urelas | 0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7

General

Target

0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe
Size

404KB
MD5

17d6774357d1ed5cbe298a518e2c0cc0
SHA1

372a1facdf5eb371da9299e53626cbd50abeb982
SHA256

0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7
SHA512

3831174ef07e211504fa9e1c3af376f097d21077cc0ef12e56b458971872a7d8f79b70dc97de7ef51a8d400f799f77f6267e237dd581e4eeb517edfda40ff1c3
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohw:8IfBoDWoyFblU6hAJQnOa

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	miqii.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	gigaqe.exe

Executes dropped EXE 3 IoCs

pid	Process
2116	miqii.exe
1560	gigaqe.exe
3500	ewibb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewibb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	miqii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gigaqe.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe
3500	ewibb.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 2116	3276	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe	83
PID 3276 wrote to memory of 2116	3276	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe	83
PID 3276 wrote to memory of 2116	3276	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe	83
PID 3276 wrote to memory of 4952	3276	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe	84
PID 3276 wrote to memory of 4952	3276	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe	84
PID 3276 wrote to memory of 4952	3276	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe	84
PID 2116 wrote to memory of 1560	2116	miqii.exe	86
PID 2116 wrote to memory of 1560	2116	miqii.exe	86
PID 2116 wrote to memory of 1560	2116	miqii.exe	86
PID 1560 wrote to memory of 3500	1560	gigaqe.exe	103
PID 1560 wrote to memory of 3500	1560	gigaqe.exe	103
PID 1560 wrote to memory of 3500	1560	gigaqe.exe	103
PID 1560 wrote to memory of 1836	1560	gigaqe.exe	104
PID 1560 wrote to memory of 1836	1560	gigaqe.exe	104
PID 1560 wrote to memory of 1836	1560	gigaqe.exe	104

C:\Users\Admin\AppData\Local\Temp\0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe
"C:\Users\Admin\AppData\Local\Temp\0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Users\Admin\AppData\Local\Temp\miqii.exe
  "C:\Users\Admin\AppData\Local\Temp\miqii.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\gigaqe.exe
    "C:\Users\Admin\AppData\Local\Temp\gigaqe.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\ewibb.exe
      "C:\Users\Admin\AppData\Local\Temp\ewibb.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
b2e941547929052bf4cfe0000bbf3c48

SHA1
7d5a631ba0c21213f403ba68613555ca0222410b

SHA256
a98b9d3f7f65f69aca4da61f99d40f068a53df1c8e5fe5a3e8dae281e5ad511a

SHA512
3c1507faeacd4ac2c6f74408cd9e117770cc126b1432fa563425a38ef5ab85c3f462706dc7cd78f2ec5f7140d781c728c517dd54ed31cf5e014af78e9559e749

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
7672dfff1d9098cb1bfdd60a543eabfe

SHA1
edd393414659c3928c1415e10e462ac5d0ecae39

SHA256
25085223409c9fb24bb274e0af46e67bb76ef493c7d0234b7870ef8d37da9e17

SHA512
a388cfece0d17b1ffd54483111be34f542f9c0629adc2b82dc4cda85a0dd2f03779e2a659a61800b7d3ab0eef3bb7f4282238b9375c13a9bf54ea5b66b60d969

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewibb.exe

Filesize
223KB

MD5
f808e357d5af90f886dd11acb621a8f6

SHA1
c3555f8a9779868fb732ac4579d20bed9c417070

SHA256
f9b8ef8b499385b4153931cf10feb4647a8df5db05a5bfd2c963958ca2b3bc1b

SHA512
f9ebdf9ff62f38af416e14f3fc61453253e080c23f8e6071f0e01aad6293d75b639c6a3845c4be93602f0277b2a5e8a57d065ab536736fd29170e981adac1040

Download Submit
C:\Users\Admin\AppData\Local\Temp\gigaqe.exe

Filesize
404KB

MD5
35c89f12797cfa6a40267d0c62c9e423

SHA1
d34dfe6b33c7075d0b29d113cd25fd3f95892e52

SHA256
788147a4ef42be2c7b2be7ca6b8bac93030dbb09e789052faa8f8ad83e3a2b13

SHA512
3fb7918801b29b7bbd40a5d86f5275b4960ce5cd363cc762a921616afbbc356babd172ac3987a89ad9efcfa1d3bd5bf6fe2449e35bb541830555ba662fba11fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ee5479ff69a78e539c56f8808b9589b6

SHA1
6bbe945055f5d479b6c6acfcde26dc2e24aa03f8

SHA256
5b18138f4247bf091d3b0abbccdb42b15190585063be2b548039aa7d9a75fbec

SHA512
f9a1b6274d513c316dd08cf38fa6deba1e00d1cee687e631ee734e21db9745d52784fea5252c027995d9382294af1bce14c7f8bf7720f1a8594af8814f6c1e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\miqii.exe

Filesize
404KB

MD5
ef01d50df1fe59fd1fdf75c21973e6bc

SHA1
7913f2f9dcef6a035ca60d5616f4607a2d2b3d2c

SHA256
b1112b687d09805823f518bb61aa91b58f0da267b17ef9dfe243ca775d5c685a

SHA512
10eb09e4f03c49cac46012410b3a23965543bd87a434a6725ee8932221a45de6399e91577809b4637908030d1635f789220ed808b4188affeb825607df126b57

Download Submit
memory/1560-23-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1560-26-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1560-39-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2116-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3276-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3276-15-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3500-37-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/3500-42-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/3500-43-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing