urelas | 0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3

General

Target

0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe
Size

403KB
MD5

d1c773e84eeb50f6b2964cc7d94b6fdf
SHA1

e78828b1a72b9025538dd7ee15efdff12939576e
SHA256

0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3
SHA512

c3c9c4aa3a7a3bb896f4939531a9f810fea888db2534ec8fb99ba4522ac283806494f92c2b2feacaa711b8e1dd1b0c5e8da2f59dfdd4d7e6cc92cbf38712e4a4
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohq:8IfBoDWoyFblU6hAJQnOA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exetapip.exejeimur.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	tapip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	jeimur.exe

Executes dropped EXE 3 IoCs

Processes:

tapip.exejeimur.exegiizm.exe

pid	Process
1560	tapip.exe
3504	jeimur.exe
3184	giizm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

jeimur.exegiizm.execmd.exe0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exetapip.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeimur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	giizm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tapip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

giizm.exe

pid	Process
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe
3184	giizm.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exetapip.exejeimur.exe

description	pid	Process	procid_target
PID 1608 wrote to memory of 1560	1608	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	83
PID 1608 wrote to memory of 1560	1608	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	83
PID 1608 wrote to memory of 1560	1608	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	83
PID 1608 wrote to memory of 1496	1608	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	84
PID 1608 wrote to memory of 1496	1608	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	84
PID 1608 wrote to memory of 1496	1608	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	84
PID 1560 wrote to memory of 3504	1560	tapip.exe	86
PID 1560 wrote to memory of 3504	1560	tapip.exe	86
PID 1560 wrote to memory of 3504	1560	tapip.exe	86
PID 3504 wrote to memory of 3184	3504	jeimur.exe	103
PID 3504 wrote to memory of 3184	3504	jeimur.exe	103
PID 3504 wrote to memory of 3184	3504	jeimur.exe	103
PID 3504 wrote to memory of 4836	3504	jeimur.exe	104
PID 3504 wrote to memory of 4836	3504	jeimur.exe	104
PID 3504 wrote to memory of 4836	3504	jeimur.exe	104

C:\Users\Admin\AppData\Local\Temp\0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe
"C:\Users\Admin\AppData\Local\Temp\0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\tapip.exe
  "C:\Users\Admin\AppData\Local\Temp\tapip.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\jeimur.exe
    "C:\Users\Admin\AppData\Local\Temp\jeimur.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\giizm.exe
      "C:\Users\Admin\AppData\Local\Temp\giizm.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
cbe873fbd50b9f9ad6f04a4e337e8bd9

SHA1
49a591d641d244de660189cdb778cc7bc2ab652c

SHA256
29cf0ccf9c646138b8da8901a429c50ac20d4f488c59ce42c76f5a39d12c9a46

SHA512
99c4ccf58024c0c3328e66e7cb926342af73f7b461ee8f4a63ea234e4a240a5b6efcdcdc21462f1b68927ab3e6b9207eebbf42ec95f84ec53c3dd0769538cfd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
5e07627bd48d6e730d4dbda681df74bb

SHA1
4d1a4b684280a71623adc893bd02ed41e9f9d445

SHA256
f0e523e29b75bc91b757caefbb3d38deea6856e9f6633d43d8bd98ade1ac2607

SHA512
9fe75795bd34d09828d5c7ba54c980a7d21b815c4a286aff2979726ff4c46c5a5edde24d305a2876cab833c4b20e1a6d23ceaa9544473395f50e86e463684e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\giizm.exe

Filesize
223KB

MD5
4ce9b55397877386c02cb6daa3f43779

SHA1
2c546f3a97491a0a2a92c33cc90f373ab8a44489

SHA256
9dc8fbbd79a2fe04d466b8f314fec805cbe87c45b2488624edf1ee95778fb0bc

SHA512
babce53c7228b79debb0c2a6033e51334a6ffce51a02a6476908b3a64d6a36ff138741965be738a9c00823b60535ec49794e4f9041fd8ec9c05034e423b01357

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7853615f62299e7049b133ef98118350

SHA1
d46c35e21afd8ed4b92db8b7ea2ef1e5ac7f0b8a

SHA256
0db8afe90dbe81e83dbd4987ec459e4ed8eb80b7e7e0c6fadb609c54bf076363

SHA512
49194f4109c84ac4d16090e8733629ab3e40668d7c492a206e5cbb06e2dd93ecdf149cfdcb01bcaf2a7e200b4df303663a0a3686927e23820a16d3db378b7147

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeimur.exe

Filesize
403KB

MD5
94908b2cf08ed3473498ed90aef4df12

SHA1
e485aa8b1fe0ca2474e3551d9f6f45c44de0adf3

SHA256
8ea16185c0aac907a54a85c0dddb8ef792c39ec52b53f52746052a3ec25d2038

SHA512
5c75741c8456fc301cf6c9531c2b2463efcb2a834126752216c4965146b71ed80dfac27e8e2d66c7b365830b3b55a05497175649f94cc02fb1650aa135357944

Download Submit
C:\Users\Admin\AppData\Local\Temp\tapip.exe

Filesize
403KB

MD5
f9091fa9d87bf23aba68db1063b780f6

SHA1
7bd87f550f816b02b2a2283352745f94a7590385

SHA256
c9de440bfff9a6fb8e402433f49503a8128453e4048ccbb10ff46743f5b4e10a

SHA512
cf188b0cb6029bfa3dcb6a7f4c0c30f24f32e56ebe7194889331b2dddbd01dd73901b1ec30a408ac186b96070ccdafc7955c15ab46a130b66fc52ddbcb101ddd

Download Submit
memory/1560-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1560-13-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1608-15-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1608-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3184-37-0x00000000004E0000-0x0000000000580000-memory.dmp

Filesize
640KB

Download
memory/3184-42-0x00000000004E0000-0x0000000000580000-memory.dmp

Filesize
640KB

Download
memory/3184-43-0x00000000004E0000-0x0000000000580000-memory.dmp

Filesize
640KB

Download
memory/3504-26-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3504-40-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads