urelas | df752425b0be845a19b3eac307858d9f24ab771d12f0144204d3c056de865c83

General

Target

10935db801066dba7e69e990ca73de00N.exe
Size

321KB
MD5

10935db801066dba7e69e990ca73de00
SHA1

6260160849c0240d60679b765048e0fc5db3c6f6
SHA256

df752425b0be845a19b3eac307858d9f24ab771d12f0144204d3c056de865c83
SHA512

0a81f43cffcb8de518f0996c8759245eba0b21708e820b81ad02d63ec49900e4b88dfd28dc8b5d17dbf519f5dfdd88be102a2156ff4e0c3fab9d730c799ff1ed
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY+:vHW138/iXWlK885rKlGSekcj66civ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2232	cunyz.exe
2876	igxao.exe

Loads dropped DLL 2 IoCs

pid	Process
2964	10935db801066dba7e69e990ca73de00N.exe
2232	cunyz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cunyz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igxao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10935db801066dba7e69e990ca73de00N.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe
2876	igxao.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2232	2964	10935db801066dba7e69e990ca73de00N.exe	30
PID 2964 wrote to memory of 2232	2964	10935db801066dba7e69e990ca73de00N.exe	30
PID 2964 wrote to memory of 2232	2964	10935db801066dba7e69e990ca73de00N.exe	30
PID 2964 wrote to memory of 2232	2964	10935db801066dba7e69e990ca73de00N.exe	30
PID 2964 wrote to memory of 2676	2964	10935db801066dba7e69e990ca73de00N.exe	31
PID 2964 wrote to memory of 2676	2964	10935db801066dba7e69e990ca73de00N.exe	31
PID 2964 wrote to memory of 2676	2964	10935db801066dba7e69e990ca73de00N.exe	31
PID 2964 wrote to memory of 2676	2964	10935db801066dba7e69e990ca73de00N.exe	31
PID 2232 wrote to memory of 2876	2232	cunyz.exe	33
PID 2232 wrote to memory of 2876	2232	cunyz.exe	33
PID 2232 wrote to memory of 2876	2232	cunyz.exe	33
PID 2232 wrote to memory of 2876	2232	cunyz.exe	33

C:\Users\Admin\AppData\Local\Temp\10935db801066dba7e69e990ca73de00N.exe
"C:\Users\Admin\AppData\Local\Temp\10935db801066dba7e69e990ca73de00N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\cunyz.exe
  "C:\Users\Admin\AppData\Local\Temp\cunyz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\igxao.exe
    "C:\Users\Admin\AppData\Local\Temp\igxao.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
278B

MD5
9fef865388fb63e38404cfa89fb647ef

SHA1
4dbd64fe89f33af0e9c657eb7a98e77ffe52682f

SHA256
b9695f762bc6f6b121eb6a269b59ab5d2ec7f1040d8545e109f2deda25ca7d52

SHA512
5527978577203bbe5ed5ad054cd27b51cc7a9885ce42d93d38851b45c6b6b616565580ec462b38658ac3396815d83eb2f02e7bf35d0d460a0dca5b65d72a6828

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6247fdc1c9a5ea8b95ac9ded7befeeb7

SHA1
d690e5cc6f1422db6047da8c0593629741916926

SHA256
e95777d2652f7d0b26276c50a2bd128b4bdd9b19373c377b16168803e76b60f2

SHA512
42d0da0e55029260d2428540528f577c8d29331f9a4d5a7f8649a0d5219fd8b4c15f53d2a3efee285ee4057b5ee3a043cb292cc78f881d9b95f026669502dc4e

Download Submit
\Users\Admin\AppData\Local\Temp\cunyz.exe

Filesize
321KB

MD5
b4867c95b8ce65e66897afa622667d3d

SHA1
641ea0bdf9af0fdb1e5997ae09ab585d8579593f

SHA256
7c0149261c6fc82453273553acc31ac0da24238e6d474806494484d2c8ac41a1

SHA512
8d09f6b9594d1e373ee63f7c838ae5bd30c8d3fc6c993dc821966ae689803f0dd4ea31b4796f2587e776b8fcde0f4c489f52dd6c02395c6b8c2fe4f01a96af3e

Download Submit
\Users\Admin\AppData\Local\Temp\igxao.exe

Filesize
172KB

MD5
269e8556738888275a33dc6b0e90c46a

SHA1
37aaa4105366aa2322d8f55217fb6cbf1f94bfeb

SHA256
b2d5cdb19cf5861a17e4a8ea08096319c36b26b01aa92c9b1e89b86bba8b31de

SHA512
f8ab86891820d1f0597a48daae7ed56716282fe6b276b3aed3ccba25fa8532829597c512987d8e19e0fac5372501a3f0ec8107880b31ef951df4a20e2c219685

Download Submit
memory/2232-24-0x0000000001100000-0x0000000001181000-memory.dmp

Filesize
516KB

Download
memory/2232-38-0x0000000003300000-0x0000000003399000-memory.dmp

Filesize
612KB

Download
memory/2232-42-0x0000000001100000-0x0000000001181000-memory.dmp

Filesize
516KB

Download
memory/2232-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2232-18-0x0000000001100000-0x0000000001181000-memory.dmp

Filesize
516KB

Download
memory/2232-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2876-44-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/2876-43-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/2876-48-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/2876-49-0x0000000000120000-0x00000000001B9000-memory.dmp

Filesize
612KB

Download
memory/2964-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2964-20-0x0000000000260000-0x00000000002E1000-memory.dmp

Filesize
516KB

Download
memory/2964-0-0x0000000000260000-0x00000000002E1000-memory.dmp

Filesize
516KB

Download
memory/2964-7-0x00000000025E0000-0x0000000002661000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing