urelas | 3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124

General

Target

3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe
Size

537KB
MD5

b20e55b1dcce2bfa5356a84bcd9da7d9
SHA1

79e4dffeb55d8c3818ad3b8ce3c1048f9baf92ee
SHA256

3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124
SHA512

dc7ac12b0c4df4d4d0d31875fce8c4e2fec5ede05cf8ffa26a2bae6e8983ccde39550535c8d9f06b0130994de5ebe96fc66a0a5d71075c2318aab92e3eb29480
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPg:q0P/k4lb2wKatg

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exewycyt.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wycyt.exe

Executes dropped EXE 2 IoCs

Processes:

wycyt.exegogim.exe

pid	Process
1968	wycyt.exe
2008	gogim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exewycyt.execmd.exegogim.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wycyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gogim.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

gogim.exe

pid	Process
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe
2008	gogim.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exewycyt.exe

description	pid	Process	procid_target
PID 2804 wrote to memory of 1968	2804	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	82
PID 2804 wrote to memory of 1968	2804	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	82
PID 2804 wrote to memory of 1968	2804	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	82
PID 2804 wrote to memory of 3608	2804	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	83
PID 2804 wrote to memory of 3608	2804	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	83
PID 2804 wrote to memory of 3608	2804	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	83
PID 1968 wrote to memory of 2008	1968	wycyt.exe	94
PID 1968 wrote to memory of 2008	1968	wycyt.exe	94
PID 1968 wrote to memory of 2008	1968	wycyt.exe	94

C:\Users\Admin\AppData\Local\Temp\3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe
"C:\Users\Admin\AppData\Local\Temp\3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\wycyt.exe
  "C:\Users\Admin\AppData\Local\Temp\wycyt.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\gogim.exe
    "C:\Users\Admin\AppData\Local\Temp\gogim.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
50246892b31984ab4015a5076fcaca9a

SHA1
882bda725f7c0a959de66d3ba722344dc5aa2814

SHA256
2c8d08bfb822716eb5c40d51356621af10b57d043c97a87a93b06f27ef047651

SHA512
1697fcc1bd015d7bdbbde0230248ecd465f16acf8ea7143465f6ea326b558e1797a7e28132f374f58b360757fca57659e7f4481c926b199f712c6579442533a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gogim.exe

Filesize
236KB

MD5
6747277e3eb011b96f7664db8a35e2b7

SHA1
8c7a7d4246fd6bf8e0c986566510a43f9e235f03

SHA256
b0ea677028a4fc97f1ea66b5c76d2ca802107062f02db71b81bb03b6dbb73a10

SHA512
c172fc05d8b4594c2e7876894fdc2053a662c78d01eaaef3504f0e3405d32c509b473e9ae34732478326b3560fb7715344502774057669b3b99c3a3b888ef17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
88a8b8068999d5cad755db072f0e8cc4

SHA1
6618c117c64556b0ad1d511c8201e8ad786b411a

SHA256
8e8cb95e626787f06bcc0d4895fda71dadf582bc7728b198c1033723e636776f

SHA512
880ae796bb08acef13f975906c44854da1ed22dad63ecdfc527ac08467d156398e233611df07296c506af81da8aad522b181e8fe6d756c53875b0fed3d209d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\wycyt.exe

Filesize
537KB

MD5
79e9444c2af72b616d387fd26782a300

SHA1
9d14978943629c314565288e85cb7b2cd21c072e

SHA256
088cc8b9dccd1de693909fadbaec82abb4fad31d19a1885ed1f6e0f1da48dc69

SHA512
a8f9c04e77fef46d525122596a8e8a77087aff148b0b8250ca66c025af67b014b77ab44bd18e54eeac6f92efe91b8340e5ed2c739c15402a743990c36d0dd5a6

Download Submit
memory/1968-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1968-25-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2008-26-0x0000000000500000-0x00000000005A3000-memory.dmp

Filesize
652KB

Download
memory/2008-27-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/2008-29-0x0000000000500000-0x00000000005A3000-memory.dmp

Filesize
652KB

Download
memory/2008-30-0x0000000000500000-0x00000000005A3000-memory.dmp

Filesize
652KB

Download
memory/2804-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2804-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads