urelas | 2c5da73579dcb5b085c00d3f94d79f94cae4a26b0566168c480845f20acdcb83

General

Target

2c5da73579dcb5b085c00d3f94d79f94cae4a26b0566168c480845f20acdcb83N.exe
Size

331KB
MD5

01e0471401bc2bb7f5ecf517b1dd30b0
SHA1

b0fbf4ba25756fe66634e1f86258636dbb601ae7
SHA256

2c5da73579dcb5b085c00d3f94d79f94cae4a26b0566168c480845f20acdcb83
SHA512

5cb9d199f1b78d70f0c4ab08f78607a2284a1268c17e01ed4bbd1ad2574b48ebcb55de8bea312e2a2139da59a8740e602bb031983c8f8a6c2d1021acaef0e152
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYu:vHW138/iXWlK885rKlGSekcj66cij

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	2c5da73579dcb5b085c00d3f94d79f94cae4a26b0566168c480845f20acdcb83N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	peepm.exe

Executes dropped EXE 2 IoCs

pid	Process
4508	peepm.exe
4436	vuvoy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuvoy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c5da73579dcb5b085c00d3f94d79f94cae4a26b0566168c480845f20acdcb83N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peepm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe
4436	vuvoy.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4508	4820	2c5da73579dcb5b085c00d3f94d79f94cae4a26b0566168c480845f20acdcb83N.exe	82
PID 4820 wrote to memory of 4508	4820	2c5da73579dcb5b085c00d3f94d79f94cae4a26b0566168c480845f20acdcb83N.exe	82
PID 4820 wrote to memory of 4508	4820	2c5da73579dcb5b085c00d3f94d79f94cae4a26b0566168c480845f20acdcb83N.exe	82
PID 4820 wrote to memory of 2480	4820	2c5da73579dcb5b085c00d3f94d79f94cae4a26b0566168c480845f20acdcb83N.exe	83
PID 4820 wrote to memory of 2480	4820	2c5da73579dcb5b085c00d3f94d79f94cae4a26b0566168c480845f20acdcb83N.exe	83
PID 4820 wrote to memory of 2480	4820	2c5da73579dcb5b085c00d3f94d79f94cae4a26b0566168c480845f20acdcb83N.exe	83
PID 4508 wrote to memory of 4436	4508	peepm.exe	94
PID 4508 wrote to memory of 4436	4508	peepm.exe	94
PID 4508 wrote to memory of 4436	4508	peepm.exe	94

C:\Users\Admin\AppData\Local\Temp\2c5da73579dcb5b085c00d3f94d79f94cae4a26b0566168c480845f20acdcb83N.exe
"C:\Users\Admin\AppData\Local\Temp\2c5da73579dcb5b085c00d3f94d79f94cae4a26b0566168c480845f20acdcb83N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Users\Admin\AppData\Local\Temp\peepm.exe
  "C:\Users\Admin\AppData\Local\Temp\peepm.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\vuvoy.exe
    "C:\Users\Admin\AppData\Local\Temp\vuvoy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
8eb438ad5a25fbb141d690acb42317fd

SHA1
6254dc48dbc67dd3d3cd2a554c1898ec0e97fb1b

SHA256
5cb4bb21b6b202ceac257752edb06a97c3f334bdd80d69144977e096645b0d06

SHA512
0ce7b0eb8ddbcfb0e990e1c4b3c2eb638696ec7413be7685c80e0325ce533d582d7c0d2a821eb3b924755abb464a3b2d9b17912aa846ddbfc5b4b5c440fa38e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d2c5b6ee95e0e36d9604971a74d9dd6d

SHA1
23f874a35fe1d97ffa263f9d32bfe7df00af370e

SHA256
f0814b94f40993784b3e48619b5af81fbd3706020c68647c1f49143101927b97

SHA512
6a5c57692e23e5cf9f6f06b518f58b16b92b349224b8f9875345753ba67e557ce2bfc9190bd031862c9c16bafc1d380723775076c6689affc8334440b6c47f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\peepm.exe

Filesize
331KB

MD5
b26412627e2212eead478acb6928fe70

SHA1
eee55642d1f2cd07e05c2c2f453ef75652c74ca3

SHA256
6a6b38b0b1b9dbe8751cea496343f86622b5c2d7cbe4897fe66d40c1f1f30e15

SHA512
771ec3e2f85460defcbe59ac377e3e0140eb6444221aecb8bda9e916e04c3404e76ec605a3a5f795528e4540a3c94dcf2f705e91810f346c29d5dc1d6c45bfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuvoy.exe

Filesize
172KB

MD5
1d9585f33c0055a510a411e414549098

SHA1
6e9f7cbd1eab3314e4251881401a67d94e3030ff

SHA256
50fc644096c410b402f32a64d53a142292e35acd1280fa954f1560e878f38122

SHA512
c46c5dee459b902027bd2fa9d8c4a04e44382942df80cd12727a11ee4916b510c3908c626cd997801d8e71c0273fa6e69fac6ec8b1b6c8d9c29e9ba49167ad4f

Download Submit
memory/4436-47-0x0000000000530000-0x00000000005C9000-memory.dmp

Filesize
612KB

Download
memory/4436-46-0x0000000000530000-0x00000000005C9000-memory.dmp

Filesize
612KB

Download
memory/4436-44-0x0000000000990000-0x0000000000992000-memory.dmp

Filesize
8KB

Download
memory/4436-41-0x0000000000530000-0x00000000005C9000-memory.dmp

Filesize
612KB

Download
memory/4436-37-0x0000000000530000-0x00000000005C9000-memory.dmp

Filesize
612KB

Download
memory/4508-13-0x0000000000CE0000-0x0000000000D61000-memory.dmp

Filesize
516KB

Download
memory/4508-21-0x0000000000CE0000-0x0000000000D61000-memory.dmp

Filesize
516KB

Download
memory/4508-20-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/4508-40-0x0000000000CE0000-0x0000000000D61000-memory.dmp

Filesize
516KB

Download
memory/4508-14-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/4820-17-0x0000000000CE0000-0x0000000000D61000-memory.dmp

Filesize
516KB

Download
memory/4820-0-0x0000000000CE0000-0x0000000000D61000-memory.dmp

Filesize
516KB

Download
memory/4820-1-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing