urelas | b9a7ae2cba8c5c2f09959144b09d8ed216762c38978f49f44c2f83b299a21a1c

General

Target

NEAS.96c10ba8ee700a095fbe253355083fc0.exe
Size

551KB
MD5

96c10ba8ee700a095fbe253355083fc0
SHA1

16fc4c36459c88ab2a4eb10235cef0a6527a3b89
SHA256

b9a7ae2cba8c5c2f09959144b09d8ed216762c38978f49f44c2f83b299a21a1c
SHA512

54acfefc0c169fe29e427189b3214f91969ac777181cb0587b148957bd66a966e2c38c4306b2c3e79d23ab1e548d1ea3eaf5cc4725f8b05da5eaed2e5c8919a3
SSDEEP

12288:sdBNKTCqqwXCcdgT699+MvA+BisqYpxHtj:sLjQC+3s0t

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.96c10ba8ee700a095fbe253355083fc0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	cozor.exe

Executes dropped EXE 2 IoCs

pid	Process
1440	cozor.exe
456	ifmit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe
456	ifmit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 1440	3420	NEAS.96c10ba8ee700a095fbe253355083fc0.exe	94
PID 3420 wrote to memory of 1440	3420	NEAS.96c10ba8ee700a095fbe253355083fc0.exe	94
PID 3420 wrote to memory of 1440	3420	NEAS.96c10ba8ee700a095fbe253355083fc0.exe	94
PID 3420 wrote to memory of 5040	3420	NEAS.96c10ba8ee700a095fbe253355083fc0.exe	95
PID 3420 wrote to memory of 5040	3420	NEAS.96c10ba8ee700a095fbe253355083fc0.exe	95
PID 3420 wrote to memory of 5040	3420	NEAS.96c10ba8ee700a095fbe253355083fc0.exe	95
PID 1440 wrote to memory of 456	1440	cozor.exe	111
PID 1440 wrote to memory of 456	1440	cozor.exe	111
PID 1440 wrote to memory of 456	1440	cozor.exe	111

C:\Users\Admin\AppData\Local\Temp\NEAS.96c10ba8ee700a095fbe253355083fc0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.96c10ba8ee700a095fbe253355083fc0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\cozor.exe
  "C:\Users\Admin\AppData\Local\Temp\cozor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\ifmit.exe
    "C:\Users\Admin\AppData\Local\Temp\ifmit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
6970e87be3e456cf907d0d07a10ff4a5

SHA1
2d3f525a995b1b2f3328750537d278258bc34d67

SHA256
4ebc73a805d3bb9a0ec6857364a6f95c400ba3ce6fe0135ebae1997f62cfbd77

SHA512
bb68a56e336896c1e687dbf65bc5c6287b576cd8c06ca7329f0adaf6265ae4cdd14586df96ab96e721d1724e90877f6c3d38b1ba31ed92b757079ccc6e6dffb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cozor.exe

Filesize
551KB

MD5
9fed3ee04c66ebac5167a33f6a138fd1

SHA1
a8143d370d745f4f1ef4b3bbd8d4bd36fb10ee8b

SHA256
f94328d11e476464761bf12bf73012da2ce13e47457bfb50bcf5c662a51db062

SHA512
8f0a02c9eeadfb7e0b94bc7acff10514f7ee64182d9e31cea6fecdb123a85c6a8bab8f4531040b4d05b377d2513960640130069948c29126a059d312ae6e136e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cozor.exe

Filesize
551KB

MD5
9fed3ee04c66ebac5167a33f6a138fd1

SHA1
a8143d370d745f4f1ef4b3bbd8d4bd36fb10ee8b

SHA256
f94328d11e476464761bf12bf73012da2ce13e47457bfb50bcf5c662a51db062

SHA512
8f0a02c9eeadfb7e0b94bc7acff10514f7ee64182d9e31cea6fecdb123a85c6a8bab8f4531040b4d05b377d2513960640130069948c29126a059d312ae6e136e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cozor.exe

Filesize
551KB

MD5
9fed3ee04c66ebac5167a33f6a138fd1

SHA1
a8143d370d745f4f1ef4b3bbd8d4bd36fb10ee8b

SHA256
f94328d11e476464761bf12bf73012da2ce13e47457bfb50bcf5c662a51db062

SHA512
8f0a02c9eeadfb7e0b94bc7acff10514f7ee64182d9e31cea6fecdb123a85c6a8bab8f4531040b4d05b377d2513960640130069948c29126a059d312ae6e136e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ec64b885ba658e1a0d973490081286f9

SHA1
744b9159e34169d14625633b9901d90819efe823

SHA256
41daea568f5ce5f6580c789c7820c8e3c44536571624ae1331dbdd0a5912749d

SHA512
d7a1acf4ec4f880c0ebf88f18e64ec81e8d5530272a71c9e0ea51d16610550f2c356531efd901d8aa7cf7e5e8720f79db839b06b47aa79bdb666543f23010b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifmit.exe

Filesize
241KB

MD5
a63307e192a6b7f5278f6e39a1d7e63f

SHA1
964aea3f1b87719c0aaed9c469e46d3b466fab4e

SHA256
dd1ae48d72ea339e7ae7a7d640b74047684066fc2741d04ae18e53efef234ea8

SHA512
fc8c456ad86a8dbb771189faaf100296d98b0a859e7061e2f9fd14dfb7a3021b0aefe13e57e33b6e775c82de5bbc30a7d7df8a3d191d27497d140717d355d2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifmit.exe

Filesize
241KB

MD5
a63307e192a6b7f5278f6e39a1d7e63f

SHA1
964aea3f1b87719c0aaed9c469e46d3b466fab4e

SHA256
dd1ae48d72ea339e7ae7a7d640b74047684066fc2741d04ae18e53efef234ea8

SHA512
fc8c456ad86a8dbb771189faaf100296d98b0a859e7061e2f9fd14dfb7a3021b0aefe13e57e33b6e775c82de5bbc30a7d7df8a3d191d27497d140717d355d2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifmit.exe

Filesize
241KB

MD5
a63307e192a6b7f5278f6e39a1d7e63f

SHA1
964aea3f1b87719c0aaed9c469e46d3b466fab4e

SHA256
dd1ae48d72ea339e7ae7a7d640b74047684066fc2741d04ae18e53efef234ea8

SHA512
fc8c456ad86a8dbb771189faaf100296d98b0a859e7061e2f9fd14dfb7a3021b0aefe13e57e33b6e775c82de5bbc30a7d7df8a3d191d27497d140717d355d2a3

Download Submit
memory/456-31-0x00000000005C0000-0x0000000000676000-memory.dmp

Filesize
728KB

Download
memory/456-30-0x00000000005C0000-0x0000000000676000-memory.dmp

Filesize
728KB

Download
memory/456-27-0x00000000005C0000-0x0000000000676000-memory.dmp

Filesize
728KB

Download
memory/456-28-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/1440-17-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1440-26-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3420-0-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3420-16-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3420-7-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing