urelas | 084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963db

General

Target

084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe
Size

336KB
MD5

1b86aa4c7c6b949ca2bb3f9dcb7da180
SHA1

03f2fb8c4293107e31ea4bd79caa450f2481bc5b
SHA256

084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963db
SHA512

3f4ff90189221e07ca303fab43df3d9056f7fdce115af757c268450d904968537abd370e4000261ec5b82394d563bfe6c27555386b75987d4ec1a0b396a556c3
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcV8:vHW138/iXWlK885rKlGSekcj66cil

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	meqee.exe

Executes dropped EXE 2 IoCs

pid	Process
2968	meqee.exe
3136	sucuj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	meqee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sucuj.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe
3136	sucuj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 2968	316	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe	83
PID 316 wrote to memory of 2968	316	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe	83
PID 316 wrote to memory of 2968	316	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe	83
PID 316 wrote to memory of 4140	316	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe	84
PID 316 wrote to memory of 4140	316	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe	84
PID 316 wrote to memory of 4140	316	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe	84
PID 2968 wrote to memory of 3136	2968	meqee.exe	103
PID 2968 wrote to memory of 3136	2968	meqee.exe	103
PID 2968 wrote to memory of 3136	2968	meqee.exe	103

C:\Users\Admin\AppData\Local\Temp\084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe
"C:\Users\Admin\AppData\Local\Temp\084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\meqee.exe
  "C:\Users\Admin\AppData\Local\Temp\meqee.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\sucuj.exe
    "C:\Users\Admin\AppData\Local\Temp\sucuj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
67a56aaa62b91c3cd7aab35fcd3af867

SHA1
98bb1c207b8abe6cb9effd63acc12e38eadfe2da

SHA256
daeac78219c24c64d8f1edb80059e024de0c7a900d94d542056a4cad73d35a18

SHA512
5d1d7065979ca65d42eb9e2d67feaed27459b2336023b9a736fe45cc1c34bad22d3dab3f956fd1de064bdd08ccc5eb11dab98c630da9c8c520b5102b2e7e6570

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3f7b06c223294f28ecc530f9d8ed7acd

SHA1
e832949bb0ee36e711bca9e72dc527770fff440c

SHA256
2e7f2a6311a4e26094c7ac6a2b40e8f483e9e8d63d7a6cb11e0839a1fb6ad35f

SHA512
d5f037a1db31edc93736bf57278dec610d02602e90b488b637cc707c191e7fa9a4f0c5124a95aa16c02c1cc46d83229b18fa93d400aea1ad48c03a3f1818405a

Download Submit
C:\Users\Admin\AppData\Local\Temp\meqee.exe

Filesize
336KB

MD5
f518803780336fb25f9e4862dca0ee1c

SHA1
aba597d9643709cd67c7419e7c33853dcd183fc7

SHA256
7b450c2f5e0993504196fd858574dddbeae1ad13ae51185b89ca92c223ee8468

SHA512
9aeda03952a34bbb221b0c120835c3fcec64056c47dbdd4ff8b80f71f5d86b4857e8a8662b6a7423c0b56dcd74e55379b4cf7628091b16802093b9c9a9b24c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\sucuj.exe

Filesize
172KB

MD5
fc2fad25851e2ee268dd03ebef25231e

SHA1
9a15d7d772f8d290f75605c2a24ac4092720cdfa

SHA256
87b4d98d5f002fbf5ab7f91d2371a3f5efcf60f0ef8f03fc5c911f12d3a13422

SHA512
7242fb16920a07c8a6d2868efd6cb66a51d36fc2d372b6a9fcbe49ef32fcede5f0d8a92c295b663008980b066032c84101218d2b54f1090db48ccd28832ecf71

Download Submit
memory/316-1-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/316-0-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download
memory/316-17-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download
memory/2968-20-0x0000000000860000-0x00000000008E1000-memory.dmp

Filesize
516KB

Download
memory/2968-11-0x0000000000860000-0x00000000008E1000-memory.dmp

Filesize
516KB

Download
memory/2968-14-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/2968-40-0x0000000000860000-0x00000000008E1000-memory.dmp

Filesize
516KB

Download
memory/3136-38-0x0000000000350000-0x0000000000352000-memory.dmp

Filesize
8KB

Download
memory/3136-37-0x0000000000610000-0x00000000006A9000-memory.dmp

Filesize
612KB

Download
memory/3136-41-0x0000000000610000-0x00000000006A9000-memory.dmp

Filesize
612KB

Download
memory/3136-46-0x0000000000350000-0x0000000000352000-memory.dmp

Filesize
8KB

Download
memory/3136-45-0x0000000000610000-0x00000000006A9000-memory.dmp

Filesize
612KB

Download
memory/3136-47-0x0000000000610000-0x00000000006A9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing