urelas | a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558

General

Target

a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
Size

271KB
MD5

8dcf36dbac7541e903b39079c481783f
SHA1

4da3e2ba8433500f27405fa79d4c55a7331d4506
SHA256

a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558
SHA512

7ee072cf3b38e8322584516e0909b4cc534f5ab6bcee68c364230b0dd7cbf586c83c319089f393936f5af0860f2e35e3b43f41c6e2709c31228896ab38fc2ec4
SSDEEP

6144:SPdhP7Vq2S8GYlH9LKeu5exdoW7KkYGuH6lY:uhPjSCKeu0oEYGTW

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	omcoh.exe

Executes dropped EXE 2 IoCs

pid	Process
2880	omcoh.exe
4816	uzdos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omcoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzdos.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe
4816	uzdos.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2880	2196	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	83
PID 2196 wrote to memory of 2880	2196	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	83
PID 2196 wrote to memory of 2880	2196	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	83
PID 2196 wrote to memory of 3236	2196	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	84
PID 2196 wrote to memory of 3236	2196	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	84
PID 2196 wrote to memory of 3236	2196	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	84
PID 2880 wrote to memory of 4816	2880	omcoh.exe	103
PID 2880 wrote to memory of 4816	2880	omcoh.exe	103
PID 2880 wrote to memory of 4816	2880	omcoh.exe	103

C:\Users\Admin\AppData\Local\Temp\a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
"C:\Users\Admin\AppData\Local\Temp\a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\omcoh.exe
  "C:\Users\Admin\AppData\Local\Temp\omcoh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\uzdos.exe
    "C:\Users\Admin\AppData\Local\Temp\uzdos.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
708d4cab483a659dedbb37738fb4ea21

SHA1
dba1910f9df879daf0939d0bcf18ff430c8020af

SHA256
a918b58f9417c9b57405dc592be62246050dc940b8ddd8861510844b1f6a3d07

SHA512
6832aba9774eb549d59a9055888d403d1c15a2c9b6ab989f7040bc2e599732fc17f20f9b0481ad91ef612cebf64f45902a8352a4b3a7309bbe9565eac3ce1c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fb0becc6c75cd25a5fdaaab7403afc9f

SHA1
75341fcbfa57b376634887f4c508680691fda780

SHA256
7208653770122c55a20d50edbfa536924d92e361e783b729d5de5884fd95981b

SHA512
24ad8d63bc396d83e4c37b621e03e079add2978033cf12f8b0bed766acc3dcc9907960e647814f3a929c5bd0aaed13bc321513b8a0160038944c6e28a57efaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\omcoh.exe

Filesize
271KB

MD5
d602f19f1d9a6ef8db80f41a3fc038e8

SHA1
791027fd8393718a6c7f700c2ca4d4a7b27b4083

SHA256
9e337ef8bcc5e3f8d4e2a021358ce3ac70ccc2258402f6671692995720827601

SHA512
49918090fff81bd9c4ed2ada1853e4bdf8ff7ad04d2332ffe6d423c4f0bcd8bd5c5cc937dcc8cc824f26c93287ee11a6238745ef5155aa72226bfe11538d79b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzdos.exe

Filesize
291KB

MD5
bc0b8385c731ac49fb0e36585013b894

SHA1
c7dc1ff21f54f5d5d7f665ba23c0c3a9f7255b66

SHA256
7bac99135e66a5529b5fb096c574fa5f9614813f7d09651e56c90c40fbc701e1

SHA512
f03d453fa1410883197cd3e6a8ccaa58aff1a1064343b15f5da561faf9c8fac2520d7f2ea7bb8e00db1904123b14939aa8f439a363aeffdfffe169ffbc8c4985

Download Submit
memory/2196-0-0x0000000000B20000-0x0000000000B8E000-memory.dmp

Filesize
440KB

Download
memory/2196-1-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

Filesize
8KB

Download
memory/2196-17-0x0000000000B20000-0x0000000000B8E000-memory.dmp

Filesize
440KB

Download
memory/2880-13-0x0000000000370000-0x00000000003DE000-memory.dmp

Filesize
440KB

Download
memory/2880-14-0x0000000000C80000-0x0000000000C82000-memory.dmp

Filesize
8KB

Download
memory/2880-20-0x0000000000370000-0x00000000003DE000-memory.dmp

Filesize
440KB

Download
memory/2880-21-0x0000000000C80000-0x0000000000C82000-memory.dmp

Filesize
8KB

Download
memory/2880-39-0x0000000000370000-0x00000000003DE000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing