urelas | 6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84

General

Target

6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe
Size

335KB
MD5

1056543fddaacdaa0e7f667cfb292106
SHA1

8f3e12db65839e4546b7ebe5bd378b5fb264f3b2
SHA256

6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84
SHA512

2b720cd76f80a376d510f421bd0f2a71d76270aa1a21f8197217a9411140d7d6b855d3828cab2d9914e0cacb12c075f5b527c2b8a68429bdce254b7e44b3fb58
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIck:vHW138/iXWlK885rKlGSekcj66cid

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	totiw.exe

Executes dropped EXE 2 IoCs

pid	Process
2564	totiw.exe
5000	roxyy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	roxyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	totiw.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe
5000	roxyy.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2564	2864	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe	82
PID 2864 wrote to memory of 2564	2864	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe	82
PID 2864 wrote to memory of 2564	2864	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe	82
PID 2864 wrote to memory of 4248	2864	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe	83
PID 2864 wrote to memory of 4248	2864	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe	83
PID 2864 wrote to memory of 4248	2864	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe	83
PID 2564 wrote to memory of 5000	2564	totiw.exe	94
PID 2564 wrote to memory of 5000	2564	totiw.exe	94
PID 2564 wrote to memory of 5000	2564	totiw.exe	94

C:\Users\Admin\AppData\Local\Temp\6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe
"C:\Users\Admin\AppData\Local\Temp\6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\totiw.exe
  "C:\Users\Admin\AppData\Local\Temp\totiw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\roxyy.exe
    "C:\Users\Admin\AppData\Local\Temp\roxyy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
cee2f67ee7579e9cf48fb476ed270f1d

SHA1
98b109b493a3e26f472dafe405708cdbfca22266

SHA256
d742f50e82574b5bf12f60843cb7f23c9b9f544a0ba61fa26c311039d4e4b468

SHA512
e769efe7987a586036829754a11ed5ebbead7b096727749e55c1135ec32f87043a1b515634af01fb5907f5f837f0f30da2e50131b572226a708d67b6986dcda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
11bb1e2b1ca99cb46cbdbb46de68c154

SHA1
180052416c70e65c4c09a3a15e7e6a8c1368cea7

SHA256
a920846e1fd082a8014cccb3d310450d92c713bbca2b10fe01f92b04f3528ae8

SHA512
6733a2717c3631603378ead16ca7dca6716aa6242ed6378803f6dd7292c0bf2d10af198fd526c5e2914a85bc672a4e02f3eef00ef37d43f4ac34eb42e29b1717

Download Submit
C:\Users\Admin\AppData\Local\Temp\roxyy.exe

Filesize
172KB

MD5
f676329643e3e588c2fe186a3ef3b6b1

SHA1
2c9fdc3385c5aa6828206c1e766221f6d5c75903

SHA256
8150953898d7d7b011eee6769294fbb712bbc88e5fc15bfd5aa8320475d365e7

SHA512
98bd67509103e8ad88f92e5a02c478306dab193808e84cfe24b351dcee543427f94bcdadafb50df48084bc5e3b821c5d35591df5c45a9be794b5fccf4be311bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\totiw.exe

Filesize
335KB

MD5
1fe64c456d6fc49a2d1e65c11996df3d

SHA1
89323af0eb28571a7aab8e4a9cc2fc9dc6446958

SHA256
8e85b614ba88a8407832c135db04dc52a16494a63fefaf464be981c563c1cc3d

SHA512
f29f19d3b1570463c6519f2a29026611cc235375d48dbb0e4b0db5f08279f5a8b0501d93816814557cf3c6c6262e17cd625abd3ead1a0d3a156d8c87d1e16373

Download Submit
memory/2564-20-0x0000000000C60000-0x0000000000CE1000-memory.dmp

Filesize
516KB

Download
memory/2564-21-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2564-15-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2564-12-0x0000000000C60000-0x0000000000CE1000-memory.dmp

Filesize
516KB

Download
memory/2564-44-0x0000000000C60000-0x0000000000CE1000-memory.dmp

Filesize
516KB

Download
memory/2864-0-0x0000000000B20000-0x0000000000BA1000-memory.dmp

Filesize
516KB

Download
memory/2864-1-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/2864-17-0x0000000000B20000-0x0000000000BA1000-memory.dmp

Filesize
516KB

Download
memory/5000-38-0x0000000000C90000-0x0000000000D29000-memory.dmp

Filesize
612KB

Download
memory/5000-39-0x0000000000820000-0x0000000000822000-memory.dmp

Filesize
8KB

Download
memory/5000-40-0x0000000000C90000-0x0000000000D29000-memory.dmp

Filesize
612KB

Download
memory/5000-46-0x0000000000C90000-0x0000000000D29000-memory.dmp

Filesize
612KB

Download
memory/5000-47-0x0000000000820000-0x0000000000822000-memory.dmp

Filesize
8KB

Download
memory/5000-48-0x0000000000C90000-0x0000000000D29000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing