urelas | 2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04

General

Target

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
Size

334KB
MD5

a52fd571b858e759fa3d71055f6eb4da
SHA1

244a27d85ea646e78cf4172f48c5dfb4ce19f676
SHA256

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04
SHA512

873b6207d64514e918c78b58d8aa287cc04253ac7304d7684f7d5a6972fd8ecce4ed14c8d07c09660b50e3599564ee7280116ba5dd3ee9d14b686c56f2e69fb6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9:vHW138/iXWlK885rKlGSekcj66ciw

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2828 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

suicr.execelee.exe

pid process

2056 suicr.exe
2336 celee.exe
Loads dropped DLL 2 IoCs

Processes:

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exesuicr.exe

pid process

2060 2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
2056 suicr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2828	cmd.exe

pid	process
2056	suicr.exe
2336	celee.exe

pid	process
2060	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
2056	suicr.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

celee.exe2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exesuicr.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	celee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	suicr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

celee.exe

pid	process
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe
2336	celee.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exesuicr.exe

description	pid	process	target process
PID 2060 wrote to memory of 2056	2060	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	suicr.exe
PID 2060 wrote to memory of 2056	2060	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	suicr.exe
PID 2060 wrote to memory of 2056	2060	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	suicr.exe
PID 2060 wrote to memory of 2056	2060	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	suicr.exe
PID 2060 wrote to memory of 2828	2060	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	cmd.exe
PID 2060 wrote to memory of 2828	2060	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	cmd.exe
PID 2060 wrote to memory of 2828	2060	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	cmd.exe
PID 2060 wrote to memory of 2828	2060	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	cmd.exe
PID 2056 wrote to memory of 2336	2056	suicr.exe	celee.exe
PID 2056 wrote to memory of 2336	2056	suicr.exe	celee.exe
PID 2056 wrote to memory of 2336	2056	suicr.exe	celee.exe
PID 2056 wrote to memory of 2336	2056	suicr.exe	celee.exe

C:\Users\Admin\AppData\Local\Temp\2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
"C:\Users\Admin\AppData\Local\Temp\2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\suicr.exe
  "C:\Users\Admin\AppData\Local\Temp\suicr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\celee.exe
    "C:\Users\Admin\AppData\Local\Temp\celee.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
20c83f80a5acec8c249db950cfc1da70

SHA1
7011eccce8a8f5f75bb918352da262a7ceedecf3

SHA256
7c238aeb10ae6f42e26b1d93b45a248da7d82b4a7f2a921497d88a224ed00d7c

SHA512
d465772a1a83ed1dce57a079966dee04e7c249d77bb53c0b9bf8b663920e8c4167da90d29f4b5d1009193f9efcda9c62f8909d90010df2d159912d19378e4de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5dd5f35f787659399f6b445dd0a7e767

SHA1
5622ef6b96c25f5f87f173dc1af2deee615cbe4d

SHA256
7ae29f091e5ca7b459788bf8570aac4822c6bb48bb8cd7a3afa89d80bfd586b1

SHA512
d604225d6bba47029da0f40a553f94aec595631b32fc518be5bc556b97d3fdc9f57a7dc5c7375288c3f286014234ca7f94980dab75f2253aa334fa0df7c0c93e

Download Submit
\Users\Admin\AppData\Local\Temp\celee.exe

Filesize
172KB

MD5
63c49a3b6e99b19b22c0d38817f128e2

SHA1
67fd45e950a338cec4020de0041d910b617ac477

SHA256
7fd87c3f7999b086007c4b8bd37df816481fa88321c9159aa0516cb0dd1ced63

SHA512
e4346cf2ae4695d9821e1cb181450e20082ce0e833847effe668760964463ec7f5272ddf8122218a7571c84d5f992b6ad1b8f932452e9dae6d89ea21c3dbbc3f

Download Submit
\Users\Admin\AppData\Local\Temp\suicr.exe

Filesize
334KB

MD5
917eb2ee7efc0e28f9e015b0e74c3e22

SHA1
1e7836a9c627257734004a128ef064abf253b711

SHA256
61aff86e078d00dd9e35a7cba6bbbe25907dd50fdde2b33036306ce4aa73e20b

SHA512
50e5c2640cd161e7d5bc557f29672a6f55ec34007464dff9a14de3021f9e5b2c877b4b6e58c07bd7b3e3da31b32238a03b758e1d960b65499cb3bf19173f4442

Download Submit
memory/2056-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2056-37-0x0000000003840000-0x00000000038D9000-memory.dmp

Filesize
612KB

Download
memory/2056-40-0x0000000000C30000-0x0000000000CB1000-memory.dmp

Filesize
516KB

Download
memory/2056-23-0x0000000000C30000-0x0000000000CB1000-memory.dmp

Filesize
516KB

Download
memory/2056-11-0x0000000000C30000-0x0000000000CB1000-memory.dmp

Filesize
516KB

Download
memory/2060-20-0x0000000000BD0000-0x0000000000C51000-memory.dmp

Filesize
516KB

Download
memory/2060-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2060-0-0x0000000000BD0000-0x0000000000C51000-memory.dmp

Filesize
516KB

Download
memory/2060-7-0x00000000024E0000-0x0000000002561000-memory.dmp

Filesize
516KB

Download
memory/2336-41-0x0000000000DE0000-0x0000000000E79000-memory.dmp

Filesize
612KB

Download
memory/2336-42-0x0000000000DE0000-0x0000000000E79000-memory.dmp

Filesize
612KB

Download
memory/2336-46-0x0000000000DE0000-0x0000000000E79000-memory.dmp

Filesize
612KB

Download
memory/2336-47-0x0000000000DE0000-0x0000000000E79000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads