urelas | 94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514

General

Target

94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe
Size

336KB
MD5

19b406150aae970923a4e9bc42c66055
SHA1

4e9391aa9520c698034cca8a91327ddd600e5a33
SHA256

94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514
SHA512

f21ac5c482a4089248f113e3048b71c977764a53c2d962ccb4dc81475be4533d32bf496d776f5a9bc806281db5a6db5bb66e045a54047ad550d2cb81553bd1c6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoH:vHW138/iXWlK885rKlGSekcj66ciI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	buxyu.exe

Executes dropped EXE 2 IoCs

pid	Process
3980	buxyu.exe
644	xapoj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buxyu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xapoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe
644	xapoj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 3980	4572	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	82
PID 4572 wrote to memory of 3980	4572	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	82
PID 4572 wrote to memory of 3980	4572	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	82
PID 4572 wrote to memory of 2012	4572	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	83
PID 4572 wrote to memory of 2012	4572	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	83
PID 4572 wrote to memory of 2012	4572	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	83
PID 3980 wrote to memory of 644	3980	buxyu.exe	94
PID 3980 wrote to memory of 644	3980	buxyu.exe	94
PID 3980 wrote to memory of 644	3980	buxyu.exe	94

C:\Users\Admin\AppData\Local\Temp\94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe
"C:\Users\Admin\AppData\Local\Temp\94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\buxyu.exe
  "C:\Users\Admin\AppData\Local\Temp\buxyu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\xapoj.exe
    "C:\Users\Admin\AppData\Local\Temp\xapoj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a50f54bc29a7cdfb931e2bf8607a518e

SHA1
8b117c06e00f4d79b128f8367d6900d999e971cc

SHA256
84cae3b8371c6af45250f3a8eef7cba289acc45afc0c810acbaf4efabf9b48df

SHA512
be6afa81df2fc657bc6fa3978a6784fe16f3e6393b264b34164eff8f77794a0e34bf894e38dec5cc1c22138d65099053c0848839d87d46c4d4701b363c1fd322

Download Submit
C:\Users\Admin\AppData\Local\Temp\buxyu.exe

Filesize
336KB

MD5
af5152d2a268af00a9e1bb7c543337f3

SHA1
229b442c8c96aeb01cdb27a3e968ea599da803a1

SHA256
71d55c06747d17457f483061c3cb110e83940bd483dea382b5534aef8f4689d4

SHA512
de7f5a51aa6f804a0fe7146a6cfe2f0bd370ca5f0c092bc6059019a8f1e21ba8a651ce719340fb35609f63dad89b124547441c7e65ea2555c8efa487860b9ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1113bb6130a70bc1e8729181534eb476

SHA1
3284ab98b8d80de788fcaa769a6cb912effcdf9a

SHA256
1d3130292b1bd0c790805e14d7c84be9bc05080ef6234b307e07f6a8b98f5c60

SHA512
b4b7f1616570736adb66d1120fb54adf083d7c7d41242c11531ef9373a5e8624742434c53c05631bb60a6e78263a4b5488445b9b71b05f45c8abec55c9591a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\xapoj.exe

Filesize
172KB

MD5
ecdef2c6d8e5ab6a77431290307db6f5

SHA1
210ddc4363480800b3bc0749283f6e45f74038c1

SHA256
58fb38d581ae7be0636e08099afafa544fec41e50b0c16813e50f59ef4e3de6d

SHA512
c5b2dea5fba596378d93f014b960136ba2465893fcb616b53b998754e8f39da9f10d30ee036b6ef62dd10a8a3a10e92409d4204eb5d4f061738e71a9e2ffe83f

Download Submit
memory/644-48-0x0000000000DD0000-0x0000000000E69000-memory.dmp

Filesize
612KB

Download
memory/644-46-0x0000000000DD0000-0x0000000000E69000-memory.dmp

Filesize
612KB

Download
memory/644-47-0x0000000000810000-0x0000000000812000-memory.dmp

Filesize
8KB

Download
memory/644-42-0x0000000000DD0000-0x0000000000E69000-memory.dmp

Filesize
612KB

Download
memory/644-41-0x0000000000810000-0x0000000000812000-memory.dmp

Filesize
8KB

Download
memory/644-38-0x0000000000DD0000-0x0000000000E69000-memory.dmp

Filesize
612KB

Download
memory/3980-13-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/3980-21-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3980-20-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/3980-40-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/3980-14-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/4572-17-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/4572-0-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/4572-1-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing