urelas | d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164

General

Target

d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe
Size

336KB
MD5

36e12de34b6b64b1f73b9fa0a81c0b8e
SHA1

04468d239653de56d849aa888cda17243b2ccd52
SHA256

d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164
SHA512

b9c715b6c92cb63c2df631a2120a892a4d9a02792f219febbfb62611b23341ad8422faf861960d797b3baff5d09e474c342b03aedf5e0529378c99937c8b6927
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoU:vHW138/iXWlK885rKlGSekcj66ciN

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	soxap.exe

Executes dropped EXE 2 IoCs

pid	Process
5064	soxap.exe
1636	emzos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soxap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emzos.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe
1636	emzos.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 5064	2320	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe	82
PID 2320 wrote to memory of 5064	2320	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe	82
PID 2320 wrote to memory of 5064	2320	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe	82
PID 2320 wrote to memory of 3852	2320	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe	83
PID 2320 wrote to memory of 3852	2320	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe	83
PID 2320 wrote to memory of 3852	2320	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe	83
PID 5064 wrote to memory of 1636	5064	soxap.exe	94
PID 5064 wrote to memory of 1636	5064	soxap.exe	94
PID 5064 wrote to memory of 1636	5064	soxap.exe	94

C:\Users\Admin\AppData\Local\Temp\d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe
"C:\Users\Admin\AppData\Local\Temp\d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\soxap.exe
  "C:\Users\Admin\AppData\Local\Temp\soxap.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\emzos.exe
    "C:\Users\Admin\AppData\Local\Temp\emzos.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
75db3e253909f16e19dd402633778525

SHA1
626350eaa1d5a3a27317b08adb093d5be6eb6625

SHA256
d73a1329fad2105dfeb4c7690f0b44f2498f7b0246f65f0812c423c3a45e2ca6

SHA512
4ce319cfc8e1f81deb2dc77123d16824153602bc661dd59a670fec8945f48393c15d134aab62f62be68f3a43da69c5e0767106164bb941d5d621fab1c1422495

Download Submit
C:\Users\Admin\AppData\Local\Temp\emzos.exe

Filesize
172KB

MD5
94b25711ee58f3d2023ed396dae21818

SHA1
aa927fa9e0e319db1d6d0aaa5633a2ee5f75b487

SHA256
acabbb4a023d57fa2218f17c36d74561570ab1d6aa0abd4e93505afd2bd94ac8

SHA512
60efddc1c9546577d108dafade2932e231c74b2b52668c4719ae77a1881d6ff88121c581e785821f8d55bfbd88024230540673e8ca04569d2853733969a3cad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
50c757b77851b61da175c38178a9d86f

SHA1
80323f59c7219d995473c850bab8774dc3495b79

SHA256
f662595e78b9ca9ca65be79e316691980ee085a41246383feca41cf00b2e5992

SHA512
8640d9f8f49492e3e2c274dd9b241716c0aa642528d6060c08a292473a8d12f4477518dd32c5ace6786c5994f655b1816042e2fd9791007987236fd37ed1f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\soxap.exe

Filesize
336KB

MD5
1a1f8eafc14aed510af8db7badc383d2

SHA1
ba09b60f324bdc1e3ef17faf838fed28a6e3e066

SHA256
3dd54f888edbf1decfa9fce0f5a3989bb47c8b0843cef3c30e39aa118f7dbdca

SHA512
6000872e04d748be335578a029f350d1551ab76bb3824e168465a732d9c40411ee2457b3746af00a661476fe315e1562d9d999c02b2d578548972fd5fee546e8

Download Submit
memory/1636-48-0x0000000000450000-0x00000000004E9000-memory.dmp

Filesize
612KB

Download
memory/1636-37-0x0000000000450000-0x00000000004E9000-memory.dmp

Filesize
612KB

Download
memory/1636-46-0x0000000000450000-0x00000000004E9000-memory.dmp

Filesize
612KB

Download
memory/1636-47-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1636-42-0x0000000000450000-0x00000000004E9000-memory.dmp

Filesize
612KB

Download
memory/1636-41-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2320-17-0x0000000000230000-0x00000000002B1000-memory.dmp

Filesize
516KB

Download
memory/2320-0-0x0000000000230000-0x00000000002B1000-memory.dmp

Filesize
516KB

Download
memory/2320-1-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5064-14-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/5064-40-0x0000000000D80000-0x0000000000E01000-memory.dmp

Filesize
516KB

Download
memory/5064-21-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/5064-20-0x0000000000D80000-0x0000000000E01000-memory.dmp

Filesize
516KB

Download
memory/5064-11-0x0000000000D80000-0x0000000000E01000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing