urelas | dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8

General

Target

dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe
Size

336KB
MD5

e29710494d400a64651a10de4fd82fe0
SHA1

21dd2c7eee2fb406b1078ee2df2bde1094713022
SHA256

dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8
SHA512

244dd69cb51333474809d322b97e0afb5b90736ada760ecd6fef838eb97c6cabc94dc7d686e4538ba9ba067f33664be95e968dfd3c10a74aae1201debb1cfe66
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKN:vHW138/iXWlK885rKlGSekcj66cil

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	focow.exe

Executes dropped EXE 2 IoCs

pid	Process
1716	focow.exe
3820	wuosu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	focow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuosu.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe
3820	wuosu.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 1716	1588	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe	83
PID 1588 wrote to memory of 1716	1588	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe	83
PID 1588 wrote to memory of 1716	1588	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe	83
PID 1588 wrote to memory of 1188	1588	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe	84
PID 1588 wrote to memory of 1188	1588	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe	84
PID 1588 wrote to memory of 1188	1588	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe	84
PID 1716 wrote to memory of 3820	1716	focow.exe	103
PID 1716 wrote to memory of 3820	1716	focow.exe	103
PID 1716 wrote to memory of 3820	1716	focow.exe	103

C:\Users\Admin\AppData\Local\Temp\dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe
"C:\Users\Admin\AppData\Local\Temp\dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Users\Admin\AppData\Local\Temp\focow.exe
  "C:\Users\Admin\AppData\Local\Temp\focow.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\wuosu.exe
    "C:\Users\Admin\AppData\Local\Temp\wuosu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b0827e331ad9f8e0e4413158805e0656

SHA1
24094d926508d9b1ee6f49e448b1162cd5712e02

SHA256
61762aeeba1a0087c515e5edc89f0afa9f77f71843e5ca2d0bea90aa6836979e

SHA512
4776265b3860a07b33b190cff6f1fe945ec03b02a111e6ac648f32fcebfdaf9cdd25cca8c3dedde6af1750022eef9cbe1aa00a8ec06c56b9ea51e5a61d746f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\focow.exe

Filesize
336KB

MD5
718b26d78e007ae8e08d931863a6a2ec

SHA1
7ef8cce7672577029d177d71a3ccbb50b8f02486

SHA256
784435311504b1eec47d24da534178ca5cfaf39b56bc05a249d14014d86eeba2

SHA512
3893fd03d21b047f6cbcd7cdded9a5afae8c256d1a9c5facb81547e58ca0ba1b136e0f52f5225496a226e416958a5751619c56ed40e5354da884f50453a6f5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d1a5c1363bff5733cbe35d9c3c4270a8

SHA1
683502dd99a4aa50c97fe49380e4818debe7d2bc

SHA256
387e27fd27b72841d46225763f7fe398b8ed4df7f3b78d08d4ba5d5c26d80c76

SHA512
ed9bcc6fa28a0fc89afa6c651ef67e81ec550516d65273eec7d1c6a2074fc4f9ac3bd09ce90002d849c4a532e318c5f774b4af527fdce2a5d08803720a1f3e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuosu.exe

Filesize
172KB

MD5
360ab5f546c1ffd4a992ea774edd5b7d

SHA1
73c1ed3195256df579c53bf4e30c89ded24fdf80

SHA256
22b0613e6903be067414d4dcfc963a214f31a01ed02c9a3cb9979b6ab58be8c3

SHA512
d4b9e4257dc7d8149a46a783f1522290cb3fef4e22481801df6ed798eaf84dd71db537d165b95ab707cbb6e216ace98291b47fe3f0d3a5c2eae1ec8003e215f0

Download Submit
memory/1588-1-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/1588-0-0x0000000000260000-0x00000000002E1000-memory.dmp

Filesize
516KB

Download
memory/1588-17-0x0000000000260000-0x00000000002E1000-memory.dmp

Filesize
516KB

Download
memory/1716-21-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1716-14-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1716-20-0x0000000000060000-0x00000000000E1000-memory.dmp

Filesize
516KB

Download
memory/1716-11-0x0000000000060000-0x00000000000E1000-memory.dmp

Filesize
516KB

Download
memory/1716-40-0x0000000000060000-0x00000000000E1000-memory.dmp

Filesize
516KB

Download
memory/3820-37-0x0000000000C10000-0x0000000000CA9000-memory.dmp

Filesize
612KB

Download
memory/3820-41-0x0000000000C10000-0x0000000000CA9000-memory.dmp

Filesize
612KB

Download
memory/3820-44-0x0000000000BD0000-0x0000000000BD2000-memory.dmp

Filesize
8KB

Download
memory/3820-46-0x0000000000C10000-0x0000000000CA9000-memory.dmp

Filesize
612KB

Download
memory/3820-47-0x0000000000C10000-0x0000000000CA9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing