urelas | 4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6

General

Target

4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe
Size

335KB
MD5

8e592493f4396101c59cc31a5176b580
SHA1

a982d8305da273c5517f3cd35176c8146ee97bb4
SHA256

4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6
SHA512

8d7adf013194a3d1507d05956996a05f3e961816f6df800f5cf9e97499b9ee7393dd6d3d4544131eeff513cd1cc44a2cf2e024c19355090a1b48c966a99d6164
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIrY:vHW138/iXWlK885rKlGSekcj66ciy

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	izmix.exe

Executes dropped EXE 2 IoCs

pid	Process
2572	izmix.exe
4964	xedob.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	izmix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xedob.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe
4964	xedob.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2572	212	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe	82
PID 212 wrote to memory of 2572	212	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe	82
PID 212 wrote to memory of 2572	212	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe	82
PID 212 wrote to memory of 1152	212	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe	83
PID 212 wrote to memory of 1152	212	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe	83
PID 212 wrote to memory of 1152	212	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe	83
PID 2572 wrote to memory of 4964	2572	izmix.exe	94
PID 2572 wrote to memory of 4964	2572	izmix.exe	94
PID 2572 wrote to memory of 4964	2572	izmix.exe	94

C:\Users\Admin\AppData\Local\Temp\4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe
"C:\Users\Admin\AppData\Local\Temp\4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Local\Temp\izmix.exe
  "C:\Users\Admin\AppData\Local\Temp\izmix.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\xedob.exe
    "C:\Users\Admin\AppData\Local\Temp\xedob.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
97165f500ef26497cbb33f984ff6ed11

SHA1
936c9548cda4108c60f3b15f9736199e97ae0170

SHA256
782352fb18b89f636c1f1664309984b1853e1a6567513e45ef4dc445e93893b3

SHA512
1b30599891aa07950850a7ac7ae34316501ee6f3ea01ce0c26af443c71e8e419ba4341d80f0a74362944b1b0cfad8afba38094f543fdd1995c81241e9c061081

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4f71ef62e800d17d5527ad5015ade7cc

SHA1
9834029101a2b4057691da76c4d03272d6bf0d90

SHA256
d016892a06917f394c2eacce624901f9f68504785276a476f6c75163e5ae501d

SHA512
efd01855d9e763175ecc4ee509dc4e8f8ddd6da74f218a1d0c11c010c905b13d6cadf48091559b4bfb0e5ed37e5efbd25fdf56956833a712b5c2da9c826c4f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\izmix.exe

Filesize
335KB

MD5
060d21ef459416f701a313dbb6554822

SHA1
d7848b5b6dc1074f3cfb3a053332c301a138be8f

SHA256
1dedc1d983f3cd1cf8c1e52435e08121f65465998b23eafcafd64280ee606d44

SHA512
74996f486c4595f5e286f20d27a5b178b00714f0f9a5811441842968c17ca05f1e00a2fc0ea2723c7e23fec7c383bf88ef5f153eaca1ae4edc2bbd8b33a0ce71

Download Submit
C:\Users\Admin\AppData\Local\Temp\xedob.exe

Filesize
172KB

MD5
b922f6985c7fead0e792c85b3448ab29

SHA1
ec401e7a16b4a08c3838488ef766b22647c31237

SHA256
24074fedb7294aa22336081cc6c0189bdfb04132c9b0412a94120292c8d6d3e9

SHA512
59912b4c4a573dc769e636310330c7c33ea43a4308d2d1d90602d7e141305d7db1339e86610bb7730c3204b3d78ab113bdab6195d9f7f7a72ed0418af621e026

Download Submit
memory/212-1-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/212-0-0x0000000000F40000-0x0000000000FC1000-memory.dmp

Filesize
516KB

Download
memory/212-17-0x0000000000F40000-0x0000000000FC1000-memory.dmp

Filesize
516KB

Download
memory/2572-20-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/2572-11-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/2572-14-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/2572-43-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/4964-38-0x0000000001110000-0x0000000001112000-memory.dmp

Filesize
8KB

Download
memory/4964-37-0x0000000000D60000-0x0000000000DF9000-memory.dmp

Filesize
612KB

Download
memory/4964-39-0x0000000000D60000-0x0000000000DF9000-memory.dmp

Filesize
612KB

Download
memory/4964-45-0x0000000001110000-0x0000000001112000-memory.dmp

Filesize
8KB

Download
memory/4964-46-0x0000000000D60000-0x0000000000DF9000-memory.dmp

Filesize
612KB

Download
memory/4964-47-0x0000000000D60000-0x0000000000DF9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing