urelas | d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad

General

Target

d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe
Size

335KB
MD5

80ae7de058edde7bbdc65889eccc79c0
SHA1

e6ad995afef94c2b82353fe091ba54dc610d1fb9
SHA256

d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad
SHA512

93662b5077180fa1bd52a643a8c209d73bdf7f6324eaf0323c1c4d08058c89124837ad0ebd23ba26797f6a76cf9a7d30887792fc4233ec4be6ce6b585f2d041d
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIrY:vHW138/iXWlK885rKlGSekcj66ciS

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	tonug.exe

Executes dropped EXE 2 IoCs

pid	Process
3276	tonug.exe
4660	cusak.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tonug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cusak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe
4660	cusak.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 3276	2720	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe	83
PID 2720 wrote to memory of 3276	2720	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe	83
PID 2720 wrote to memory of 3276	2720	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe	83
PID 2720 wrote to memory of 2144	2720	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe	84
PID 2720 wrote to memory of 2144	2720	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe	84
PID 2720 wrote to memory of 2144	2720	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe	84
PID 3276 wrote to memory of 4660	3276	tonug.exe	104
PID 3276 wrote to memory of 4660	3276	tonug.exe	104
PID 3276 wrote to memory of 4660	3276	tonug.exe	104

C:\Users\Admin\AppData\Local\Temp\d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe
"C:\Users\Admin\AppData\Local\Temp\d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\tonug.exe
  "C:\Users\Admin\AppData\Local\Temp\tonug.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Users\Admin\AppData\Local\Temp\cusak.exe
    "C:\Users\Admin\AppData\Local\Temp\cusak.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
cc7359730ecf5305850fbf9a551cd13e

SHA1
3bfc072700ef72e05f823f9ed435eda37e92e381

SHA256
690fc72c85d81367c9b6232b90a5d5646b8b9edb01f2c39470a9a69a468e9573

SHA512
85ad19d1f2609b511fd2c996330c77b5a6b38f35921aa2591aee71c5aff96564da60359d05a19112fa82e1585d60bb3a72af61660653ec332a17b44a1634b132

Download Submit
C:\Users\Admin\AppData\Local\Temp\cusak.exe

Filesize
172KB

MD5
e2bfaa9c72e848c7adb64c0b7a7c2e1e

SHA1
28e5d16d225b8b5324051c9f5c1f1b910dcbcb73

SHA256
acce771637ee516cb68572ee4ebefa9cd2027e32c1352f42afe7f6b036d0dcee

SHA512
e93b12969c2a1747da7f3f6c206425fb39c5b1c6413d217cb7be20360223bdec759a05e7380e85fe01adba610ac9db20fc749f2fcc6545f059f829385437bbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1e855700e736402c7efa58a0e1b640c3

SHA1
3b636f3bfb860e340f76d1b3ba6d3aeff480a4aa

SHA256
79425726d9263a7ffa04073beb74b0ba3e05396115a445d15406272142afc6da

SHA512
b6b86c39c0b61ad131419bd5a8b6202cd0e180fd1adeaa7e02ee179f963e05fd6190a5b04a07d7b9857c1a5a6705733d3e2498d5658725d02fe3c2c5b475ac8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tonug.exe

Filesize
335KB

MD5
40a452ab1673dfe87b77a7765f41daa4

SHA1
0773c6f9e255a064293b6bbb1e06b70c0c26380f

SHA256
d77c2e9f09eb23f9c523349f917fbb5de455c24443fb076162ccfeb6be50c282

SHA512
d9f42d5a95ff030626785e8c92aea7baf02f1226c2d5b55e30932d7c96870d9d156a9164875b22ab7bf6fb1889cb95dd86eecab2678b9f5e00991bf27e090ee2

Download Submit
memory/2720-1-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/2720-0-0x0000000000730000-0x00000000007B1000-memory.dmp

Filesize
516KB

Download
memory/2720-17-0x0000000000730000-0x00000000007B1000-memory.dmp

Filesize
516KB

Download
memory/3276-20-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/3276-12-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/3276-21-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3276-13-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3276-41-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/4660-39-0x0000000001400000-0x0000000001402000-memory.dmp

Filesize
8KB

Download
memory/4660-38-0x00000000007C0000-0x0000000000859000-memory.dmp

Filesize
612KB

Download
memory/4660-42-0x00000000007C0000-0x0000000000859000-memory.dmp

Filesize
612KB

Download
memory/4660-46-0x0000000001400000-0x0000000001402000-memory.dmp

Filesize
8KB

Download
memory/4660-47-0x00000000007C0000-0x0000000000859000-memory.dmp

Filesize
612KB

Download
memory/4660-48-0x00000000007C0000-0x0000000000859000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing