urelas | 0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846

General

Target

0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe
Size

432KB
MD5

be542e225b5a041f7d228b4b6c4936e8
SHA1

8bf87c7d0767461084254004be228d4297bbeafb
SHA256

0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846
SHA512

f9b612dc7fd67aeaedea9c500c2e05a5269642a8139c4aed5cc49db31f8cb3ee09ce99df2ff43a260747a1d031d45899a10be77db9bcd7f6c9ed5e5a903e82fa
SSDEEP

6144:L8efQ6QPJGcLbjg0CutsGH+revgLIAP1fXo1EZH:C6QPJGcE0SGereYdPc

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2788 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

rocov.exefugoj.exe

pid process

2828 rocov.exe
1492 fugoj.exe
Loads dropped DLL 2 IoCs

Processes:

0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exerocov.exe

pid process

2276 0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe
2828 rocov.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2788	cmd.exe

pid	process
2828	rocov.exe
1492	fugoj.exe

pid	process
2276	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe
2828	rocov.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exefugoj.exe0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exerocov.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fugoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rocov.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

fugoj.exe

pid	process
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe
1492	fugoj.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exerocov.exe

description	pid	process	target process
PID 2276 wrote to memory of 2828	2276	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	rocov.exe
PID 2276 wrote to memory of 2828	2276	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	rocov.exe
PID 2276 wrote to memory of 2828	2276	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	rocov.exe
PID 2276 wrote to memory of 2828	2276	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	rocov.exe
PID 2276 wrote to memory of 2788	2276	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	cmd.exe
PID 2276 wrote to memory of 2788	2276	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	cmd.exe
PID 2276 wrote to memory of 2788	2276	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	cmd.exe
PID 2276 wrote to memory of 2788	2276	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	cmd.exe
PID 2828 wrote to memory of 1492	2828	rocov.exe	fugoj.exe
PID 2828 wrote to memory of 1492	2828	rocov.exe	fugoj.exe
PID 2828 wrote to memory of 1492	2828	rocov.exe	fugoj.exe
PID 2828 wrote to memory of 1492	2828	rocov.exe	fugoj.exe

C:\Users\Admin\AppData\Local\Temp\0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe
"C:\Users\Admin\AppData\Local\Temp\0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Local\Temp\rocov.exe
"C:\Users\Admin\AppData\Local\Temp\rocov.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828

C:\Users\Admin\AppData\Local\Temp\fugoj.exe
"C:\Users\Admin\AppData\Local\Temp\fugoj.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
fab84f4b298efa708e4661723fd8726f

SHA1
ad3b0a6a3230eed02a342c8675efb82617336d60

SHA256
d9a9705dd0eb69fedc7090940f6b689ea8a0817677f67630954ce3e29ac4d2e6

SHA512
6b54036c346688560e281087ee1707d33e8ec0818b52f7940ca309990dac845b0e84cbd2660a48a25fc98402ef956f6d2ce765503d9e5b474ff52a60abf01513

Download Submit
C:\Users\Admin\AppData\Local\Temp\fugoj.exe

Filesize
291KB

MD5
89d5c43899a47e4ee8026e80ecade51a

SHA1
3480e78bcdb41a08cd749afa0f8191d86d89b4e2

SHA256
00640a652c1641f8fd8be71874740f436e025aa901894e7337af4ada529be1d3

SHA512
a309def439db31f9b2556782b83c361a225bb8eab0ff0c1a9278d38e37680a8fa7088d9247d0ad3717328de5e692aed3be2cd89bce928ce3d9d5c8c1b82f9093

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
35e6ceca074036090dad40c1bdc3f1ff

SHA1
df76a28b9bb4c4cfb1f013aa79b6fb9619f0c055

SHA256
e2403e39e69e2d46f5c954a2fdabc306c3a4e106bfa67e44a28ed16be7d80395

SHA512
71164913b2f0b9c9de70eba47932c77c49d0ad5802d04343e98360716c64f796b171c7e555d8891ae5d10c8411e728eb2fa35b5fd057e13bf9e160a7268518ff

Download Submit
\Users\Admin\AppData\Local\Temp\rocov.exe

Filesize
433KB

MD5
4e91e7d2bc9d0c7a04805e5491c8c5e1

SHA1
531837adc94ff45e9d17514d5c3ddfc8cacd6705

SHA256
647c55279ced96e881f4708e6ee6b0c60cdb8fa7df581cd67ec252dfeb5120ec

SHA512
796b4873121bb53effb52d755e9bf7fb8d2f0f29ed1beac2403056342fd2372eb09de3387bc7ce31ee538c4423dea8a37f3c61da09a3b913e0f2d4b208ca7567

Download Submit
memory/2276-0-0x0000000000BA0000-0x0000000000C0E000-memory.dmp

Filesize
440KB

Download
memory/2276-9-0x0000000000B20000-0x0000000000B8E000-memory.dmp

Filesize
440KB

Download
memory/2276-18-0x0000000000BA0000-0x0000000000C0E000-memory.dmp

Filesize
440KB

Download
memory/2828-11-0x00000000002D0000-0x000000000033E000-memory.dmp

Filesize
440KB

Download
memory/2828-27-0x00000000002D0000-0x000000000033E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads