urelas | 00beca69e33195437c35687cc54718329808df1d36cc982b1a253dea14998d71

General

Target

00beca69e33195437c35687cc54718329808df1d36cc982b1a253dea14998d71N.exe
Size

336KB
MD5

5b6f90438f5b1e6310e8b2e2defd3b70
SHA1

f05d56b3033c00acb4d4b1fd185f6a51609edb2c
SHA256

00beca69e33195437c35687cc54718329808df1d36cc982b1a253dea14998d71
SHA512

34bfa93b039e3ae68ff8559cfde5a536f90e271d8354c07d4d6f6df16afcb1e1b03e36238f06b82eed788d96b7f22b976831876d1922d602bfecd9fea101a51d
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKofQ:vHW138/iXWlK885rKlGSekcj66ciF

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	00beca69e33195437c35687cc54718329808df1d36cc982b1a253dea14998d71N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	atdab.exe

Executes dropped EXE 2 IoCs

pid	Process
2308	atdab.exe
5108	picit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	picit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00beca69e33195437c35687cc54718329808df1d36cc982b1a253dea14998d71N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atdab.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe
5108	picit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 2308	5008	00beca69e33195437c35687cc54718329808df1d36cc982b1a253dea14998d71N.exe	82
PID 5008 wrote to memory of 2308	5008	00beca69e33195437c35687cc54718329808df1d36cc982b1a253dea14998d71N.exe	82
PID 5008 wrote to memory of 2308	5008	00beca69e33195437c35687cc54718329808df1d36cc982b1a253dea14998d71N.exe	82
PID 5008 wrote to memory of 3412	5008	00beca69e33195437c35687cc54718329808df1d36cc982b1a253dea14998d71N.exe	83
PID 5008 wrote to memory of 3412	5008	00beca69e33195437c35687cc54718329808df1d36cc982b1a253dea14998d71N.exe	83
PID 5008 wrote to memory of 3412	5008	00beca69e33195437c35687cc54718329808df1d36cc982b1a253dea14998d71N.exe	83
PID 2308 wrote to memory of 5108	2308	atdab.exe	94
PID 2308 wrote to memory of 5108	2308	atdab.exe	94
PID 2308 wrote to memory of 5108	2308	atdab.exe	94

C:\Users\Admin\AppData\Local\Temp\00beca69e33195437c35687cc54718329808df1d36cc982b1a253dea14998d71N.exe
"C:\Users\Admin\AppData\Local\Temp\00beca69e33195437c35687cc54718329808df1d36cc982b1a253dea14998d71N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Local\Temp\atdab.exe
  "C:\Users\Admin\AppData\Local\Temp\atdab.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\picit.exe
    "C:\Users\Admin\AppData\Local\Temp\picit.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
758723cbe06bbdab92d388cd053583dc

SHA1
bc82a8ba474d69530d2d82ebdaf601a16ded86d9

SHA256
5fede1a7ed6e11fe49824c4451022ca3dacb37792d6ba9cca8b3f8997fb7a35f

SHA512
e4f1f7fdc62b23a8470db2e95103920e8778743951e591e11aa5653f17e737a89c92c918dcafa408efd932598f5d6d3675fc0eeb48242f043bb427aee6cf1f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\atdab.exe

Filesize
336KB

MD5
fac9b72a70522478f6d3942493400440

SHA1
aac43f58541435b200df53eacdde9597d0f55026

SHA256
ec5c9f5ff68d421daa40bb6616f1c64f9852f00d81918a04b6af6d4fe9216ce4

SHA512
3489bc13943c759d882218b87871721609e7ae720a27781aa6a770a456ba1d5fb866412e446384983809726daab9792ad5f7106b079b92f9f7b6035bebec7c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8960ea28794f126bf869f31ccc240ca0

SHA1
0d3e86765f5370768a4ffb29b5ae32925f141a7c

SHA256
040156515ce1a9c5c2ee19d55497a908ac6706cb4ab0f81bffe1ad29146fa3ad

SHA512
15c0d8d723b19d8b15fe0673f9f7b8cb163be5df5c9bd6d27f258a299b92efd479688163bcba70e9c015c70618bc1dac6b4f34aa324f3e02e4afb748affffb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\picit.exe

Filesize
172KB

MD5
28df2b466482c2a6ec0a853aa49673c1

SHA1
2fad9b71e2b1148b5cb1255ba02dad58a7e964c5

SHA256
2d2a753300b9d8599e2a1b75819c91b41e2255a1580f8124bf85b220c8afe111

SHA512
ae2a9747e96ba1077054961129796356343434e5b6fd4cb36ef55ffc0008af1070e84f26bb198ab6d60b99515c5a37cce1c312c92e866adae1e54244bf1e06ec

Download Submit
memory/2308-20-0x0000000000800000-0x0000000000881000-memory.dmp

Filesize
516KB

Download
memory/2308-21-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/2308-14-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/2308-11-0x0000000000800000-0x0000000000881000-memory.dmp

Filesize
516KB

Download
memory/2308-44-0x0000000000800000-0x0000000000881000-memory.dmp

Filesize
516KB

Download
memory/5008-0-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/5008-1-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/5008-17-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/5108-38-0x0000000000730000-0x00000000007C9000-memory.dmp

Filesize
612KB

Download
memory/5108-39-0x0000000000D00000-0x0000000000D02000-memory.dmp

Filesize
8KB

Download
memory/5108-40-0x0000000000730000-0x00000000007C9000-memory.dmp

Filesize
612KB

Download
memory/5108-46-0x0000000000D00000-0x0000000000D02000-memory.dmp

Filesize
8KB

Download
memory/5108-47-0x0000000000730000-0x00000000007C9000-memory.dmp

Filesize
612KB

Download
memory/5108-48-0x0000000000730000-0x00000000007C9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing