urelas | f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81a

General

Target

f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe
Size

330KB
MD5

f1e1cde1b78c3011c4d37b778f8f28e0
SHA1

1fe7cf690f5b87e656dc61d2e0855347bf511063
SHA256

f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81a
SHA512

31bca1575ae095daf1fcd97dc007c839224addbc90c72435dec7557edbfa98027c2785d7fda7874fe7635c670775a2b0f8eadaed30f4ba66d9044476aba71e9a
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYw:vHW138/iXWlK885rKlGSekcj66ci1

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exenupep.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	nupep.exe

Executes dropped EXE 2 IoCs

Processes:

nupep.exezecex.exe

pid	Process
716	nupep.exe
4032	zecex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exezecex.exef8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exenupep.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zecex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nupep.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

zecex.exe

pid	Process
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe
4032	zecex.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exenupep.exe

description	pid	Process	procid_target
PID 4276 wrote to memory of 716	4276	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	88
PID 4276 wrote to memory of 716	4276	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	88
PID 4276 wrote to memory of 716	4276	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	88
PID 4276 wrote to memory of 5040	4276	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	89
PID 4276 wrote to memory of 5040	4276	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	89
PID 4276 wrote to memory of 5040	4276	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	89
PID 716 wrote to memory of 4032	716	nupep.exe	109
PID 716 wrote to memory of 4032	716	nupep.exe	109
PID 716 wrote to memory of 4032	716	nupep.exe	109

C:\Users\Admin\AppData\Local\Temp\f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe
"C:\Users\Admin\AppData\Local\Temp\f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Users\Admin\AppData\Local\Temp\nupep.exe
  "C:\Users\Admin\AppData\Local\Temp\nupep.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Users\Admin\AppData\Local\Temp\zecex.exe
    "C:\Users\Admin\AppData\Local\Temp\zecex.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
3a85ad7e26b9ba614e2c31d19781c991

SHA1
3145733944a8aa72b818f8878b734efa4f3b1a3b

SHA256
785cbb203160b3f082d3b9f1d74a4463dd759228247c63b98f466aab26c7ce16

SHA512
39e6f1b31d76356cd04938b7c27bbb487aecad37a51dc05b047d4245ee479bf0bcacb5cd74152e2d30bfc97019f8de7a5084e8b210d6e620c55f5afdf2046ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
027f20a534086939be597fb38caa7172

SHA1
f518f16c7649bd6058ece05e55c6bdc1ed478d04

SHA256
6fb324478f41a027efe52fb276a1069df809a9e624a110612c8d2258416e9798

SHA512
e0d1765e90e83557711b6c3060519f959398d89c8154ef9c34c92a65b6d59897bbb2df732e7579e7ccfba60f3a54031aa27a3c8c5a278a86a99722a05527b29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nupep.exe

Filesize
330KB

MD5
5afd5330752de8b7f6a0206709778afe

SHA1
84f27199fba36f2c4ae567599d086c0c85bd0cdc

SHA256
f07c8569ff0e56df2f450207bfbe0befa0e74bb4d1cde24c6583c6d6b55353bb

SHA512
cfb803e19643cd906bbac5fb711f9cd7afda035ea2cce07d9e74f62e53028c29259902c15054850c5c7f161d954dfc0591ba4f3ea2aab1af8e117168a7b66735

Download Submit
C:\Users\Admin\AppData\Local\Temp\zecex.exe

Filesize
172KB

MD5
4645d17dced3b7956ac6a00b89a73e74

SHA1
054bcc4a6b5c6e0208f8cd0868a1a061fd983fcd

SHA256
8ccdd36b6a538440ef780722d66cdf9f49e3d9756a0bfa6ddd4297d8e40c59ac

SHA512
57a7351dd901ee40ae7854c9ce743ede85247d947f7211b48b117d10e9968f1efc276bc248a97099f87cc359e6827ed0c132c55745975fe87533f68264cd1628

Download Submit
memory/716-21-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/716-41-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/716-13-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/716-12-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/716-20-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/4032-38-0x0000000000440000-0x00000000004D9000-memory.dmp

Filesize
612KB

Download
memory/4032-39-0x0000000000AE0000-0x0000000000AE2000-memory.dmp

Filesize
8KB

Download
memory/4032-42-0x0000000000440000-0x00000000004D9000-memory.dmp

Filesize
612KB

Download
memory/4032-47-0x0000000000AE0000-0x0000000000AE2000-memory.dmp

Filesize
8KB

Download
memory/4032-46-0x0000000000440000-0x00000000004D9000-memory.dmp

Filesize
612KB

Download
memory/4032-48-0x0000000000440000-0x00000000004D9000-memory.dmp

Filesize
612KB

Download
memory/4276-17-0x0000000000C60000-0x0000000000CE1000-memory.dmp

Filesize
516KB

Download
memory/4276-0-0x0000000000C60000-0x0000000000CE1000-memory.dmp

Filesize
516KB

Download
memory/4276-1-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads