urelas | 117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53

General

Target

117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe
Size

271KB
MD5

73567e499ad40ab2d37748a1ce3dadf0
SHA1

3bdf5bc966604d0d5c099700e5dc5ca4c8593bd9
SHA256

117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53
SHA512

588b08150b6356b3e9e89a48164f4f3c7c779f2a585925b9ba8d142b949d6537af516f12d150f671fad06ea001634da9424106fd1fa3ce55d72f5314438b25cf
SSDEEP

6144:SPdhP7Vq2S8GYlH9LKeu5exdoW7KkYGuH6lY:uhPjSCKeu0oEYGTy

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ticud.exe

Executes dropped EXE 2 IoCs

pid	Process
4092	ticud.exe
3620	amovt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ticud.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amovt.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe
3620	amovt.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 4092	1600	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe	84
PID 1600 wrote to memory of 4092	1600	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe	84
PID 1600 wrote to memory of 4092	1600	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe	84
PID 1600 wrote to memory of 4300	1600	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe	85
PID 1600 wrote to memory of 4300	1600	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe	85
PID 1600 wrote to memory of 4300	1600	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe	85
PID 4092 wrote to memory of 3620	4092	ticud.exe	103
PID 4092 wrote to memory of 3620	4092	ticud.exe	103
PID 4092 wrote to memory of 3620	4092	ticud.exe	103

C:\Users\Admin\AppData\Local\Temp\117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe
"C:\Users\Admin\AppData\Local\Temp\117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\ticud.exe
  "C:\Users\Admin\AppData\Local\Temp\ticud.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\amovt.exe
    "C:\Users\Admin\AppData\Local\Temp\amovt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
a45ec746fe6711528ed98de386b55c4f

SHA1
79dcbb5a736e0a8cf7548e61edc31cde1e779255

SHA256
322d709677693f7d41a84d724d2cb638cfbd06bd1d652f4e1112bea3dedf9ae5

SHA512
5891c371f6b9d605b0b09f37c91c830f12ddaebef9fbfb390aafaa7c452f1707081f55dbd96482fd5d132caf2447341bb04b0fa24878867e5b27bbfbe3d073e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\amovt.exe

Filesize
291KB

MD5
3e20a735c22c1044bc2cc36caf2bbea6

SHA1
197d4e61dd6e57a3530cba93f5a162ce021e9789

SHA256
56e21bf3de1d4a183ce2e907e8f8aee76f476b7c361d6e9f6447a651b5b1bf36

SHA512
85173eb0e109f21ea866b74bb0a771c29e744acd765c4b2d837b9f94a4a34685629a5763203c5badd9c84a60e5d96dd2f61503b9265f1fe77fbc08bc3f1f7d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
dc5c4ec74cb689add4bbb1880a92392a

SHA1
68e3a7824ec80d95655cdc8c6aaf61a25633f51d

SHA256
e2910f00516b77068a497b264f1593b5a96a5ccc4436d81d8e49248961067f93

SHA512
94bd10974fa6074cea904dbbfe443b261a44ae93d6a701394724b8e125f625c0616758b9d819ece272819d693590e038b44b8b7e9a04f943603bbe582bc43895

Download Submit
C:\Users\Admin\AppData\Local\Temp\ticud.exe

Filesize
271KB

MD5
4cda3d16f1b837a075cb90a7e7e78577

SHA1
dd0399f6490cede3ddf3d6129ab9a374d2d6f5a9

SHA256
c863192e564e4f76d5e57c89b64509bba5041ef675cc500e0246f8f30f804840

SHA512
ca673d0983c3030dfd0456a37c8bdfd8aa0cdab7502ab08957e4274c37ab7257d16d360997c0ecde45662c1f03de4923b3f2d703f0f692b5fca0db3fd4b363b4

Download Submit
memory/1600-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1600-1-0x00000000010E0000-0x00000000010E2000-memory.dmp

Filesize
8KB

Download
memory/1600-17-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4092-14-0x0000000000B30000-0x0000000000B32000-memory.dmp

Filesize
8KB

Download
memory/4092-11-0x0000000000BB0000-0x0000000000C1E000-memory.dmp

Filesize
440KB

Download
memory/4092-20-0x0000000000BB0000-0x0000000000C1E000-memory.dmp

Filesize
440KB

Download
memory/4092-21-0x0000000000B30000-0x0000000000B32000-memory.dmp

Filesize
8KB

Download
memory/4092-39-0x0000000000BB0000-0x0000000000C1E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing