urelas | 8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e

General

Target

8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe
Size

438KB
MD5

1e16dfa3fe9fc1be28d188c1af4f9051
SHA1

16e6279fcdfa6ffc4f064944223944fc6461a099
SHA256

8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e
SHA512

6662d4e5c6fa37c771a69c051ef764ab8eff924ef38e816fcb2af56e38baf52e73054ce0d39ed6b7f5dc309e044a702860993bae17efb9f345678602a1bff49e
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMMq:rKf1PyKa2H3hOHOHz9JQ6zB8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	duzon.exe

Executes dropped EXE 2 IoCs

pid	Process
5048	duzon.exe
4332	duvuh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	duzon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	duvuh.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe
4332	duvuh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 5048	2424	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe	83
PID 2424 wrote to memory of 5048	2424	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe	83
PID 2424 wrote to memory of 5048	2424	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe	83
PID 2424 wrote to memory of 5024	2424	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe	84
PID 2424 wrote to memory of 5024	2424	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe	84
PID 2424 wrote to memory of 5024	2424	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe	84
PID 5048 wrote to memory of 4332	5048	duzon.exe	103
PID 5048 wrote to memory of 4332	5048	duzon.exe	103
PID 5048 wrote to memory of 4332	5048	duzon.exe	103

C:\Users\Admin\AppData\Local\Temp\8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe
"C:\Users\Admin\AppData\Local\Temp\8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\duzon.exe
  "C:\Users\Admin\AppData\Local\Temp\duzon.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Users\Admin\AppData\Local\Temp\duvuh.exe
    "C:\Users\Admin\AppData\Local\Temp\duvuh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
88707e9bd4771b4235df497a8dbd698b

SHA1
48b28b3b7402cd2fdce6fab599b85ba6bdedb3ad

SHA256
64e2a781d7433b7ba1ec8e25b6423cb5ab97c88d630be869d9fae3e7b9eb882a

SHA512
b1451923ed5e0025bce05761465a02252ac6d20c8f408c82fd1640f8e082fa2fee25fbd2c9ea26107d1065dd6fdac0f5968b3318c9727c834475f25548fd5f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\duvuh.exe

Filesize
230KB

MD5
99ce0f8fe7cffaba02ef31a1fec03b51

SHA1
dfe2be71a95bcfdce6cf7251de53c8b26e60eab3

SHA256
ecc6ece809451c895f90e68a30202f4f2b66fde521ccee76001dc6d90ac63a80

SHA512
f2dd03065f91b93d1b2b7a82cded8aae5ad2e97ef42e731ef9bcfd3923a33cab85295cd66f8adb7358a441aa137ad3ef01ea81739d801a7aeb2c6d00e5608f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\duzon.exe

Filesize
438KB

MD5
52f34c70d59df79bb694512cfd16beac

SHA1
58a40735b183fe40a7ce2777560b903e37470898

SHA256
9ef006942617602c2e06fd933d8cc488284033216d751df5ef689553cce67e6b

SHA512
3219606bf99938d6efbc434f878a21bfce2e3b4655abc8417a9cb1e57675cf724edb7955be5b9e821e9716b88a1a72eeff28a1b73ab66c6337a6b658a33a6a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
565ae9ed868be3fd2802b9874c0fd186

SHA1
77275f173cd1b2e7624c5d25a513a658c64591b5

SHA256
70bfbaf7a6d24d4212cfd9c4a3ca72a330d0961b7a5573fe8cf08b62dfcc28ad

SHA512
1afb1100c5928be3420c33e2e12deb1b4d082803028c805231ad5a5ea964f1b880e24e4b5e576cf0c50c7724986867e84008d9727a89b8b8f29386cfab7e85cf

Download Submit
memory/2424-0-0x0000000000DD0000-0x0000000000E3E000-memory.dmp

Filesize
440KB

Download
memory/2424-14-0x0000000000DD0000-0x0000000000E3E000-memory.dmp

Filesize
440KB

Download
memory/4332-28-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/4332-26-0x0000000000570000-0x000000000060E000-memory.dmp

Filesize
632KB

Download
memory/4332-30-0x0000000000570000-0x000000000060E000-memory.dmp

Filesize
632KB

Download
memory/4332-31-0x0000000000570000-0x000000000060E000-memory.dmp

Filesize
632KB

Download
memory/5048-17-0x0000000000FA0000-0x000000000100E000-memory.dmp

Filesize
440KB

Download
memory/5048-10-0x0000000000FA0000-0x000000000100E000-memory.dmp

Filesize
440KB

Download
memory/5048-27-0x0000000000FA0000-0x000000000100E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing