urelas | fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716

General

Target

fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe
Size

338KB
MD5

088084f12e63163e5382cc480bad2e93
SHA1

c39f9b08ae68f7470c0a98dedd253a11b5bdb67c
SHA256

fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716
SHA512

80d5c748b3d6bde042fd9b343b8aed1a5ad299701e4d8c3e336970bb56bf68e50ce65b7c601d7ce83ba1ce18d3721ae61f60b5b95bf08cffc14ea7714f25b247
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoJ8:vHW138/iXWlK885rKlGSekcj66ciL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	qawos.exe

Executes dropped EXE 2 IoCs

pid	Process
1740	qawos.exe
1332	xezog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qawos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xezog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe
1332	xezog.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 1740	4560	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe	86
PID 4560 wrote to memory of 1740	4560	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe	86
PID 4560 wrote to memory of 1740	4560	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe	86
PID 4560 wrote to memory of 2572	4560	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe	87
PID 4560 wrote to memory of 2572	4560	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe	87
PID 4560 wrote to memory of 2572	4560	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe	87
PID 1740 wrote to memory of 1332	1740	qawos.exe	95
PID 1740 wrote to memory of 1332	1740	qawos.exe	95
PID 1740 wrote to memory of 1332	1740	qawos.exe	95

C:\Users\Admin\AppData\Local\Temp\fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe
"C:\Users\Admin\AppData\Local\Temp\fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Local\Temp\qawos.exe
  "C:\Users\Admin\AppData\Local\Temp\qawos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\xezog.exe
    "C:\Users\Admin\AppData\Local\Temp\xezog.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8e918133c5c5405da82c46289c28b9e4

SHA1
755628ad899d047c27fc2c6c8ff57c10e0c9b284

SHA256
a7080ac0fb811806b84bd13117007765850fdc2f9ab97ec9fe5a7aae07a92e92

SHA512
1fa4bbaba503a3fb314007e479abf9d30dd52a3635103f0fc829e550bee6510f34b82fe7fc6c0614d6ed02d5480f6f3246e17071843a898ceb867d2bb75bc506

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d5e1b7054e3d41b403b4638f894cf53a

SHA1
1f22c593edc3875db1eaa125738e7eaefbb52c37

SHA256
50bcc84fc9e18d3577046eba6abc3dcfef36ff8eb2462e7347c6c8419d348cda

SHA512
87d30b48ac3fb5daf1cc24bd5a791e858a8331736a26ef1971e4a6f6e25c0f3fbec51de5c251f5ea7f73b9edc293c91151cbd9684bc4e41421a8dff3d469d5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qawos.exe

Filesize
338KB

MD5
a439e48e60385fb06cc4aaee12692ce0

SHA1
8dcd1c250a2bcf23e7b633fa8883d9be4c24b4bc

SHA256
4fb4504f5151320f265fc0e13d4a91a0634121f65b8ab15f064945be1f4caf93

SHA512
85a1267c5283e52d99e64883220df49c15760021571e32559a342eff2294a7c2517ec69bab462c8deb409499117c2158be5a6b27544e9ff86024ef6caee88d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\xezog.exe

Filesize
172KB

MD5
f73798727197c4dcb4ef8a02e8dec579

SHA1
f5e32236aa96daa00ad48a9749e035cf0f755e2f

SHA256
1b8b028e83790fb3f612c9f382f230a24edaac190eac1820c5648b720bc7af88

SHA512
3c09c9109747e0a241be28d029b95eaddbdda5ae2d0abc3aedf5c567d9b5c0aab7fb0566f2420a0e7fab3fc95db3ddebf83fd3a35a6c03f0ab17ed68d574c273

Download Submit
memory/1332-48-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/1332-46-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/1332-47-0x00000000009E0000-0x00000000009E2000-memory.dmp

Filesize
8KB

Download
memory/1332-41-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/1332-39-0x00000000009E0000-0x00000000009E2000-memory.dmp

Filesize
8KB

Download
memory/1332-38-0x0000000000BE0000-0x0000000000C79000-memory.dmp

Filesize
612KB

Download
memory/1740-13-0x00000000005D0000-0x0000000000651000-memory.dmp

Filesize
516KB

Download
memory/1740-21-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1740-20-0x00000000005D0000-0x0000000000651000-memory.dmp

Filesize
516KB

Download
memory/1740-44-0x00000000005D0000-0x0000000000651000-memory.dmp

Filesize
516KB

Download
memory/1740-14-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/4560-17-0x0000000000C20000-0x0000000000CA1000-memory.dmp

Filesize
516KB

Download
memory/4560-0-0x0000000000C20000-0x0000000000CA1000-memory.dmp

Filesize
516KB

Download
memory/4560-1-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing