urelas | 511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9ed

General

Target

511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe
Size

508KB
MD5

eb48477271572c6589faed3de0a22420
SHA1

ad4fe8092ab79c942e4f55c82dc160bb95885258
SHA256

511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9ed
SHA512

74f037cb5f2174f478adcdde225b1f9fa66d2477ef99c79cee66bbb3abcbcff5be80b4f38e7f9c0c881978da74bf1814331494636319b31cdb5f07e9f8f1661f
SSDEEP

12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKop:3MUv2LAv9AQ1p4dKY

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	zyzad.exe

Executes dropped EXE 2 IoCs

pid	Process
2964	zyzad.exe
468	raogo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raogo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zyzad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe
468	raogo.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2964	1212	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe	82
PID 1212 wrote to memory of 2964	1212	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe	82
PID 1212 wrote to memory of 2964	1212	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe	82
PID 1212 wrote to memory of 3168	1212	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe	83
PID 1212 wrote to memory of 3168	1212	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe	83
PID 1212 wrote to memory of 3168	1212	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe	83
PID 2964 wrote to memory of 468	2964	zyzad.exe	94
PID 2964 wrote to memory of 468	2964	zyzad.exe	94
PID 2964 wrote to memory of 468	2964	zyzad.exe	94

C:\Users\Admin\AppData\Local\Temp\511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe
"C:\Users\Admin\AppData\Local\Temp\511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\zyzad.exe
  "C:\Users\Admin\AppData\Local\Temp\zyzad.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\raogo.exe
    "C:\Users\Admin\AppData\Local\Temp\raogo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
47bf8eb2e74fc36b06ac669ef243a886

SHA1
852f333eab64749106ffcecb52d764ddccf455c1

SHA256
190af1c1580486206366aa42f93623b91e71b5b21a48dffb88fabbe9b3e9e270

SHA512
73c096e9c503837b3c09f26cd0abf7ef14aa276a758684a8df71cfac4739a28233d5c62577fe10ea839eab1d712f4c84a7ecbadbb74d0f8dfc7de3d857097e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2599eb761711c080d16d8e25b10999a2

SHA1
4635638d2b69ac5f1bf25ac0057150f0780fc42d

SHA256
75739b47825d7daeed6139872e8577f803521583a334b677dd51d5b4af1e8402

SHA512
75c0c08214c3d28a23628c54e85cab934d0970bd74e96a195f8d85fd340de0ba8a9e4701718610fd8ee4422eca7d9bafb8ae60beb86cc773f9e00cee4786758a

Download Submit
C:\Users\Admin\AppData\Local\Temp\raogo.exe

Filesize
172KB

MD5
b0775b1001a9a9acd7107166a482c7aa

SHA1
493011b209a1b7d91fc5a6e434790865d913da87

SHA256
038c1a086dbe6520a496233422f9b95878ddbab9535b30dc60c55efd5ca9db7d

SHA512
48f66bf045ff17211fffca9e5ac7c48e67f6ce30dc64b7b1a691594600e91c88ca063fa8341a084bee029cb01510611549e1656c8fa72d631be275fc87d34de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyzad.exe

Filesize
508KB

MD5
583107c34c952675d660c3e8ea9c8d29

SHA1
9fdea1e90be8b9dc7a9b7e95d13deca886866d1b

SHA256
05ba81cfc659d29969f899227776b34ec642d916efb84213b7a27c9255f33389

SHA512
566f5349193f3f3611f60f59c4f8edacd2e261747192e1578a58aeec93596565f1dace71006db481349440d5191a9a1a2d32e77f882de68fed671ec82ce34d7c

Download Submit
memory/468-29-0x0000000000E60000-0x0000000000EF9000-memory.dmp

Filesize
612KB

Download
memory/468-35-0x0000000000E60000-0x0000000000EF9000-memory.dmp

Filesize
612KB

Download
memory/468-33-0x0000000000E60000-0x0000000000EF9000-memory.dmp

Filesize
612KB

Download
memory/468-34-0x0000000000E20000-0x0000000000E22000-memory.dmp

Filesize
8KB

Download
memory/468-27-0x0000000000E20000-0x0000000000E22000-memory.dmp

Filesize
8KB

Download
memory/468-26-0x0000000000E60000-0x0000000000EF9000-memory.dmp

Filesize
612KB

Download
memory/1212-14-0x0000000000190000-0x0000000000211000-memory.dmp

Filesize
516KB

Download
memory/1212-0-0x0000000000190000-0x0000000000211000-memory.dmp

Filesize
516KB

Download
memory/2964-28-0x0000000000710000-0x0000000000791000-memory.dmp

Filesize
516KB

Download
memory/2964-17-0x0000000000710000-0x0000000000791000-memory.dmp

Filesize
516KB

Download
memory/2964-10-0x0000000000710000-0x0000000000791000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing