urelas | 1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddef

General

Target

1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe
Size

336KB
MD5

63112463c8d44d312cded96e7f033800
SHA1

f48c48882f0d5348f6e99a27599efbaf5e80d9e1
SHA256

1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddef
SHA512

f514ec1c8070105d5cfdc38249bec80689d18405004e55b8431c3eec1c52c1e5bd4ff7a94d109b15b66c30765c442f9442a6cfcf857830d7f2275086edc7e309
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIrE:vHW138/iXWlK885rKlGSekcj66ci+

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	runae.exe

Executes dropped EXE 2 IoCs

pid	Process
4756	runae.exe
4772	zurib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zurib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runae.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe
4772	zurib.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 4756	1104	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe	83
PID 1104 wrote to memory of 4756	1104	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe	83
PID 1104 wrote to memory of 4756	1104	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe	83
PID 1104 wrote to memory of 2144	1104	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe	84
PID 1104 wrote to memory of 2144	1104	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe	84
PID 1104 wrote to memory of 2144	1104	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe	84
PID 4756 wrote to memory of 4772	4756	runae.exe	103
PID 4756 wrote to memory of 4772	4756	runae.exe	103
PID 4756 wrote to memory of 4772	4756	runae.exe	103

C:\Users\Admin\AppData\Local\Temp\1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe
"C:\Users\Admin\AppData\Local\Temp\1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\runae.exe
  "C:\Users\Admin\AppData\Local\Temp\runae.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\zurib.exe
    "C:\Users\Admin\AppData\Local\Temp\zurib.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
95c44f9233f0346622bc11e74db7f597

SHA1
74cf4f152b9b6ba29fc863f725f10a9bf58751ef

SHA256
48018e359e9c91751e1d29a242bdc48d01703d13412dd5f5badc7c9787090613

SHA512
14b452fa1d4a82c94908216cdc8963cc43b7b2cb0ce93ce3e38e730180e2684258eb89891565734036e8fb315ed9f7db5433da5680f725d0b05e22e88c2f95ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e27d2c0fb335b79b3456a343b4a1c9d2

SHA1
12f85504e488f1ceecd509b539d6d7bbf38a4e13

SHA256
3040730311f247f9c51d400095dddab6b32b6aae8805ab12a28b22651f8a2f30

SHA512
00c2d96a184b696ee02dc5b0047e199399293b59b4f1c39e0fccd8282eea88a1a7305eff33a5cff0b7d6e461fa23dd05c3fc45014480b407a6a0a53975c09937

Download Submit
C:\Users\Admin\AppData\Local\Temp\runae.exe

Filesize
336KB

MD5
5108efaccbaa96bdb04be2ba32f2deaa

SHA1
84c4a3c6756b57759924ffd9d972107d6c294849

SHA256
d00c6d022381b8dc7bbf1fa33396a0f0390471a01893f5b751bd936d2983e8e0

SHA512
d1b09d56ea88da635614f5f07732de237a3d2b1c0476a95387cb60a88e117b6092d0e1d2ddb15c92942d9361bccd7bbc91360ebad67d2ecf2d42f5f7f476c9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zurib.exe

Filesize
172KB

MD5
a0d63a59b69bce379400dba864bea697

SHA1
526c1685b61c4f0871e584a6fc23927cc39fe35d

SHA256
415e66020a4d5d293a688828aca45b56860686a45eb984b34285c90485031923

SHA512
40868892bd43725fe7ba889365de51adec99acb2e3f5b553a7f511f26db37af9cfcafaa2071ab521443a1a15a789098f4ed22c3176bc95eccdf56d3e255b4305

Download Submit
memory/1104-1-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1104-0-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download
memory/1104-16-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download
memory/4756-19-0x0000000000A50000-0x0000000000AD1000-memory.dmp

Filesize
516KB

Download
memory/4756-14-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/4756-11-0x0000000000A50000-0x0000000000AD1000-memory.dmp

Filesize
516KB

Download
memory/4756-42-0x0000000000A50000-0x0000000000AD1000-memory.dmp

Filesize
516KB

Download
memory/4772-39-0x0000000000F60000-0x0000000000FF9000-memory.dmp

Filesize
612KB

Download
memory/4772-37-0x0000000000A10000-0x0000000000A12000-memory.dmp

Filesize
8KB

Download
memory/4772-36-0x0000000000F60000-0x0000000000FF9000-memory.dmp

Filesize
612KB

Download
memory/4772-44-0x0000000000A10000-0x0000000000A12000-memory.dmp

Filesize
8KB

Download
memory/4772-45-0x0000000000F60000-0x0000000000FF9000-memory.dmp

Filesize
612KB

Download
memory/4772-46-0x0000000000F60000-0x0000000000FF9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing