urelas | a2d3dbacab153c0f62f86289c949a2bdf0c9c68256e7ce76ab3ada81f40b3faf

General

Target

d0a44111a6966215015cfb913dd716e0N.exe
Size

324KB
MD5

d0a44111a6966215015cfb913dd716e0
SHA1

802fc8b3478b1cd593362d00f192c2a97bc1a45e
SHA256

a2d3dbacab153c0f62f86289c949a2bdf0c9c68256e7ce76ab3ada81f40b3faf
SHA512

2316de216714afc0c0f9aaa55eae00b0d4ccc7a14f04739e5db27736dd0da572b8dbafa1d5c9dacef7958a62b68639ab96e95db964bfca1c7b83280b6e37aee9
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYR:vHW138/iXWlK885rKlGSekcj66cic

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3048 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

zameb.exefawyi.exe

pid process

744 zameb.exe
2924 fawyi.exe
Loads dropped DLL 2 IoCs

Processes:

d0a44111a6966215015cfb913dd716e0N.exezameb.exe

pid process

1788 d0a44111a6966215015cfb913dd716e0N.exe
744 zameb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3048	cmd.exe

pid	process
744	zameb.exe
2924	fawyi.exe

pid	process
1788	d0a44111a6966215015cfb913dd716e0N.exe
744	zameb.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d0a44111a6966215015cfb913dd716e0N.exezameb.execmd.exefawyi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0a44111a6966215015cfb913dd716e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zameb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fawyi.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

fawyi.exe

pid	process
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe
2924	fawyi.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d0a44111a6966215015cfb913dd716e0N.exezameb.exe

description	pid	process	target process
PID 1788 wrote to memory of 744	1788	d0a44111a6966215015cfb913dd716e0N.exe	zameb.exe
PID 1788 wrote to memory of 744	1788	d0a44111a6966215015cfb913dd716e0N.exe	zameb.exe
PID 1788 wrote to memory of 744	1788	d0a44111a6966215015cfb913dd716e0N.exe	zameb.exe
PID 1788 wrote to memory of 744	1788	d0a44111a6966215015cfb913dd716e0N.exe	zameb.exe
PID 1788 wrote to memory of 3048	1788	d0a44111a6966215015cfb913dd716e0N.exe	cmd.exe
PID 1788 wrote to memory of 3048	1788	d0a44111a6966215015cfb913dd716e0N.exe	cmd.exe
PID 1788 wrote to memory of 3048	1788	d0a44111a6966215015cfb913dd716e0N.exe	cmd.exe
PID 1788 wrote to memory of 3048	1788	d0a44111a6966215015cfb913dd716e0N.exe	cmd.exe
PID 744 wrote to memory of 2924	744	zameb.exe	fawyi.exe
PID 744 wrote to memory of 2924	744	zameb.exe	fawyi.exe
PID 744 wrote to memory of 2924	744	zameb.exe	fawyi.exe
PID 744 wrote to memory of 2924	744	zameb.exe	fawyi.exe

C:\Users\Admin\AppData\Local\Temp\d0a44111a6966215015cfb913dd716e0N.exe
"C:\Users\Admin\AppData\Local\Temp\d0a44111a6966215015cfb913dd716e0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\zameb.exe
  "C:\Users\Admin\AppData\Local\Temp\zameb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Users\Admin\AppData\Local\Temp\fawyi.exe
    "C:\Users\Admin\AppData\Local\Temp\fawyi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
278B

MD5
eca4c93ecea564202a6c3cab11575c12

SHA1
430419ef7682d30383e62df6cf25047795a4e739

SHA256
ac51a2498af6de0d7d50f62ab502e45504f791c39cf0d8ea08c20de26a84eefd

SHA512
9cc164d843da21b3644b1f9432bb04c1a08e6221710c7927c64d9aac20df9dd8027ed05c2824bb88448a444517167d410c6ea6e79b42c9e8c4ec558d6467163a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8b31812100f2ccdcede050129b807e39

SHA1
acd58755f53d86c948574aa2eb0e7f6414813669

SHA256
c753a5c1f4ad895a72242f01a7a0beecda8e18823d48041bc7fda848d682c5ec

SHA512
d2ffc7780e86e6686af8ec1e75944ccf387140e16dcef29ff82ce25a20c0e280337d2c7dc9792a5a5ee308552d5637e46b1a51b7fa9b5e05ce8bf9100fa02c83

Download Submit
\Users\Admin\AppData\Local\Temp\fawyi.exe

Filesize
172KB

MD5
79e00560453d4770d3fb03fce390f622

SHA1
c66c3706eddc6a9f709deb2b6cc826bc7dadf7d9

SHA256
7038b15dde28be5073ed97fb6bb5f730e44811114382125f2355752c79d9adbb

SHA512
547f6ec6faff02379707f7417ae0a5bfe8feb5db5d4205b9277fb52cba6c116f2558602fca046a7956c9764e5316505c79fbfd37b8ddfad34916e3af4304a48e

Download Submit
\Users\Admin\AppData\Local\Temp\zameb.exe

Filesize
324KB

MD5
04fffa7bfac31a628d40902873b2f661

SHA1
f70f0e2c59057457919b634204787393613ab205

SHA256
97f872b0a436eb78fe9be71b193b011f4b4d289bf4c49261d830adbc0525ccb5

SHA512
cb178bb2e0bb2078a0794beaae55a782bfe6f5fa7deb45330b5f9c1e047428d3e849397eddaec3a3d3e794da1743861f17279d927495e92bb512477db3a923c5

Download Submit
memory/744-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/744-11-0x0000000000E10000-0x0000000000E91000-memory.dmp

Filesize
516KB

Download
memory/744-24-0x0000000000E10000-0x0000000000E91000-memory.dmp

Filesize
516KB

Download
memory/744-40-0x0000000000E10000-0x0000000000E91000-memory.dmp

Filesize
516KB

Download
memory/1788-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1788-21-0x0000000000EA0000-0x0000000000F21000-memory.dmp

Filesize
516KB

Download
memory/1788-9-0x0000000000A70000-0x0000000000AF1000-memory.dmp

Filesize
516KB

Download
memory/1788-0-0x0000000000EA0000-0x0000000000F21000-memory.dmp

Filesize
516KB

Download
memory/2924-44-0x00000000003A0000-0x0000000000439000-memory.dmp

Filesize
612KB

Download
memory/2924-41-0x00000000003A0000-0x0000000000439000-memory.dmp

Filesize
612KB

Download
memory/2924-46-0x00000000003A0000-0x0000000000439000-memory.dmp

Filesize
612KB

Download
memory/2924-47-0x00000000003A0000-0x0000000000439000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads