urelas | 2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851e

General

Target

2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe
Size

334KB
MD5

56ab5b6ddbcd5b119c7ad028db7df480
SHA1

ee8b233b1f7a6cc3cb4b8d06dad01f8ff1a90822
SHA256

2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851e
SHA512

d63d76b5cfe18645213025cff3515827712403808779880758b539fc981450786aa3a3392009e9b8b641a8fa8ba70a03f70f0714f68b4960ba158f0afa326f25
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYw6:vHW138/iXWlK885rKlGSekcj66ciV6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exebukot.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	bukot.exe

Executes dropped EXE 2 IoCs

Processes:

bukot.execusuc.exe

pid process

4228 bukot.exe
3592 cusuc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4228	bukot.exe
3592	cusuc.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bukot.execmd.execusuc.exe2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bukot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cusuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

cusuc.exe

pid	process
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe
3592	cusuc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exebukot.exe

description	pid	process	target process
PID 1604 wrote to memory of 4228	1604	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe	bukot.exe
PID 1604 wrote to memory of 4228	1604	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe	bukot.exe
PID 1604 wrote to memory of 4228	1604	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe	bukot.exe
PID 1604 wrote to memory of 3988	1604	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe	cmd.exe
PID 1604 wrote to memory of 3988	1604	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe	cmd.exe
PID 1604 wrote to memory of 3988	1604	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe	cmd.exe
PID 4228 wrote to memory of 3592	4228	bukot.exe	cusuc.exe
PID 4228 wrote to memory of 3592	4228	bukot.exe	cusuc.exe
PID 4228 wrote to memory of 3592	4228	bukot.exe	cusuc.exe

C:\Users\Admin\AppData\Local\Temp\2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe
"C:\Users\Admin\AppData\Local\Temp\2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\bukot.exe
  "C:\Users\Admin\AppData\Local\Temp\bukot.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Users\Admin\AppData\Local\Temp\cusuc.exe
    "C:\Users\Admin\AppData\Local\Temp\cusuc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b166fc0e40859275e71e238917ddc375

SHA1
4c3de091a0e6fee9e2eff052568ab606c7cf8909

SHA256
a60cf0d9ee4e78840c9751dbd43228557d0fa9aad9b012a780b2bcdcccbbf25f

SHA512
27b05706dcebeae451cae77a7f2adfb968a1d79861eec31bb76f6d3b060c977ac59ec931cf928e408680bdffcb336dbd2ecf7eed9f70dc3f6af0b112562b1037

Download Submit
C:\Users\Admin\AppData\Local\Temp\bukot.exe

Filesize
334KB

MD5
366503042b84445cf24416a0f1c7bf6f

SHA1
0b28f63d2fd86c9f7f0b7be8e2e8fc51bb87880e

SHA256
1f135bbb92fb2354e8bde31ccdba0b70df449f3462a5ae462c1be4ee039bdd51

SHA512
494fc6ff201d13e4c1a512a6b44b8fa9ff7d435708fdd23c9c4effedc9918b97a16e443f7d73777b2ae395fda83e95e10cc7649fae0c14bf698dd3324c48f67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cusuc.exe

Filesize
172KB

MD5
6413e28523d2a1159c1145280417b997

SHA1
026cfbcfbafdbd23b763c451aabed0ae90f00edc

SHA256
ed9bdcbf2c3a2a8ba3c0e993bbc0523c9f159ff1c81bce66074152073e803482

SHA512
c40e5c4aa4c1d725e863ee847d519fa43a206d98c906fb20f852f29e378915ba3a4ac4e74c2a9c0e47c0895e8b26754d46916f27824bc035844bb7525c9c1d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d826ff35d70635db65af3a7fb676346a

SHA1
f6fe063a7de627e4bfbd43d8a760f65994916ba5

SHA256
0fff295e75d64b1e33e92dfc60987b6f7fcc2925ec2c865875453d79fec22378

SHA512
0ea3e4b4e3a0f2807564243ba3dc896dbc3c8a05cfa4171d1f59553d31df218ecd166ac1888abe5c7b03cfc22c4f320bda60eb2cbe4dbab097fb684e3ac5eebd

Download Submit
memory/1604-0-0x0000000000240000-0x00000000002C1000-memory.dmp

Filesize
516KB

Download
memory/1604-16-0x0000000000240000-0x00000000002C1000-memory.dmp

Filesize
516KB

Download
memory/1604-1-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/3592-46-0x0000000000A70000-0x0000000000B09000-memory.dmp

Filesize
612KB

Download
memory/3592-44-0x0000000000A70000-0x0000000000B09000-memory.dmp

Filesize
612KB

Download
memory/3592-40-0x0000000000A70000-0x0000000000B09000-memory.dmp

Filesize
612KB

Download
memory/3592-36-0x0000000000A70000-0x0000000000B09000-memory.dmp

Filesize
612KB

Download
memory/3592-45-0x0000000000890000-0x0000000000892000-memory.dmp

Filesize
8KB

Download
memory/3592-39-0x0000000000890000-0x0000000000892000-memory.dmp

Filesize
8KB

Download
memory/4228-13-0x0000000000BC0000-0x0000000000C41000-memory.dmp

Filesize
516KB

Download
memory/4228-38-0x0000000000BC0000-0x0000000000C41000-memory.dmp

Filesize
516KB

Download
memory/4228-19-0x0000000000BC0000-0x0000000000C41000-memory.dmp

Filesize
516KB

Download
memory/4228-14-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads