXE 2 IoCs

pid	Process
2244	quxon.exe
3148	cozui.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quxon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cozui.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe
3148	cozui.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 2244	4304	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe	82
PID 4304 wrote to memory of 2244	4304	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe	82
PID 4304 wrote to memory of 2244	4304	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe	82
PID 4304 wrote to memory of 5116	4304	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe	83
PID 4304 wrote to memory of 5116	4304	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe	83
PID 4304 wrote to memory of 5116	4304	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe	83
PID 2244 wrote to memory of 3148	2244	quxon.exe	87
PID 2244 wrote to memory of 3148	2244	quxon.exe	87
PID 2244 wrote to memory of 3148	2244	quxon.exe	87

C:\Users\Admin\AppData\Local\Temp\44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe
"C:\Users\Admin\AppData\Local\Temp\44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\AppData\Local\Temp\quxon.exe
  "C:\Users\Admin\AppData\Local\Temp\quxon.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\cozui.exe
    "C:\Users\Admin\AppData\Local\Temp\cozui.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f59121540301e5ff5b2eb2b0e4375c42

SHA1
53f84995c3c14a3409c0fddd16679ab31dc8e6f5

SHA256
5c22b6941aa5e2da45e2b1811ff39b085a68329360d53ac5f4d26139dc55f5ff

SHA512
06ba6f358682915293f3426990b7235d64c13d7b8e5424160d573173aec95f016db67fed1bcdcd52f4bb5094822bd5580190dc8c481a7c9fe181c5a4cdfb2bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cozui.exe

Filesize
172KB

MD5
e9f2ca6f7bbec5bca2c7d90944e3deae

SHA1
39ec9b656fabdaf421008a2dfc4983b41187bda0

SHA256
23428dbc768289d0a7707436ba2ce8d6daccb4d834ce8f7784e48da64740c6d9

SHA512
d6662f236a6ca36d57f4758333276a673dc70f6b744595b3b3efb068a56bc4a5901312e1418f85c653cf9ed300f399cff196eb23b5bdd22ab33fff079d8efe12

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6598fb8df64c1f3c8de5f9b15024f2b3

SHA1
eb54a5462e24ec6c0d582c93827aaee7f93ce96c

SHA256
0728d2befe561c71697abccd352cf50046edcdc7b66737b4acd78279fd7f117b

SHA512
9fb05a5e09b95db2735ba2e6f6bf844a1f63c5bb2f3600b8cd6363bd954995d3b4fbb2abb2f97cb66c7f298d4378040235f7584cd376e88f78cc0aeee0229cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\quxon.exe

Filesize
338KB

MD5
e74a0b44195f5ee251992faa0f0f1f9d

SHA1
8ee796ff2be8d373ea2764fd010c06b601c0ae48

SHA256
d5d56eea0293ef3e683eabda8397ea2d629ec5fc9a8c4344b798c8317cbc3ad2

SHA512
cbcb7e4e97a0e0c3f417b45b2956cc643318a54bb20b1839134af3ad32baeeced8236dd0860e58c2411ce3c28014182a37a88fb7ae7089aaeb7133b4df37f2df

Download Submit
memory/2244-21-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2244-41-0x0000000000BB0000-0x0000000000C31000-memory.dmp

Filesize
516KB

Download
memory/2244-14-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2244-11-0x0000000000BB0000-0x0000000000C31000-memory.dmp

Filesize
516KB

Download
memory/2244-20-0x0000000000BB0000-0x0000000000C31000-memory.dmp

Filesize
516KB

Download
memory/3148-39-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/3148-38-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/3148-42-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/3148-47-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/3148-46-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/3148-48-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/4304-17-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/4304-1-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4304-0-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing