urelas | 2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd

General

Target

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
Size

453KB
MD5

92dbb63475ed85b64c332c1b5a4388b4
SHA1

27aff6f89f1b33c93104cc735e4fc33c5ef5f780
SHA256

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd
SHA512

69f01ad4f2754f05be3375e93e0c97eebdb24778ec225e2473456095e9fb41f6b778a454866e7573f28160b4237aeda27eda56f367a3d678634792e70aa71ada
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFB:CMpASIcWYx2U6hAJQni

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kyqoky.exe2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exefiosz.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	kyqoky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fiosz.exe

Executes dropped EXE 3 IoCs

Processes:

fiosz.exekyqoky.exejudup.exe

pid process

3092 fiosz.exe
700 kyqoky.exe
1656 judup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3092	fiosz.exe
700	kyqoky.exe
1656	judup.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exekyqoky.exejudup.execmd.exe2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exefiosz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyqoky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	judup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fiosz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

judup.exe

pid	process
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe
1656	judup.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exefiosz.exekyqoky.exe

description	pid	process	target process
PID 4648 wrote to memory of 3092	4648	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	fiosz.exe
PID 4648 wrote to memory of 3092	4648	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	fiosz.exe
PID 4648 wrote to memory of 3092	4648	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	fiosz.exe
PID 4648 wrote to memory of 1620	4648	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	cmd.exe
PID 4648 wrote to memory of 1620	4648	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	cmd.exe
PID 4648 wrote to memory of 1620	4648	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	cmd.exe
PID 3092 wrote to memory of 700	3092	fiosz.exe	kyqoky.exe
PID 3092 wrote to memory of 700	3092	fiosz.exe	kyqoky.exe
PID 3092 wrote to memory of 700	3092	fiosz.exe	kyqoky.exe
PID 700 wrote to memory of 1656	700	kyqoky.exe	judup.exe
PID 700 wrote to memory of 1656	700	kyqoky.exe	judup.exe
PID 700 wrote to memory of 1656	700	kyqoky.exe	judup.exe
PID 700 wrote to memory of 1944	700	kyqoky.exe	cmd.exe
PID 700 wrote to memory of 1944	700	kyqoky.exe	cmd.exe
PID 700 wrote to memory of 1944	700	kyqoky.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
"C:\Users\Admin\AppData\Local\Temp\2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\fiosz.exe
  "C:\Users\Admin\AppData\Local\Temp\fiosz.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\kyqoky.exe
    "C:\Users\Admin\AppData\Local\Temp\kyqoky.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Users\Admin\AppData\Local\Temp\judup.exe
      "C:\Users\Admin\AppData\Local\Temp\judup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
fbda5501e0cc5d81f18db3e932f5f92d

SHA1
561a1409b02236a4a3b8fce97cc4269bf722b5d9

SHA256
f583f215cc4b75178c1b05bed17694223aaa494b6298dc48d5971b2bcf5194ce

SHA512
932edd3e01e7b9576f1e3a1e94988cec2cef0775938d4a6ba02dbb2f48dd1d869225e5a8236c5ba4896ffd03db1cfcba7d26ae95824ae41aac1bc34f5a81019b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
a52b5a348d9d3bbd9b35603d466ff6ba

SHA1
ebf33971d24a6bc26ae8b06fa9cd7dde8e6b6697

SHA256
7109f01251179a27c5285e202f6712b548446c166abe2f122d7e60a15a4d9944

SHA512
d9b99c103437527efefa8c6636bb6e100d01314b5dfd99e85503632343f3f234f643571410bb312ddfb1f3e2dfe063237e13bb220b640ba94c616e3ee4818513

Download Submit
C:\Users\Admin\AppData\Local\Temp\fiosz.exe

Filesize
453KB

MD5
014b2cc10df05e43423f60a6d28208c3

SHA1
4fb668887d3250d3dd3439adc624b0986fb078d4

SHA256
e0dec053a4d55ff65bae9bd16de3315630866f94feb0f500d2808c248e172ddc

SHA512
d85d9bad5499967067399fc4bb6751aa37fd99ac0175cf8a796d8e11e9b805163cbe9a0684a9b923debf279b0737ce9d16b405cced8afe20a2a50c93c1d48c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1dc5f8a437d180552b767cbc76c954f9

SHA1
1ab798d663db46c815f61f68febafc35fe89c484

SHA256
674e2b5e0b9d6dfb94633285d70c81d51f60c25faaaf282f974e08fe7207332c

SHA512
82a45d100229178c4156436668ddea9b6eda34188b5eae926e7609ee093fc4b339b73e912c69d3b95c34722337281db217536ceb1d5cbe8885714a165bff3af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\judup.exe

Filesize
223KB

MD5
8d48db5fef3703ac25f0f7e1bcb369ed

SHA1
d8e8f1a5df2bab8bd470149ba3349c3e94daf050

SHA256
2481750b7db56e849dde2ce8e3d51316a55b8264d90853e8a8117ab7f8902ebf

SHA512
91a1775e2caf09990d3354a19d8d177a9b75850505830b3915b7be6ae06a66d0a10e4072ec170d8bd73693179e41788b033a84a8490d326fcf0ad58cf8f31b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyqoky.exe

Filesize
453KB

MD5
1664ff58ce76c8a02b081a00a18def48

SHA1
e1ae93482d3a5743a355e72d969fc7a88db59b86

SHA256
3e8146eb40fc47b57ca163c3555fbab4b5cdb8cd8dee7a0af265e227770fd6c3

SHA512
a720f9c19a1009cda2a3565388a2db41d30e4501976b3aa844bd89b55203d69113694617355989a050a01917fd5024ce2804b2f312bc72de05c6c067ca72442a

Download Submit
memory/700-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/700-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1656-36-0x00000000007C0000-0x0000000000860000-memory.dmp

Filesize
640KB

Download
memory/1656-41-0x00000000007C0000-0x0000000000860000-memory.dmp

Filesize
640KB

Download
memory/1656-42-0x00000000007C0000-0x0000000000860000-memory.dmp

Filesize
640KB

Download
memory/1656-43-0x00000000007C0000-0x0000000000860000-memory.dmp

Filesize
640KB

Download
memory/1656-44-0x00000000007C0000-0x0000000000860000-memory.dmp

Filesize
640KB

Download
memory/1656-45-0x00000000007C0000-0x0000000000860000-memory.dmp

Filesize
640KB

Download
memory/3092-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4648-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4648-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads