urelas | 0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33ace

General

Target

0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe
Size

338KB
MD5

005992c96d9b51f1828729a17ef2e0c0
SHA1

f0a210d71d2e2a47c359cea3de32a12c53dd6664
SHA256

0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33ace
SHA512

3ea63ba128a93b3ee21635b41d39a6a4d1c2dbe05dec98fc7d9ca78eccb7478cdc10b35fe75ff0aa658f907719e9d0a10920f68ccfe96a3fb92bae2ea94d383e
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYWc:vHW138/iXWlK885rKlGSekcj66ciI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	cijye.exe

Executes dropped EXE 2 IoCs

pid	Process
2664	cijye.exe
3668	todau.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cijye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	todau.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe
3668	todau.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 2664	3196	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe	82
PID 3196 wrote to memory of 2664	3196	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe	82
PID 3196 wrote to memory of 2664	3196	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe	82
PID 3196 wrote to memory of 2316	3196	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe	83
PID 3196 wrote to memory of 2316	3196	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe	83
PID 3196 wrote to memory of 2316	3196	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe	83
PID 2664 wrote to memory of 3668	2664	cijye.exe	94
PID 2664 wrote to memory of 3668	2664	cijye.exe	94
PID 2664 wrote to memory of 3668	2664	cijye.exe	94

C:\Users\Admin\AppData\Local\Temp\0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe
"C:\Users\Admin\AppData\Local\Temp\0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Users\Admin\AppData\Local\Temp\cijye.exe
  "C:\Users\Admin\AppData\Local\Temp\cijye.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\todau.exe
    "C:\Users\Admin\AppData\Local\Temp\todau.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
4d9750146edf68417bfe9c954937c325

SHA1
3c2fdf25a8ff9f714b78dd80b7650046bf2acbde

SHA256
8a9a3dd4b2724cd5a3b408cd6fcef8af8c8b9c7c3748fa505da581401d78dd27

SHA512
06ffa691dd7728df4fdf84a540bf528e693c4262a29469c989402bab7bcb2db4531b7444b9f79f6d7dc114d922233665f89062d889eaaa71a321330eede6010a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cijye.exe

Filesize
338KB

MD5
1fff9c5835cbdf41d86d0909baaadce5

SHA1
dbab0928f46619dae015e759e176ccfba6e9ddc9

SHA256
24916f130f6b2243566b1bf17d3581f6dfcda296be97d239b01d1b1b60ba6a56

SHA512
9ec7bb0ad624a71b827d5b229ca697265819a33f72a8d0de6575098e55d29ae7fb7c39d1fa451f5098d2cbc027a52d634741144a7d3817c8eb73e491742035ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
af423d40a5dce735682c4fcf137441d9

SHA1
7ca8a5873c111f10d551c62a02ad1782b759bfa3

SHA256
1c68223a05a2ad4b11bdcb5772b39281c8f8172ff7daa8db1ba852e790bc0d11

SHA512
6a0b5b96a64f10891a940e3de43d2ffa8680e055e3014309ebf086c285149f21463d0b3b1122e796f5252d08cff5d9c9455a919e1fb42ad679068ba0f62db37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\todau.exe

Filesize
172KB

MD5
a1ee3aaf092892f99216496656f17f37

SHA1
19e2bb979747a319f93e739803f0fd6d587b8615

SHA256
f147573cfccaf77fd9578fdc4f8885a645c841a69c5827710b1b0f91b4d6e712

SHA512
bb8f1890c7aa7a6421925a62944bd5b57eaa00cbaa92554076f4dfaf7f06431558caf344846c5442345005d1f89800b47ebf2d783316cab0c01fda9980aa3f80

Download Submit
memory/2664-20-0x0000000000790000-0x0000000000811000-memory.dmp

Filesize
516KB

Download
memory/2664-13-0x0000000000790000-0x0000000000811000-memory.dmp

Filesize
516KB

Download
memory/2664-14-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2664-42-0x0000000000790000-0x0000000000811000-memory.dmp

Filesize
516KB

Download
memory/3196-17-0x0000000000290000-0x0000000000311000-memory.dmp

Filesize
516KB

Download
memory/3196-0-0x0000000000290000-0x0000000000311000-memory.dmp

Filesize
516KB

Download
memory/3196-1-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3668-36-0x0000000000970000-0x0000000000A09000-memory.dmp

Filesize
612KB

Download
memory/3668-43-0x0000000001350000-0x0000000001352000-memory.dmp

Filesize
8KB

Download
memory/3668-38-0x0000000000970000-0x0000000000A09000-memory.dmp

Filesize
612KB

Download
memory/3668-45-0x0000000000970000-0x0000000000A09000-memory.dmp

Filesize
612KB

Download
memory/3668-46-0x0000000000970000-0x0000000000A09000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing