urelas | 67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fb

General

Target

67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe
Size

448KB
MD5

eab7f8c8a9a42c5880fdbf3929e15a70
SHA1

516886d2b2b05c7774c4aff0480a44f17152c79e
SHA256

67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fb
SHA512

efc09439cfce232e71bc5e97586355fe59ccf9d0a4c5c9a9332c95830a08dec42c3d00d818e6a5c983c1456848638f052ce0e4aca289a9fde70caf9ace59efbd
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFb:CMpASIcWYx2U6hAJQn6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exeqekoz.exeguemky.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	qekoz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	guemky.exe

Executes dropped EXE 3 IoCs

Processes:

qekoz.exeguemky.execipoj.exe

pid process

2004 qekoz.exe
3024 guemky.exe
4336 cipoj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2004	qekoz.exe
3024	guemky.exe
4336	cipoj.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exeqekoz.execmd.exeguemky.execipoj.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qekoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guemky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipoj.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

cipoj.exe

pid	process
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe
4336	cipoj.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exeqekoz.exeguemky.exe

description	pid	process	target process
PID 976 wrote to memory of 2004	976	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe	qekoz.exe
PID 976 wrote to memory of 2004	976	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe	qekoz.exe
PID 976 wrote to memory of 2004	976	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe	qekoz.exe
PID 976 wrote to memory of 772	976	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe	cmd.exe
PID 976 wrote to memory of 772	976	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe	cmd.exe
PID 976 wrote to memory of 772	976	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe	cmd.exe
PID 2004 wrote to memory of 3024	2004	qekoz.exe	guemky.exe
PID 2004 wrote to memory of 3024	2004	qekoz.exe	guemky.exe
PID 2004 wrote to memory of 3024	2004	qekoz.exe	guemky.exe
PID 3024 wrote to memory of 4336	3024	guemky.exe	cipoj.exe
PID 3024 wrote to memory of 4336	3024	guemky.exe	cipoj.exe
PID 3024 wrote to memory of 4336	3024	guemky.exe	cipoj.exe
PID 3024 wrote to memory of 1156	3024	guemky.exe	cmd.exe
PID 3024 wrote to memory of 1156	3024	guemky.exe	cmd.exe
PID 3024 wrote to memory of 1156	3024	guemky.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe
"C:\Users\Admin\AppData\Local\Temp\67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\qekoz.exe
  "C:\Users\Admin\AppData\Local\Temp\qekoz.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\guemky.exe
    "C:\Users\Admin\AppData\Local\Temp\guemky.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\cipoj.exe
      "C:\Users\Admin\AppData\Local\Temp\cipoj.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
b7f65f804b7118f5213e2673b453bee6

SHA1
958c5d30075b61e3fc7080c70500eaaa2e53d849

SHA256
bda45a3c53ad32bf0c97b53d2c31e7f19b18a79108a509c1c3e13fc3282c0d2d

SHA512
4f018f1a5ad0fe0303b0496f68aae2ab90d01a75427c07c997bc432985333b81b670275b5de7b754cf83829d9f9a000e6a7ca19c3930d84607e345c0947ced88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
db605b6f1d7aa265c278831a12ca09df

SHA1
fac8b7476576df2c60dd8e1ee789e6dae4f48177

SHA256
8bdf6d1ecdffb1e722a057ece13b2e619ddb4f84b4d087314338a93f209c3273

SHA512
85068d322f1f6504c35ec4dcd1890c8ca81e9c1c543f1df9aab27bc0cc8610e2ced40a22cabc317d8fc1197ad15b3a8d8ef26cb3af5cd3753ea50f8453951c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cipoj.exe

Filesize
223KB

MD5
653a0ebed95e8bd0ffc301d76440500f

SHA1
94c69ff0bb8e1de419b39a15ea9e4672ae9c163e

SHA256
72417697bfc9a6ee89aac509f69dfcfde2efb922b12beac8118ede3332799aff

SHA512
9df720fc3f6bd5178a5d4bcf5f034d3ef6c0266ff5b45c296541e671343390a9268885220588ff91607ecc2014fbe6647a19d0de07dd13397abcfa071a3dad03

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
acc33e0b1f96007c20f78ee10d34350f

SHA1
22f7c2e32af1cadb25cc8a64186a605c12f4ff37

SHA256
f72660fc57715804d319d98fc7c8828ac6d37a9dcece4ac80308ec1da424c26b

SHA512
c3590a440a15d83e0a07e1e628e71ddcaf5d0ab3edbaf69883b18df5474861269bcf26f76563616f2cc39b75fb4cdeba77ecc46c9c3eedca3689bdd0e08f2d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\guemky.exe

Filesize
448KB

MD5
7ebbaf1cc06e7e5323bbf121e47f37f4

SHA1
d72d4c8318c499bfbc24e934a50ddd0ebaf7ae61

SHA256
9722fa5dbe5db1e28131d48e82abdfedd9d1e07ff1d76ba605d948194ec77178

SHA512
36991ac7527058a78ab321f64ec7735e34d324e19002e1a1543de1ffc0426bf1af5478b37f62943207c1b79f2821785f45a2e3c0347f01abd8ca8f3c2759e6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qekoz.exe

Filesize
448KB

MD5
3a4d31b23dafbeda458140cc4096cd18

SHA1
38a220ce4fb4a9c03f8a422b851caf713dc3460f

SHA256
5aabda6fcc4eefc9165a063711c329de4ba5e4c4eb9e13878afefed957034bd0

SHA512
f19e1b28cd6a14bf6b8b85b5bea605ee664834dfb59702b971119ad96f0ba9bdea910a941607e76400d916064b02b4f78c3a72931cf18b4eb6718524d6d2111f

Download Submit
memory/976-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/976-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2004-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3024-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3024-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4336-36-0x0000000000230000-0x00000000002D0000-memory.dmp

Filesize
640KB

Download
memory/4336-41-0x0000000000230000-0x00000000002D0000-memory.dmp

Filesize
640KB

Download
memory/4336-42-0x0000000000230000-0x00000000002D0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads