urelas | bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904

General

Target

bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe
Size

337KB
MD5

5ce7a119af90e0558ac742b7ff225c75
SHA1

25c01e283782c843a1600e626960d968aead0a70
SHA256

bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904
SHA512

5da612dbe40bbb694ea1831a885dc7ad5a21f2f0ffa60b5bf0b026ed9db66eb8f0dac22a0c5c0a9a0ee0e39759bccdd66b8d925282f94c259564f4c29c5d1874
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcV7:vHW138/iXWlK885rKlGSekcj66ciw

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	pixig.exe

Executes dropped EXE 2 IoCs

pid	Process
4664	pixig.exe
4028	hiofo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pixig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hiofo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe
4028	hiofo.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 4664	4084	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe	83
PID 4084 wrote to memory of 4664	4084	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe	83
PID 4084 wrote to memory of 4664	4084	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe	83
PID 4084 wrote to memory of 2572	4084	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe	84
PID 4084 wrote to memory of 2572	4084	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe	84
PID 4084 wrote to memory of 2572	4084	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe	84
PID 4664 wrote to memory of 4028	4664	pixig.exe	95
PID 4664 wrote to memory of 4028	4664	pixig.exe	95
PID 4664 wrote to memory of 4028	4664	pixig.exe	95

C:\Users\Admin\AppData\Local\Temp\bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe
"C:\Users\Admin\AppData\Local\Temp\bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Admin\AppData\Local\Temp\pixig.exe
  "C:\Users\Admin\AppData\Local\Temp\pixig.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\hiofo.exe
    "C:\Users\Admin\AppData\Local\Temp\hiofo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
6880b3379b9d40192e5012b8c8cb3222

SHA1
e357f42e373ae361fae6047eb190e3c9890a94a9

SHA256
3c691ecfa121e010e049f3d10dcc1c8451a92200ecf7ff6fc86160ea8dfc944e

SHA512
8b6cb9c7d6db9ffb4bd7fd7aa58aab5778cca5e2641b7aa362ece5b32575a9cd2d4dd7859e4251f9ecf6c6c861aa7b3d8c1877babcde20db9c05f2afa68855ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cdd61950315c0a4b13d3bd69cbb0273f

SHA1
4c6cc263de69856f8ab3291849fc56682c8fe806

SHA256
4c5dd7dc6f7bf392b890339795d98de644b24d9fad56da74566febf308362120

SHA512
2107fc72f5c04a63e50862f3a1fb962aba1978de44af94129dac0d68d94b50f3779cc0eff65bd23afc1d08c93edb33d7f7f0497e3204b4adce96d0550fe8590f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiofo.exe

Filesize
172KB

MD5
acbd4ba4930078ee41ba98c8eec2be4a

SHA1
1fce14e1811e8bb48537db1ada986363fef3595c

SHA256
2cd44380446f5832a652e86d4228e81d6fe4b04135206bc349b84a29d7e5c49f

SHA512
4ba83644e6baf7cc22caaf68e9d25cc59f0f3ee945bc61274e2e5ebbf76460a8e76bc052ecdfe46183e069e6c36873a80567521e44c0416faf617b8c7311d2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pixig.exe

Filesize
337KB

MD5
5ebff7b2af5de1b3813512f8c5200319

SHA1
734b78fbb17d33b35ea4906b433effb2b4dfcc64

SHA256
7c0ca5d9423a6d83ff7cf438ddd938fcf5999159eaa1be639b321bec3df383b2

SHA512
2c8dafa6988c0900bbb74ba8d75b35a67dd34c5c82d8036925b788644d7f9ed34ce8c24d6a4a4b29c651879885b16d25ec22cf0562639ebf938efe3805fe1e2e

Download Submit
memory/4028-44-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/4028-47-0x00000000007A0000-0x0000000000839000-memory.dmp

Filesize
612KB

Download
memory/4028-46-0x00000000007A0000-0x0000000000839000-memory.dmp

Filesize
612KB

Download
memory/4028-41-0x00000000007A0000-0x0000000000839000-memory.dmp

Filesize
612KB

Download
memory/4028-37-0x00000000007A0000-0x0000000000839000-memory.dmp

Filesize
612KB

Download
memory/4084-1-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4084-0-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/4084-17-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/4664-11-0x0000000000830000-0x00000000008B1000-memory.dmp

Filesize
516KB

Download
memory/4664-21-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/4664-40-0x0000000000830000-0x00000000008B1000-memory.dmp

Filesize
516KB

Download
memory/4664-20-0x0000000000830000-0x00000000008B1000-memory.dmp

Filesize
516KB

Download
memory/4664-14-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing