urelas | 3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124

General

Target

3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe
Size

537KB
MD5

b20e55b1dcce2bfa5356a84bcd9da7d9
SHA1

79e4dffeb55d8c3818ad3b8ce3c1048f9baf92ee
SHA256

3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124
SHA512

dc7ac12b0c4df4d4d0d31875fce8c4e2fec5ede05cf8ffa26a2bae6e8983ccde39550535c8d9f06b0130994de5ebe96fc66a0a5d71075c2318aab92e3eb29480
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPg:q0P/k4lb2wKatg

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2348 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

ceboi.exesoxod.exe

pid process

1648 ceboi.exe
2532 soxod.exe
Loads dropped DLL 2 IoCs

Processes:

3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.execeboi.exe

pid process

2904 3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe
1648 ceboi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2348	cmd.exe

pid	process
1648	ceboi.exe
2532	soxod.exe

pid	process
2904	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe
1648	ceboi.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.execeboi.execmd.exesoxod.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ceboi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soxod.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

soxod.exe

pid	process
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe
2532	soxod.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.execeboi.exe

description	pid	process	target process
PID 2904 wrote to memory of 1648	2904	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	ceboi.exe
PID 2904 wrote to memory of 1648	2904	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	ceboi.exe
PID 2904 wrote to memory of 1648	2904	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	ceboi.exe
PID 2904 wrote to memory of 1648	2904	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	ceboi.exe
PID 2904 wrote to memory of 2348	2904	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	cmd.exe
PID 2904 wrote to memory of 2348	2904	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	cmd.exe
PID 2904 wrote to memory of 2348	2904	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	cmd.exe
PID 2904 wrote to memory of 2348	2904	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	cmd.exe
PID 1648 wrote to memory of 2532	1648	ceboi.exe	soxod.exe
PID 1648 wrote to memory of 2532	1648	ceboi.exe	soxod.exe
PID 1648 wrote to memory of 2532	1648	ceboi.exe	soxod.exe
PID 1648 wrote to memory of 2532	1648	ceboi.exe	soxod.exe

C:\Users\Admin\AppData\Local\Temp\3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe
"C:\Users\Admin\AppData\Local\Temp\3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\ceboi.exe
  "C:\Users\Admin\AppData\Local\Temp\ceboi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\soxod.exe
    "C:\Users\Admin\AppData\Local\Temp\soxod.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
50246892b31984ab4015a5076fcaca9a

SHA1
882bda725f7c0a959de66d3ba722344dc5aa2814

SHA256
2c8d08bfb822716eb5c40d51356621af10b57d043c97a87a93b06f27ef047651

SHA512
1697fcc1bd015d7bdbbde0230248ecd465f16acf8ea7143465f6ea326b558e1797a7e28132f374f58b360757fca57659e7f4481c926b199f712c6579442533a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5f0be8a957476653599e3422d9d6eff8

SHA1
139b53c6292b2b8a314edbef4b082842139675f8

SHA256
b9aba9d5bb7b85437d1d49baf4caf3ef8f9f2a1cb205a58261d7d1b1ccf1de94

SHA512
6d795b6b83ef2c0733520ad3e6a9e3a5bcfbe4877a5e735271420a69011d401fad6266647302a71b50176810d60ad6f1b273274868be2036e71c281c8a41065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\soxod.exe

Filesize
236KB

MD5
7aae1f9c05d004ca43e9f5509852340b

SHA1
b544630221852389853d0f30237bd965c9e83fae

SHA256
aeac801d7e2c8c45557c431734a9e01af73d14d5bb16daffca089c38704ec279

SHA512
4104171c18de7a5a9c966037d5070ce223b28bb27ff3741bd14db053db3de529e39fa8d78a4b90c3e420a5a570113fcdfa9947fdf991b8c03dec6f038561e446

Download Submit
\Users\Admin\AppData\Local\Temp\ceboi.exe

Filesize
537KB

MD5
81193f2aa80ba125df1d4660bdd5928f

SHA1
1d5a517864a139f870d15df059fee194eb4c10e3

SHA256
6d9623422322de4c3321a8af8ee546c5d7637ad439a381c3239508a6f3cd8c0f

SHA512
67f1829a4c35c5653bf261a80092e4508be5443ea461657c8789d864dc8f6c2ccc315bc20a8cb2c3e66064f036ac1395b55f59bce6afdbe41782d4125a36c708

Download Submit
memory/1648-29-0x0000000003120000-0x00000000031C3000-memory.dmp

Filesize
652KB

Download
memory/1648-30-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1648-18-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1648-22-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2532-31-0x0000000000D90000-0x0000000000E33000-memory.dmp

Filesize
652KB

Download
memory/2532-33-0x0000000000D90000-0x0000000000E33000-memory.dmp

Filesize
652KB

Download
memory/2532-34-0x0000000000D90000-0x0000000000E33000-memory.dmp

Filesize
652KB

Download
memory/2532-35-0x0000000000D90000-0x0000000000E33000-memory.dmp

Filesize
652KB

Download
memory/2532-36-0x0000000000D90000-0x0000000000E33000-memory.dmp

Filesize
652KB

Download
memory/2532-37-0x0000000000D90000-0x0000000000E33000-memory.dmp

Filesize
652KB

Download
memory/2904-21-0x00000000025F0000-0x000000000267C000-memory.dmp

Filesize
560KB

Download
memory/2904-17-0x00000000025F0000-0x000000000267C000-memory.dmp

Filesize
560KB

Download
memory/2904-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2904-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads