urelas | 0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3

General

Target

0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe
Size

593KB
MD5

9474fecc38dce4cd41032608f2ceb528
SHA1

8f5ab9143beadf50ac100f9acc972b255f668055
SHA256

0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3
SHA512

db95e17a11b74ee77a8ab15118a39ed677e84d8456c0b2a051592a6428a543ef611abed3c48c975c222332f53b86338080c95b8cec0eca1746cd576dadfdefa6
SSDEEP

6144:CZKHKSIl0SatLPTUrjBpAs/mpYIqaaUN44Iq766ztAkOHn0LHZRF:C4jm0Sat7Az/gZvTIq2WKkw0FT

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	lehid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe

Executes dropped EXE 2 IoCs

pid	Process
3640	lehid.exe
4688	fuzuq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lehid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuzuq.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe
4688	fuzuq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 3640	1648	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	83
PID 1648 wrote to memory of 3640	1648	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	83
PID 1648 wrote to memory of 3640	1648	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	83
PID 1648 wrote to memory of 768	1648	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	84
PID 1648 wrote to memory of 768	1648	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	84
PID 1648 wrote to memory of 768	1648	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	84
PID 3640 wrote to memory of 4688	3640	lehid.exe	92
PID 3640 wrote to memory of 4688	3640	lehid.exe	92
PID 3640 wrote to memory of 4688	3640	lehid.exe	92

C:\Users\Admin\AppData\Local\Temp\0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe
"C:\Users\Admin\AppData\Local\Temp\0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\lehid.exe
  "C:\Users\Admin\AppData\Local\Temp\lehid.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Users\Admin\AppData\Local\Temp\fuzuq.exe
    "C:\Users\Admin\AppData\Local\Temp\fuzuq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b8238cf0c1a9e2cb268143e19df5b714

SHA1
e71395251a8f69a5ce312aa47b2cd4d73576e16f

SHA256
830d361f3d638a7a707d4c3ffdb37cae095102707b4d043f5220a5acae15ba4d

SHA512
d76d26dbf1a107f26adde7f12b8b0a818427ae8fb4bd72f5a9113d3bbb4c26745784dfb8a0a4704f9ff417ea33630d6ae08c88b272a538975baf1147e6132cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuzuq.exe

Filesize
323KB

MD5
d5336b776ebc2a8575e8fde09d70ec4a

SHA1
dfe05c752f17512eaf91f3db3e95887b91f60b33

SHA256
bbba7a82b45e39417c9af18ca66c65a3dfbb13084173b1972e5f7dc52a8bc9f2

SHA512
fb451b4299d87e18f48780d641372291b4aa6ab52bf91c200db5d2a114c9d22e2f4074777960731a2fbe2b713717ac1ca6575ebd947b3296ca2f9fa71867402b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2bb6d710fd52176f8e0e1f18b541e4f7

SHA1
475bc0015d06635747370cd2f29d04b6772dfd13

SHA256
2e7333543913c3be88a38af9617f2f921ec5072320e14db2d83aaa779639de06

SHA512
a28ee458fe730660ac13d36818744579eda52592e45ae0ac9aedb5fbcd6fe15765def7a95d69026240d1f3e903a75188484f4319923a594dc637ccb606f3d080

Download Submit
C:\Users\Admin\AppData\Local\Temp\lehid.exe

Filesize
593KB

MD5
92afec48f2c7f25c11a0054583cf751b

SHA1
fddd152d0194554134d3f030a2a39190ee56ceed

SHA256
6abef79db84535d9382089faeaee3b8ada9f8a2ba1d46def9ead2f605cd90f64

SHA512
d8087a1d266a96c374e343caa59a59c39fddbb593c3bb9dd8c61b76590582dfc6794e1cb63ba88a2347dd22b2c30d4867789253afbb82121f8107f249008d8dd

Download Submit
memory/1648-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3640-11-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4688-24-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4688-25-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4688-27-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4688-28-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download

Analysis

Sharing