urelas | 699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c

General

Target

699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exe
Size

338KB
MD5

4b618ee7eb34d9776481ce7809bf23c0
SHA1

50be72c1861ba577f12872fe5f068a674afe91c3
SHA256

699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c
SHA512

58ef134e82912754e09775b9ebdb99828cf81fc8a432e3f20e015e0ed4ad98fcf6fbca9127fe0a6b64099868e4ca1785a6d8c47d7ac853081e4392b800911110
SSDEEP

6144:i5tYTzqklVw910CIWrC9foCChVN6XCLWk6aMWgziMV1AXj16NYuLDuUcOibi5EB9:iUPTCBC9A/VIXCCkMWguMcj0vbd5E0/O

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2080 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

rigav.exebigos.exe

pid process

1928 rigav.exe
1484 bigos.exe
Loads dropped DLL 2 IoCs

Processes:

699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exerigav.exe

pid process

2348 699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exe
1928 rigav.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2080	cmd.exe

pid	process
1928	rigav.exe
1484	bigos.exe

pid	process
2348	699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exe
1928	rigav.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bigos.exe699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exerigav.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bigos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rigav.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

bigos.exe

pid	process
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe
1484	bigos.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exerigav.exe

description	pid	process	target process
PID 2348 wrote to memory of 1928	2348	699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exe	rigav.exe
PID 2348 wrote to memory of 1928	2348	699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exe	rigav.exe
PID 2348 wrote to memory of 1928	2348	699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exe	rigav.exe
PID 2348 wrote to memory of 1928	2348	699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exe	rigav.exe
PID 2348 wrote to memory of 2080	2348	699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exe	cmd.exe
PID 2348 wrote to memory of 2080	2348	699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exe	cmd.exe
PID 2348 wrote to memory of 2080	2348	699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exe	cmd.exe
PID 2348 wrote to memory of 2080	2348	699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exe	cmd.exe
PID 1928 wrote to memory of 1484	1928	rigav.exe	bigos.exe
PID 1928 wrote to memory of 1484	1928	rigav.exe	bigos.exe
PID 1928 wrote to memory of 1484	1928	rigav.exe	bigos.exe
PID 1928 wrote to memory of 1484	1928	rigav.exe	bigos.exe

C:\Users\Admin\AppData\Local\Temp\699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exe
"C:\Users\Admin\AppData\Local\Temp\699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\rigav.exe
"C:\Users\Admin\AppData\Local\Temp\rigav.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\bigos.exe
"C:\Users\Admin\AppData\Local\Temp\bigos.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b3b09c9100c29bcb381bc1957e00318f

SHA1
bf239a83e082208b0675faa439c4ff3007b5b922

SHA256
cc20c0d1a9f95e9f2ae27a553f5b9c1899bd3e82a4097502ac8429e511f46e67

SHA512
c88773cd2eabe688b87e505fe6d0b3dab8f6308a1872c88c9298c62636dab7a33bf6977b4ed4d2f4826a06ac19868d70dce44bc0a10819b40c1ac1e7b3893d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
465adbfe47cc4c751185c6d870056d82

SHA1
2f096d774fb5dae99d1849c27e81a04fec81f47d

SHA256
561406f8073b97215c55ed8b34c83451cfb6c18ba9a6ca957aef9110910b4905

SHA512
b7b5c21222fe872ed0cc5d5344f56723c3a0c27f6cab330dbc94ebfa2d178ca8679c5be0ceb55b51e166f7d86b9175411b9f302e793c8ef572eca472c527fc81

Download Submit
\Users\Admin\AppData\Local\Temp\bigos.exe

Filesize
226KB

MD5
a094c8e49d17d563d229abcac805cbbf

SHA1
052c720be6486e8502050f8ab7d8dd3420ff6ef0

SHA256
f0072ac10904843c4a5777e4d959db4adf02a1af7ffe2b1aaf11d6abc4a825b7

SHA512
b9216da7290b3d2af69754276ecfbe1be27af345f09c7651704857edd781ab9b76f9a2a5adfd42d1cf5d8e5051e21a48e2f213af0d4c5f1dc9c3a48ed120ba1d

Download Submit
\Users\Admin\AppData\Local\Temp\rigav.exe

Filesize
338KB

MD5
b39fb500db37d0850bc1fc888461a91d

SHA1
b08dfc30e551124731914fab225b6c31ce930697

SHA256
480d43d9c734fd81cc5329901283d0dfb98fba7e3c153d2e679c7dc393cb9166

SHA512
d750aa7cbe853c6103b19478215eb77638264026ab3c0845969f223bf200440db15439cc3daf629816658ac9e92b6e53db9fcf76fc75386a92ba68185a687642

Download Submit
memory/1484-40-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1484-47-0x0000000000A60000-0x0000000000B10000-memory.dmp

Filesize
704KB

Download
memory/1484-46-0x0000000000A60000-0x0000000000B10000-memory.dmp

Filesize
704KB

Download
memory/1484-45-0x0000000000A60000-0x0000000000B10000-memory.dmp

Filesize
704KB

Download
memory/1484-44-0x0000000000A60000-0x0000000000B10000-memory.dmp

Filesize
704KB

Download
memory/1484-43-0x0000000000A60000-0x0000000000B10000-memory.dmp

Filesize
704KB

Download
memory/1484-41-0x0000000000A60000-0x0000000000B10000-memory.dmp

Filesize
704KB

Download
memory/1928-37-0x0000000003060000-0x0000000003110000-memory.dmp

Filesize
704KB

Download
memory/1928-39-0x0000000001310000-0x0000000001397000-memory.dmp

Filesize
540KB

Download
memory/1928-22-0x0000000001310000-0x0000000001397000-memory.dmp

Filesize
540KB

Download
memory/1928-19-0x0000000001310000-0x0000000001397000-memory.dmp

Filesize
540KB

Download
memory/2348-18-0x0000000000890000-0x0000000000917000-memory.dmp

Filesize
540KB

Download
memory/2348-0-0x0000000000890000-0x0000000000917000-memory.dmp

Filesize
540KB

Download
memory/2348-16-0x0000000002540000-0x00000000025C7000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads