urelas | e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e

General

Target

e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe
Size

393KB
MD5

73005a47e70ee59905df8dc1d81cd2df
SHA1

86273bb1e238b77f5308f67217cb9d38899a9bf4
SHA256

e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e
SHA512

d76dae54212429764bbe8309f7b73de3c5e85ff4096cc4bffe390b82ebf1469bc4133aef0fe0d8c460923e60240f0573b5f0710c3fb354706b1faad82c47fa13
SSDEEP

6144:y5SXvBoDWoyLYyzbpPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrBS:yIfBoDWoyFboU6hAJQnrS

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ejjof.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fykexu.exe

Executes dropped EXE 3 IoCs

pid	Process
2112	ejjof.exe
4540	fykexu.exe
3308	vehue.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fykexu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vehue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe
3308	vehue.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 2112	4440	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe	82
PID 4440 wrote to memory of 2112	4440	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe	82
PID 4440 wrote to memory of 2112	4440	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe	82
PID 4440 wrote to memory of 4280	4440	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe	83
PID 4440 wrote to memory of 4280	4440	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe	83
PID 4440 wrote to memory of 4280	4440	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe	83
PID 2112 wrote to memory of 4540	2112	ejjof.exe	85
PID 2112 wrote to memory of 4540	2112	ejjof.exe	85
PID 2112 wrote to memory of 4540	2112	ejjof.exe	85
PID 4540 wrote to memory of 3308	4540	fykexu.exe	95
PID 4540 wrote to memory of 3308	4540	fykexu.exe	95
PID 4540 wrote to memory of 3308	4540	fykexu.exe	95
PID 4540 wrote to memory of 3180	4540	fykexu.exe	96
PID 4540 wrote to memory of 3180	4540	fykexu.exe	96
PID 4540 wrote to memory of 3180	4540	fykexu.exe	96

C:\Users\Admin\AppData\Local\Temp\e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe
"C:\Users\Admin\AppData\Local\Temp\e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\AppData\Local\Temp\ejjof.exe
  "C:\Users\Admin\AppData\Local\Temp\ejjof.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\fykexu.exe
    "C:\Users\Admin\AppData\Local\Temp\fykexu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\vehue.exe
      "C:\Users\Admin\AppData\Local\Temp\vehue.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
77c6e5622068c85905f2059b276189d6

SHA1
d5524adcbc8d3890444ca23d078820391b095219

SHA256
9f5d0cebec78e2298e46c84f246ddb9aec55e56f738eec0014e37844bbf3e3c7

SHA512
896f723cf8819457773089242d3de8846a2489a3a55fd67584ebc13617caad1eec19dd64c6e547e53725cf53f7af5f54cb24a7062dd34058e22a753695204752

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
e59bac5f1cd310a18397863769b894b9

SHA1
190928c3b9efbbc17f43e0ae2163b716dedbd63e

SHA256
395f91d954e87bb0d69016a2d9085624c41402fff84d4e783d8eef3def9f8680

SHA512
06762c398dade421620e4d5e1be4117bcce95fe0fcd97d32ad6891b6136239110264569511cbe182c6f75fe3157be30880d30ab233befd720cd2dbd777901e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejjof.exe

Filesize
394KB

MD5
ae156d883e51244c800fae5891eb27a4

SHA1
e8531c2de1f834d2d246abc791566693af41cb93

SHA256
deb97255984390e791aca78e8f30a63ee4fe11e9918b4898f5418f2938ff4f44

SHA512
89584e988c4e5e18e810ced9ebb0e55dda930e44ccb3b55ad7d606f4c96b59576124420ef247ebf3face0a7d24cb6904de5e9f4ce19a0588ef4fe1ed76c335ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\fykexu.exe

Filesize
394KB

MD5
b1871d404540bd38deb5318db15aea66

SHA1
9ecaef872b68232a911830323e335250e11b5f0e

SHA256
16016e6e6fff5f475bf117ab8ebcc81ac92b304fcd6ae683037ebb6c71c6a9d5

SHA512
0051dc7497a917da6ed4496e0fa695f752d3862cd88de8d481890c90eb669dbb368957aa40d8cbae34af762884e1ba9348f5a98db13cd0ec7712d665ad94776b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
56f18abeffed60fb960050f55a03d2d8

SHA1
56388d9cb71f480409faa5d4814b828db537f1f1

SHA256
bfaaa3df2b0582f2efc5dc0eef90994d455c2e84660efa4f8d4a8c0174406477

SHA512
9fe24da3411686a51d0b2c59273e80023ed5a21e84bb10762c6c753d921dc9859cee299ebd6fa72a766b6c5d53c9b60b76066b0ed526f95568512aebcf011f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\vehue.exe

Filesize
223KB

MD5
2f084538e0f260802d203eff4dca1609

SHA1
94f09dab6d9c2c39eb84e4815a57fbed292ebfdc

SHA256
01e9db876fc042fa720b2cf726cb4398175a9d0fc0d20fac64a98f1ed45a0300

SHA512
3bf4abd5bfd0f74f047d380302b134064dc13ff3ea2be39c35bfa462562955ef57feea3b54a78bef1eb194f5fa46815655e544415d711e4e36a048af49650041

Download Submit
memory/2112-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3308-36-0x00000000004F0000-0x0000000000590000-memory.dmp

Filesize
640KB

Download
memory/3308-43-0x00000000004F0000-0x0000000000590000-memory.dmp

Filesize
640KB

Download
memory/3308-42-0x00000000004F0000-0x0000000000590000-memory.dmp

Filesize
640KB

Download
memory/4440-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4440-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4540-39-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4540-26-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4540-23-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing