urelas | 2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04

General

Target

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
Size

334KB
MD5

a52fd571b858e759fa3d71055f6eb4da
SHA1

244a27d85ea646e78cf4172f48c5dfb4ce19f676
SHA256

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04
SHA512

873b6207d64514e918c78b58d8aa287cc04253ac7304d7684f7d5a6972fd8ecce4ed14c8d07c09660b50e3599564ee7280116ba5dd3ee9d14b686c56f2e69fb6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9:vHW138/iXWlK885rKlGSekcj66ciw

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exebopyf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	bopyf.exe

Executes dropped EXE 2 IoCs

Processes:

bopyf.exefasiy.exe

pid process

752 bopyf.exe
1600 fasiy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
752	bopyf.exe
1600	fasiy.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exebopyf.execmd.exefasiy.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bopyf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fasiy.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fasiy.exe

pid	process
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe
1600	fasiy.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exebopyf.exe

description	pid	process	target process
PID 4844 wrote to memory of 752	4844	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	bopyf.exe
PID 4844 wrote to memory of 752	4844	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	bopyf.exe
PID 4844 wrote to memory of 752	4844	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	bopyf.exe
PID 4844 wrote to memory of 4604	4844	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	cmd.exe
PID 4844 wrote to memory of 4604	4844	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	cmd.exe
PID 4844 wrote to memory of 4604	4844	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	cmd.exe
PID 752 wrote to memory of 1600	752	bopyf.exe	fasiy.exe
PID 752 wrote to memory of 1600	752	bopyf.exe	fasiy.exe
PID 752 wrote to memory of 1600	752	bopyf.exe	fasiy.exe

C:\Users\Admin\AppData\Local\Temp\2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
"C:\Users\Admin\AppData\Local\Temp\2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\AppData\Local\Temp\bopyf.exe
  "C:\Users\Admin\AppData\Local\Temp\bopyf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Users\Admin\AppData\Local\Temp\fasiy.exe
    "C:\Users\Admin\AppData\Local\Temp\fasiy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
20c83f80a5acec8c249db950cfc1da70

SHA1
7011eccce8a8f5f75bb918352da262a7ceedecf3

SHA256
7c238aeb10ae6f42e26b1d93b45a248da7d82b4a7f2a921497d88a224ed00d7c

SHA512
d465772a1a83ed1dce57a079966dee04e7c249d77bb53c0b9bf8b663920e8c4167da90d29f4b5d1009193f9efcda9c62f8909d90010df2d159912d19378e4de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bopyf.exe

Filesize
334KB

MD5
16f360f277b5f994d41641b4c9ead193

SHA1
7987bcb1abde16c0f1ac8ef496233caaffeeefd2

SHA256
ace6d192e79455327629be545263496ceaaee04fd3ea96323569de57d330882c

SHA512
33db0ce4dd6b91e91e0c378c11e5e8d3c8f10cd9b0e6b2d171a41bb32636d20d41e83114d56dc75bf34769aceafddc43b7e8095aa6fd2a2016a258774a0bffbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fasiy.exe

Filesize
172KB

MD5
a17cbc8bcecae87c3c7fed46ba671c9a

SHA1
159ac8425a0139a2e5e16aa9f9911dd527bffc78

SHA256
309cdb9a2fc82b5328b5a728066b9f3ccc36fbab806c32c159734348ad516ab7

SHA512
48c0d99c759c7f5a999f2249fa73cad95327561f6cd924472f32cc8b17a8690424436a6f3f4aca820f79b3eb789ee91dd8a39dc8d526a7603794aea8e39c6bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
68a39fa97a4acd22b288bf92b1d942f5

SHA1
4579c9aa7f4187b4eee7f1b534c2c60fcbeb260e

SHA256
c48da27441a4cbf5417805663525884e723e2c268262c9b0e2eee94b81d266cc

SHA512
f526cf234561797efa7ee214c846d7ba111a90f404d9c5494e431b6ef3de99d53b97f8d6082482d688d83d3ee056d54e15b47e7a9742872080f0aeeba62398aa

Download Submit
memory/752-21-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/752-44-0x00000000006B0000-0x0000000000731000-memory.dmp

Filesize
516KB

Download
memory/752-11-0x00000000006B0000-0x0000000000731000-memory.dmp

Filesize
516KB

Download
memory/752-13-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/752-20-0x00000000006B0000-0x0000000000731000-memory.dmp

Filesize
516KB

Download
memory/1600-46-0x0000000000B20000-0x0000000000BB9000-memory.dmp

Filesize
612KB

Download
memory/1600-39-0x0000000000B20000-0x0000000000BB9000-memory.dmp

Filesize
612KB

Download
memory/1600-42-0x0000000001350000-0x0000000001352000-memory.dmp

Filesize
8KB

Download
memory/1600-41-0x0000000000B20000-0x0000000000BB9000-memory.dmp

Filesize
612KB

Download
memory/1600-47-0x0000000000B20000-0x0000000000BB9000-memory.dmp

Filesize
612KB

Download
memory/1600-48-0x0000000000B20000-0x0000000000BB9000-memory.dmp

Filesize
612KB

Download
memory/1600-49-0x0000000000B20000-0x0000000000BB9000-memory.dmp

Filesize
612KB

Download
memory/1600-50-0x0000000000B20000-0x0000000000BB9000-memory.dmp

Filesize
612KB

Download
memory/4844-17-0x0000000000500000-0x0000000000581000-memory.dmp

Filesize
516KB

Download
memory/4844-1-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/4844-0-0x0000000000500000-0x0000000000581000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads