urelas | 4644517d2806702549b846419b6535fe1f921619f9d1beed5227b46417e97880

General

Target

1c7b51fc42a4cb6f04c7bcad06152d3a.exe
Size

536KB
MD5

1c7b51fc42a4cb6f04c7bcad06152d3a
SHA1

087011b2bdbe8ad0a2486fbb5c0f6817259dc785
SHA256

4644517d2806702549b846419b6535fe1f921619f9d1beed5227b46417e97880
SHA512

54ae9f8dbb6f3d5da6c88edbec1f3608160a6c6ddcba30f55a106d2c59be0f8751f5297bbcaa5e24794ef2e24e4aa593154967838767815cbdf67850d359af45
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPd:q0P/k4lb2wKatd

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2828	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2116	nihis.exe
2152	ufsio.exe

Loads dropped DLL 2 IoCs

pid	Process
2212	1c7b51fc42a4cb6f04c7bcad06152d3a.exe
2116	nihis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe
2152	ufsio.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2116	2212	1c7b51fc42a4cb6f04c7bcad06152d3a.exe	28
PID 2212 wrote to memory of 2116	2212	1c7b51fc42a4cb6f04c7bcad06152d3a.exe	28
PID 2212 wrote to memory of 2116	2212	1c7b51fc42a4cb6f04c7bcad06152d3a.exe	28
PID 2212 wrote to memory of 2116	2212	1c7b51fc42a4cb6f04c7bcad06152d3a.exe	28
PID 2212 wrote to memory of 2828	2212	1c7b51fc42a4cb6f04c7bcad06152d3a.exe	29
PID 2212 wrote to memory of 2828	2212	1c7b51fc42a4cb6f04c7bcad06152d3a.exe	29
PID 2212 wrote to memory of 2828	2212	1c7b51fc42a4cb6f04c7bcad06152d3a.exe	29
PID 2212 wrote to memory of 2828	2212	1c7b51fc42a4cb6f04c7bcad06152d3a.exe	29
PID 2116 wrote to memory of 2152	2116	nihis.exe	33
PID 2116 wrote to memory of 2152	2116	nihis.exe	33
PID 2116 wrote to memory of 2152	2116	nihis.exe	33
PID 2116 wrote to memory of 2152	2116	nihis.exe	33

C:\Users\Admin\AppData\Local\Temp\1c7b51fc42a4cb6f04c7bcad06152d3a.exe
"C:\Users\Admin\AppData\Local\Temp\1c7b51fc42a4cb6f04c7bcad06152d3a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\nihis.exe
  "C:\Users\Admin\AppData\Local\Temp\nihis.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\ufsio.exe
    "C:\Users\Admin\AppData\Local\Temp\ufsio.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
be61fc447437aa4134c851bdb3fee6b1

SHA1
6b825d287562aa5c5b469f95335d90bb876efdaf

SHA256
346b80e2400a436a53466bea29af678ee0cf5181d7f3b3d9dc5e6ca83db25008

SHA512
4ba0834b05968e8f71869585c17f8e50a99b1a85defe7b56411ff0bd7af745210884d8d47e24a661754072d5ff134d35717a2a7c92f3d13f2cd130e030143d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ffba7d3c78939e323c5c2a2aa4c1b2f4

SHA1
ce7ba16654cf27807ef6d9ad3f0ec96d65aedc3b

SHA256
d9e36e62c408fcb3d39b9b00e60cf06ccc96dcaf5589d30adce9a20c8f4c358e

SHA512
7a8f0229facc0a8c7edcff3a8427410f7e95ce8992fc129786bbc2435a3b82a8cb8dfae66e74cfdef609b9e92410d18305f72671188a63873dbba780758d1d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\nihis.exe

Filesize
109KB

MD5
5f239d6b1948431d7c37c93eb16752e7

SHA1
3eb220d0eb974ba6f9c8320188bf2ed657611e1d

SHA256
d3b66afb600738d2d1d1ce3de16c86afe605ba54c1858c2f71a95b9292be0e8a

SHA512
61b81189553b148185ab9fc3fe2edc619b6583664529fb7ba4ee3f3f69f45a3041ce55a9ef0541d7cf1a201a1ab672419ea8ba088eb72281b1a3e69ea3376f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\nihis.exe

Filesize
384KB

MD5
67010fd220f037d1099b6f5802c256eb

SHA1
b7846614f612769ff29bc41f28377a70656ceacd

SHA256
ab9b11cbefe036aac79e11d8c535741ea98db9004f27181844459c7a51593d9e

SHA512
60c8b85ed320b75f3be574a782e46ed5fdc488046ca3bb9dee3854483741c7d965e1f22aca92ad588a56de7ac0cfe4462e55a74e0112097896a465488ac6bf77

Download Submit
\Users\Admin\AppData\Local\Temp\nihis.exe

Filesize
536KB

MD5
f0568f914592ad79eac8b1aad18a830b

SHA1
1e3681c9cbbedd3125d185e5bd025221b4819cbf

SHA256
79c264394c0e5d0772a9497669cdf51f13cacc650acacfe3fdc0322edf359d1b

SHA512
40315ffb8fc3a8798520c4ef6e5bb1d604567d296005bd9b8b2d339818d5cf34e612f4cd29aa75b1ab3744a68dd3aed3af74806a54e2e7adff1bb98754427f9c

Download Submit
\Users\Admin\AppData\Local\Temp\ufsio.exe

Filesize
236KB

MD5
b413b6f579c9870abe4e5a8316aaf670

SHA1
e1e99c6cb076692d6942d439bfe7f1dd848d23fd

SHA256
9a4cd995bdedf4457898e2aa672934a553207d8b71eb0ce81afcb3a184cf6118

SHA512
c927d221cbce7718be18dec38c67c8bc53c15cdc9cc2eb00ad1595a7ef768a4127160d940df2447087e308a1c201e89a981c661f1690d7c3d2c47d451cba878e

Download Submit
memory/2116-27-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2116-26-0x0000000003370000-0x0000000003413000-memory.dmp

Filesize
652KB

Download
memory/2116-10-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2152-29-0x0000000000040000-0x00000000000E3000-memory.dmp

Filesize
652KB

Download
memory/2152-30-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2152-32-0x0000000000040000-0x00000000000E3000-memory.dmp

Filesize
652KB

Download
memory/2152-33-0x0000000000040000-0x00000000000E3000-memory.dmp

Filesize
652KB

Download
memory/2152-34-0x0000000000040000-0x00000000000E3000-memory.dmp

Filesize
652KB

Download
memory/2152-35-0x0000000000040000-0x00000000000E3000-memory.dmp

Filesize
652KB

Download
memory/2212-18-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2212-6-0x0000000002840000-0x00000000028CC000-memory.dmp

Filesize
560KB

Download
memory/2212-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing