urelas | 3bd79093695ed9b423140464a9425194967adc2461ee9e7ae0d8e54eafbb36d5

General

Target

9ffab46b35109fa933a6cfa9bf29f2d0N.exe
Size

442KB
MD5

9ffab46b35109fa933a6cfa9bf29f2d0
SHA1

db0dff43c5a01aed1b41a52d0c4d120f95c2997a
SHA256

3bd79093695ed9b423140464a9425194967adc2461ee9e7ae0d8e54eafbb36d5
SHA512

293fa82c84a11cca4738e3460caf5576352ff4eef8595f129fc7b5120ac4b22a01d97f4c7aa8266a93318fcd1f2111ab202379279fab1e267c5621fa7b09db74
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGM1G:rKf1PyKa2H3hOHOHz9JQ6zByG

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2772	regiw.exe
3016	cytac.exe

Loads dropped DLL 2 IoCs

pid	Process
2196	9ffab46b35109fa933a6cfa9bf29f2d0N.exe
2772	regiw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regiw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cytac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ffab46b35109fa933a6cfa9bf29f2d0N.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe
3016	cytac.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2772	2196	9ffab46b35109fa933a6cfa9bf29f2d0N.exe	30
PID 2196 wrote to memory of 2772	2196	9ffab46b35109fa933a6cfa9bf29f2d0N.exe	30
PID 2196 wrote to memory of 2772	2196	9ffab46b35109fa933a6cfa9bf29f2d0N.exe	30
PID 2196 wrote to memory of 2772	2196	9ffab46b35109fa933a6cfa9bf29f2d0N.exe	30
PID 2196 wrote to memory of 2540	2196	9ffab46b35109fa933a6cfa9bf29f2d0N.exe	31
PID 2196 wrote to memory of 2540	2196	9ffab46b35109fa933a6cfa9bf29f2d0N.exe	31
PID 2196 wrote to memory of 2540	2196	9ffab46b35109fa933a6cfa9bf29f2d0N.exe	31
PID 2196 wrote to memory of 2540	2196	9ffab46b35109fa933a6cfa9bf29f2d0N.exe	31
PID 2772 wrote to memory of 3016	2772	regiw.exe	33
PID 2772 wrote to memory of 3016	2772	regiw.exe	33
PID 2772 wrote to memory of 3016	2772	regiw.exe	33
PID 2772 wrote to memory of 3016	2772	regiw.exe	33

C:\Users\Admin\AppData\Local\Temp\9ffab46b35109fa933a6cfa9bf29f2d0N.exe
"C:\Users\Admin\AppData\Local\Temp\9ffab46b35109fa933a6cfa9bf29f2d0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\regiw.exe
  "C:\Users\Admin\AppData\Local\Temp\regiw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\cytac.exe
    "C:\Users\Admin\AppData\Local\Temp\cytac.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
278B

MD5
318893326a4fa22cd5d08e00af699f27

SHA1
9cb06c85a3b49a6e777271784ce9c5e37c903320

SHA256
b424291265c436ef95fa4a973b4e987ab42417712c64ee09fc74d4f7d35d0e17

SHA512
5dcb0a24e40b05a277cfc94f5c28202bee6819a7d5dfc9ed777c55ee70a777e46ebe113eed8d6ce50a518ff152d5f554cd5c54ef7a864a5908898919c76c4183

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
96a99f894bea64e49ef42d0367add80e

SHA1
7190f5d88281d6eed07252fc54f661411d0c44b2

SHA256
33c0a3063d277f70e88939e6a08e0d0eefb19ea882d4ed498fe58f7a4141689a

SHA512
a5cd692b69ca56ea15f2ef75e3cb1c7df909cf6fb298121726d8781b4a7c30259ca67ac498b9c0424ac6ce0c1762d24d171507898073168c6b087c16353ca7f0

Download Submit
\Users\Admin\AppData\Local\Temp\cytac.exe

Filesize
230KB

MD5
3cf7159c117dc8f42938253c5425c9bc

SHA1
e701f3b667c995992b2527acc3b9544e91861307

SHA256
826be1922bce52892446f16279b50d5cefcda316c24648ae3cb0e2b596f5ed99

SHA512
a67c7af1b9d9a348661c0090fe0d272f9949e1be6730b2255b36fd343b0e234c87cd63f78203619346fca178c777af645894ef094e88723424280bc63ed431c9

Download Submit
\Users\Admin\AppData\Local\Temp\regiw.exe

Filesize
442KB

MD5
42ade1d10051ee74b92ffb68eece2517

SHA1
ffcefdc6b959c3409171bc147d983e7cfeabb94e

SHA256
3c24d660994af03ee771aab5b7e0772e8fa4b25b74fc22000cc5aa154fa0d961

SHA512
1334d9433c1913654095d6165fad99315648713ff61abb5b1df9e8296221f34635736057e25a4912dc8d258d5e1db1053fa9a597e09ef935c3eaa8d50df8fd55

Download Submit
memory/2196-0-0x0000000000E90000-0x0000000000EFE000-memory.dmp

Filesize
440KB

Download
memory/2196-8-0x0000000002300000-0x000000000236E000-memory.dmp

Filesize
440KB

Download
memory/2196-18-0x0000000000E90000-0x0000000000EFE000-memory.dmp

Filesize
440KB

Download
memory/2772-28-0x00000000002C0000-0x000000000032E000-memory.dmp

Filesize
440KB

Download
memory/2772-21-0x00000000002C0000-0x000000000032E000-memory.dmp

Filesize
440KB

Download
memory/2772-29-0x0000000002040000-0x00000000020DE000-memory.dmp

Filesize
632KB

Download
memory/2772-10-0x00000000002C0000-0x000000000032E000-memory.dmp

Filesize
440KB

Download
memory/3016-31-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3016-30-0x00000000010D0000-0x000000000116E000-memory.dmp

Filesize
632KB

Download
memory/3016-34-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3016-33-0x00000000010D0000-0x000000000116E000-memory.dmp

Filesize
632KB

Download
memory/3016-35-0x00000000010D0000-0x000000000116E000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing