urelas | 2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596

General

Target

2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe
Size

332KB
MD5

a375c594a60d55f023e637ef9a2449a8
SHA1

c2d67e9b8116c42ab86328c04c417449a4ac72f1
SHA256

2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596
SHA512

cfbacec71da430e56429b2986ed4b0d2ea44271f86c442632d9df03c27d14484bf3a821c056cbc938bb3ed7baa18e7ca3bea95ed9eb372248f717c4fb965c979
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVVs:vHW138/iXWlK885rKlGSekcj66ciEVs

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2832	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

puqom.exeopepd.exe

pid	Process
2804	puqom.exe
2584	opepd.exe

Loads dropped DLL 2 IoCs

Processes:

2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exepuqom.exe

pid	Process
1976	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe
2804	puqom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeopepd.exe2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exepuqom.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puqom.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

opepd.exe

pid	Process
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe
2584	opepd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exepuqom.exe

description	pid	Process	procid_target
PID 1976 wrote to memory of 2804	1976	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe	30
PID 1976 wrote to memory of 2804	1976	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe	30
PID 1976 wrote to memory of 2804	1976	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe	30
PID 1976 wrote to memory of 2804	1976	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe	30
PID 1976 wrote to memory of 2832	1976	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe	31
PID 1976 wrote to memory of 2832	1976	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe	31
PID 1976 wrote to memory of 2832	1976	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe	31
PID 1976 wrote to memory of 2832	1976	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe	31
PID 2804 wrote to memory of 2584	2804	puqom.exe	34
PID 2804 wrote to memory of 2584	2804	puqom.exe	34
PID 2804 wrote to memory of 2584	2804	puqom.exe	34
PID 2804 wrote to memory of 2584	2804	puqom.exe	34

C:\Users\Admin\AppData\Local\Temp\2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe
"C:\Users\Admin\AppData\Local\Temp\2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\puqom.exe
  "C:\Users\Admin\AppData\Local\Temp\puqom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\opepd.exe
    "C:\Users\Admin\AppData\Local\Temp\opepd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
7b8fb9d07fe55c30355b4de70cf9c0f2

SHA1
822d0c4e4bc01eb1d4ebc1485adfe47d5ef1056c

SHA256
c6912b9e2a37a70663ae7b845acc8bbb9cd2f22af1997b867bc245763d43a4c1

SHA512
620ce99e6c94ba269737d2081fc09933bdc571e691e30367dec1f522c46c3e972b7a950ac43b2fa9323f4d6ecfc1391360461e557d3d5289297d1b68fa6732de

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f4965aaaa7628115e5c6829d04e8ea72

SHA1
378c8fe9ebff55d84b257beb4ac263282b3121f7

SHA256
3e0eea5ab562edc2fa753061003431b048c5f0ab33cd29ded250d55b00d03c65

SHA512
d108cf499e0181a840b4e4e38279b9e464aebfeea4ea53c6a8b154f4e6ca9c02446eac26969dc4275981acf43b36a3ac08279d0ceaa449712323aed1209f89aa

Download Submit
\Users\Admin\AppData\Local\Temp\opepd.exe

Filesize
172KB

MD5
d7c61e3e12383912db08bd6f0ada9080

SHA1
d31c25e5a9627bf37891734c19074dfc8c36aa13

SHA256
198425c9cfad849db4b6d5c2f4b5df9e7b4463017899afe4f8a10a43995890c8

SHA512
ccef22847fb41dc670bfde09d6a83c4a2af4dbdb8161d7e3865d2168835664c51c4f504ac9612e3a969096eb6e327b74b1a1af2961b88758ffe8056572ff48ae

Download Submit
\Users\Admin\AppData\Local\Temp\puqom.exe

Filesize
332KB

MD5
312419f2fe392ef3a4f85be02791af19

SHA1
e04bef4a4a23205b2a7c118a4150701d94e308f9

SHA256
477e884aa4266e04fbbf949d1bc437b6703677e55291fedc2fdc8964756967cd

SHA512
10f1677d68a12fcc765d6cf66947f01540fc446d7cd01bdd7cd40ee7205404fbc006afd957bcaf83808d8ee2571ada514f1b6b0ec7e45eb9124bc840bd21c19a

Download Submit
memory/1976-0-0x0000000000160000-0x00000000001E1000-memory.dmp

Filesize
516KB

Download
memory/1976-9-0x0000000002450000-0x00000000024D1000-memory.dmp

Filesize
516KB

Download
memory/1976-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1976-20-0x0000000000160000-0x00000000001E1000-memory.dmp

Filesize
516KB

Download
memory/2584-41-0x0000000000BD0000-0x0000000000C69000-memory.dmp

Filesize
612KB

Download
memory/2584-47-0x0000000000BD0000-0x0000000000C69000-memory.dmp

Filesize
612KB

Download
memory/2584-46-0x0000000000BD0000-0x0000000000C69000-memory.dmp

Filesize
612KB

Download
memory/2584-42-0x0000000000BD0000-0x0000000000C69000-memory.dmp

Filesize
612KB

Download
memory/2804-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2804-40-0x0000000000DD0000-0x0000000000E51000-memory.dmp

Filesize
516KB

Download
memory/2804-37-0x0000000002360000-0x00000000023F9000-memory.dmp

Filesize
612KB

Download
memory/2804-23-0x0000000000DD0000-0x0000000000E51000-memory.dmp

Filesize
516KB

Download
memory/2804-11-0x0000000000DD0000-0x0000000000E51000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads