urelas | 249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a

General

Target

249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe
Size

338KB
MD5

8fb501ac698176feeaad15399c91510a
SHA1

9a014a3714a46134c2fd5671d2aea4a673a793b3
SHA256

249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a
SHA512

1c0b3ccf41d2c39b8fb354379cf3fe00c652a1f79dd7bdaa563862d06a879ca66fbfe4334bf7c6ea5b4458f9b5f43068ddd7f096e9c1f7dc326a4e66c6017432
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKogA:vHW138/iXWlK885rKlGSekcj66cis

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	bovoi.exe

Executes dropped EXE 2 IoCs

pid	Process
4984	bovoi.exe
3068	liwii.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bovoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liwii.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe
3068	liwii.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 4984	3564	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe	83
PID 3564 wrote to memory of 4984	3564	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe	83
PID 3564 wrote to memory of 4984	3564	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe	83
PID 3564 wrote to memory of 3996	3564	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe	84
PID 3564 wrote to memory of 3996	3564	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe	84
PID 3564 wrote to memory of 3996	3564	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe	84
PID 4984 wrote to memory of 3068	4984	bovoi.exe	104
PID 4984 wrote to memory of 3068	4984	bovoi.exe	104
PID 4984 wrote to memory of 3068	4984	bovoi.exe	104

C:\Users\Admin\AppData\Local\Temp\249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe
"C:\Users\Admin\AppData\Local\Temp\249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Users\Admin\AppData\Local\Temp\bovoi.exe
  "C:\Users\Admin\AppData\Local\Temp\bovoi.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\liwii.exe
    "C:\Users\Admin\AppData\Local\Temp\liwii.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
67519008b2bb6235a76f364f6e7e5356

SHA1
2099c9a9938a5f36b57de23c20871dac8e9d7139

SHA256
a3fac6cfb9773b7a17bdf4bf3a010d840ab495681df5dd7bef30a6288cab331e

SHA512
07592b54f71e2d8a4e31b0c7041a27a6acc29cbb3d35f43220eb08abd1dfcd05c2e8ca8f207ccce0970eb03c3cfff20740105af4458b8d7f8a8fde6d2979bf79

Download Submit
C:\Users\Admin\AppData\Local\Temp\bovoi.exe

Filesize
338KB

MD5
0d720405c2ed7d70c56e8d0f3319ea8d

SHA1
009f9e591cae5333d777cecf7a603f498a01747f

SHA256
626f4a6eb34d5474c105c7e5f4633044314677dc18c2c76d2b5f46a90b734b0f

SHA512
4c74f0bcd5902a678eddeeff92dff4ee2e72e7b8cecfb9877538b869a628603a0d79c41f7b4f4bd6a8dbef0b913020e7e6fdbcf1dc1c334e6660d6281a9b13b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e3a0b85ee0a1b2dbeb66b85baa6f9b8b

SHA1
3679cd9642c6dea6a9489f6a37551c23b8fcce1d

SHA256
82304175aac4ce9e188090997baa97f727daafcf2850b93068dc745846eeb2f2

SHA512
cfaccd31e0e193fb199e28b7bdce432000d1d41fc3793be4dddcd54a45beedd06257b594654dd3d01f2a6adb48427f44ab5380678cdd2257a6bd2ebe2ad987f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\liwii.exe

Filesize
172KB

MD5
ad13c579ef32b402c406ce06cf87f7d4

SHA1
2021ad3dcb60ef6bb92377cfb285b994d21e049d

SHA256
ccabd6a8106602cbb0089932e1e8926f3f873c46bf07f3c5499b29108db9c268

SHA512
c032882fa8e26cace7027672717f1cea952f06c381e38700634be5e86dd4fd57c25efa25da275c1530438e1eff13702f6085c3bb17fc259786ac06a83ed25221

Download Submit
memory/3068-46-0x0000000000420000-0x00000000004B9000-memory.dmp

Filesize
612KB

Download
memory/3068-37-0x0000000000420000-0x00000000004B9000-memory.dmp

Filesize
612KB

Download
memory/3068-45-0x0000000000420000-0x00000000004B9000-memory.dmp

Filesize
612KB

Download
memory/3068-44-0x00000000006F0000-0x00000000006F2000-memory.dmp

Filesize
8KB

Download
memory/3068-39-0x0000000000420000-0x00000000004B9000-memory.dmp

Filesize
612KB

Download
memory/3068-38-0x00000000006F0000-0x00000000006F2000-memory.dmp

Filesize
8KB

Download
memory/3564-16-0x0000000000DC0000-0x0000000000E41000-memory.dmp

Filesize
516KB

Download
memory/3564-0-0x0000000000DC0000-0x0000000000E41000-memory.dmp

Filesize
516KB

Download
memory/3564-1-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/4984-14-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/4984-42-0x0000000000590000-0x0000000000611000-memory.dmp

Filesize
516KB

Download
memory/4984-20-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/4984-19-0x0000000000590000-0x0000000000611000-memory.dmp

Filesize
516KB

Download
memory/4984-11-0x0000000000590000-0x0000000000611000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing