urelas | 2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04

General

Target

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
Size

334KB
MD5

a52fd571b858e759fa3d71055f6eb4da
SHA1

244a27d85ea646e78cf4172f48c5dfb4ce19f676
SHA256

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04
SHA512

873b6207d64514e918c78b58d8aa287cc04253ac7304d7684f7d5a6972fd8ecce4ed14c8d07c09660b50e3599564ee7280116ba5dd3ee9d14b686c56f2e69fb6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9:vHW138/iXWlK885rKlGSekcj66ciw

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exeazxof.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	azxof.exe

Executes dropped EXE 2 IoCs

Processes:

azxof.exeuxysa.exe

pid process

1364 azxof.exe
336 uxysa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1364	azxof.exe
336	uxysa.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

azxof.execmd.exeuxysa.exe2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uxysa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

uxysa.exe

pid	process
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe
336	uxysa.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exeazxof.exe

description	pid	process	target process
PID 3892 wrote to memory of 1364	3892	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	azxof.exe
PID 3892 wrote to memory of 1364	3892	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	azxof.exe
PID 3892 wrote to memory of 1364	3892	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	azxof.exe
PID 3892 wrote to memory of 4492	3892	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	cmd.exe
PID 3892 wrote to memory of 4492	3892	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	cmd.exe
PID 3892 wrote to memory of 4492	3892	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	cmd.exe
PID 1364 wrote to memory of 336	1364	azxof.exe	uxysa.exe
PID 1364 wrote to memory of 336	1364	azxof.exe	uxysa.exe
PID 1364 wrote to memory of 336	1364	azxof.exe	uxysa.exe

C:\Users\Admin\AppData\Local\Temp\2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
"C:\Users\Admin\AppData\Local\Temp\2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\azxof.exe
  "C:\Users\Admin\AppData\Local\Temp\azxof.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Local\Temp\uxysa.exe
    "C:\Users\Admin\AppData\Local\Temp\uxysa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
20c83f80a5acec8c249db950cfc1da70

SHA1
7011eccce8a8f5f75bb918352da262a7ceedecf3

SHA256
7c238aeb10ae6f42e26b1d93b45a248da7d82b4a7f2a921497d88a224ed00d7c

SHA512
d465772a1a83ed1dce57a079966dee04e7c249d77bb53c0b9bf8b663920e8c4167da90d29f4b5d1009193f9efcda9c62f8909d90010df2d159912d19378e4de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\azxof.exe

Filesize
334KB

MD5
7de2d97be36c651888741bd08bcdbf63

SHA1
bfa48812f2a3ac6a46c29ec8c64de8fbe473e855

SHA256
238cf6e903496e55cf67d173e4c496d77d627af9a92986f43c78deb1bb1b24be

SHA512
11be379c0b1f2431575e117814b0fc0a7d0145a56e84a4517698f7deace3c5142e0d2593c5ed99fb23d7c6ec1e9611842ef4cfd76e25d1bfd42cc55006e9728f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
eaa0a4849902c1d9dd9edb5fff867a61

SHA1
6c3039fc5e6d1f46a8a108d2b1339672efd76be3

SHA256
0fb6061fac6d67d838804540d7e76fe7f6443b1046a68fe035b8028e750e7495

SHA512
2446c5b88722f20529f5f69c331cce0577208a6c1f4e04d06aa8e33837495dbb148c316e5e2dc184f58a1aff6b6616e300fba6ad92ade8b79ae26eb80e6792f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxysa.exe

Filesize
172KB

MD5
975daa932c82e2013db2bb35818d3130

SHA1
6a5708e6461ce824ac3467eccbcec3c1d09ab6ca

SHA256
e6a1986b2350715196435b09f17923ce7a2838ba41ede32d87fbb6ba8004e7a3

SHA512
702f39dc36287633e2ac62888e6c08648cd1b5eb37e29e18345cd158c511196dcb443e2cbfaa5cb3b264b6c54021b951b0314609385af7f458fc21cca654b3bd

Download Submit
memory/336-37-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/336-46-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/336-44-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/336-45-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/336-40-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/336-36-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/1364-14-0x0000000000A90000-0x0000000000B11000-memory.dmp

Filesize
516KB

Download
memory/1364-39-0x0000000000A90000-0x0000000000B11000-memory.dmp

Filesize
516KB

Download
memory/1364-19-0x0000000000A90000-0x0000000000B11000-memory.dmp

Filesize
516KB

Download
memory/1364-15-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3892-16-0x0000000000AE0000-0x0000000000B61000-memory.dmp

Filesize
516KB

Download
memory/3892-0-0x0000000000AE0000-0x0000000000B61000-memory.dmp

Filesize
516KB

Download
memory/3892-1-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads