urelas | 2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596

General

Target

2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe
Size

332KB
MD5

a375c594a60d55f023e637ef9a2449a8
SHA1

c2d67e9b8116c42ab86328c04c417449a4ac72f1
SHA256

2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596
SHA512

cfbacec71da430e56429b2986ed4b0d2ea44271f86c442632d9df03c27d14484bf3a821c056cbc938bb3ed7baa18e7ca3bea95ed9eb372248f717c4fb965c979
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVVs:vHW138/iXWlK885rKlGSekcj66ciEVs

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	gixof.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe

Executes dropped EXE 2 IoCs

pid	Process
3636	gixof.exe
2392	beepo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gixof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beepo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe
2392	beepo.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 3636	4912	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe	87
PID 4912 wrote to memory of 3636	4912	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe	87
PID 4912 wrote to memory of 3636	4912	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe	87
PID 4912 wrote to memory of 4480	4912	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe	88
PID 4912 wrote to memory of 4480	4912	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe	88
PID 4912 wrote to memory of 4480	4912	2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe	88
PID 3636 wrote to memory of 2392	3636	gixof.exe	99
PID 3636 wrote to memory of 2392	3636	gixof.exe	99
PID 3636 wrote to memory of 2392	3636	gixof.exe	99

C:\Users\Admin\AppData\Local\Temp\2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe
"C:\Users\Admin\AppData\Local\Temp\2c97d07e0a67cecf264dabe0050159919485b35c446663f7acdb52976faed596.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\AppData\Local\Temp\gixof.exe
  "C:\Users\Admin\AppData\Local\Temp\gixof.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Users\Admin\AppData\Local\Temp\beepo.exe
    "C:\Users\Admin\AppData\Local\Temp\beepo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
7b8fb9d07fe55c30355b4de70cf9c0f2

SHA1
822d0c4e4bc01eb1d4ebc1485adfe47d5ef1056c

SHA256
c6912b9e2a37a70663ae7b845acc8bbb9cd2f22af1997b867bc245763d43a4c1

SHA512
620ce99e6c94ba269737d2081fc09933bdc571e691e30367dec1f522c46c3e972b7a950ac43b2fa9323f4d6ecfc1391360461e557d3d5289297d1b68fa6732de

Download Submit
C:\Users\Admin\AppData\Local\Temp\beepo.exe

Filesize
172KB

MD5
2a1cd4fd162bb31b86059b167ac00614

SHA1
b3a24abb92323726873fa04192b6db8fc7d38496

SHA256
89fbab8c1a41baced48cbf04c3e6ed990392c21cd84fb26ac68d980b9ff5adcb

SHA512
7eae5ef7171046f90f9dd67df2db37d3dd8b5a124b2f648a151b40320594e8a1823b93f62cca9ab157c73492ff866c3975b5f1f1d46e5b85242ad07c38b61357

Download Submit
C:\Users\Admin\AppData\Local\Temp\gixof.exe

Filesize
332KB

MD5
d069590c4584189bce8234aa735a0066

SHA1
93e72ed06fe74d3f8f56f8af0f994f035c98e420

SHA256
93401f60f03062224bc2f703c12985a9c8dffe92a81b45aa3f6f408b02230a92

SHA512
7b4ba8030b28d80b82095d92fbed2a64e0ce4614e6443872d8c9de16a23e49a2d95d0768ad7a63d0d374a96166a822066454bdb342e2a5d8485cd654517ae636

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9fa4766b5cf5fe46c43d7e125308f7ed

SHA1
d3cf2b666be5d14cd532d2f433efd60e10d152cc

SHA256
aa0c45fc199926b87e924f508541e5e038c1d965a3dcfdb17f5dae91e3e6b9bf

SHA512
c336c2a73b117158c8250268ba58cddabdadb1f3810312fa684469928136679adbf26c74d6c5755fe6b93c25c7eaf746718614bf52da21187df3f5f6a36c3537

Download Submit
memory/2392-47-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/2392-46-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/2392-45-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

Filesize
8KB

Download
memory/2392-37-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/2392-40-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/2392-38-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

Filesize
8KB

Download
memory/3636-43-0x0000000000170000-0x00000000001F1000-memory.dmp

Filesize
516KB

Download
memory/3636-20-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/3636-19-0x0000000000170000-0x00000000001F1000-memory.dmp

Filesize
516KB

Download
memory/3636-11-0x0000000000170000-0x00000000001F1000-memory.dmp

Filesize
516KB

Download
memory/3636-14-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/4912-0-0x0000000000770000-0x00000000007F1000-memory.dmp

Filesize
516KB

Download
memory/4912-16-0x0000000000770000-0x00000000007F1000-memory.dmp

Filesize
516KB

Download
memory/4912-1-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing