urelas | 4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3

General

Target

4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe
Size

336KB
MD5

362cea37b4515362a69bbdbf1114b700
SHA1

eea2d6bcf28637859873bb040eb63ca183aff830
SHA256

4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3
SHA512

e0a76b767f46ced49414b3ee0d9fb3faa746be5a0133bc06a474d7c5600b769390c1250f2605f514e993794f74ec71a6b7bc9808b48733d116c87576ab4d0ac7
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYvRA:vHW138/iXWlK885rKlGSekcj66ci2m

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	qigeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe

Executes dropped EXE 2 IoCs

pid	Process
3064	qigeh.exe
3068	udrih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qigeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	udrih.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe
3068	udrih.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 3064	4996	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe	82
PID 4996 wrote to memory of 3064	4996	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe	82
PID 4996 wrote to memory of 3064	4996	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe	82
PID 4996 wrote to memory of 3092	4996	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe	85
PID 4996 wrote to memory of 3092	4996	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe	85
PID 4996 wrote to memory of 3092	4996	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe	85
PID 3064 wrote to memory of 3068	3064	qigeh.exe	94
PID 3064 wrote to memory of 3068	3064	qigeh.exe	94
PID 3064 wrote to memory of 3068	3064	qigeh.exe	94

C:\Users\Admin\AppData\Local\Temp\4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe
"C:\Users\Admin\AppData\Local\Temp\4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\qigeh.exe
  "C:\Users\Admin\AppData\Local\Temp\qigeh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\udrih.exe
    "C:\Users\Admin\AppData\Local\Temp\udrih.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b56b74292202dfbed28d849479409787

SHA1
2b691f862fc8cc967d10f737afb5d453b849df61

SHA256
965fca84d4a3d9fa5bbfd6401caea03e625f0c0accb2613ad485bd8226b05138

SHA512
d272b35d23ac3d395c070d6c3589ae41caba9d50b443f8eb37bf44f550c8768cc11870e5df1ae9e867497247dad0367022977a01a847d2c620255ccd6fe647c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
12845c7d59c8740c49a7688a6adb3fac

SHA1
02fda1b4fe443454eb272ba975bc49e84f4d8d70

SHA256
7ea2260b5093566b8ad017a16eb7b7fa3b9814a386d791220713e21c6731d667

SHA512
a9334e207f48de7a5568339f884086d671d96528070d1ade1c291f93c699236e64dada5c6c84374d0a08cfbd1ea81cca1f3787ae74e7ad5a860be13e91d89016

Download Submit
C:\Users\Admin\AppData\Local\Temp\qigeh.exe

Filesize
336KB

MD5
7b93288bb3561c938541631039280286

SHA1
948a045fab00c3397d8292796e7b24bfd00a3121

SHA256
5fc73250e6fbe63ea544bdd785360b5851a0c223934b8ab63caeb6c2d317ec88

SHA512
76355fa9e98ca0f2945a745c8665815259756ef1a703d1ba99ae4262c908c96c8c76636704be52c55c345212d2f53b5c79c0adc25ba59f1d83901a477f270539

Download Submit
C:\Users\Admin\AppData\Local\Temp\udrih.exe

Filesize
172KB

MD5
1efa2665bf919e235ee17abc414334fc

SHA1
34282c4aff6e4a5a97a850650eb4280f9a12341f

SHA256
20bd00c0faeae1de3c12845264ddcdff6462fc94785eb4f1ab5cc430817d7625

SHA512
4596b96d1e2b6b7e13cb8e7e7c3c09f2d92794345e783a0a7c8262e1b25c3ded2a9e03e1a1698280ca9e704e3d6df15a0d565a08a22a2aa9b2d89b65df0a1b67

Download Submit
memory/3064-19-0x00000000003A0000-0x0000000000421000-memory.dmp

Filesize
516KB

Download
memory/3064-20-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/3064-11-0x00000000003A0000-0x0000000000421000-memory.dmp

Filesize
516KB

Download
memory/3064-14-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/3064-43-0x00000000003A0000-0x0000000000421000-memory.dmp

Filesize
516KB

Download
memory/3068-39-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/3068-38-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/3068-37-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/3068-45-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/3068-46-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/3068-47-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/4996-1-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/4996-16-0x0000000000CE0000-0x0000000000D61000-memory.dmp

Filesize
516KB

Download
memory/4996-0-0x0000000000CE0000-0x0000000000D61000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing