urelas | e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bb

General

Target

e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe
Size

555KB
MD5

77cb473575e36fde924b9444f32c5270
SHA1

6e67a34d086a38ed35c6e8ce49d6c930f14df324
SHA256

e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bb
SHA512

ce99cc121968eb509739b8d3466915a6068b991750dc67a795f9986a79a13e655a6710bfca609eee9f8a1102480285cc5155c39660d854722f1fb31803586d0d
SSDEEP

12288:++GtVfjTQSaoINAHT1VQ1i3SyQEW85gzlm:+rt4/NArwjs5olm

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2132	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2524	uthom.exe
2672	meivs.exe

Loads dropped DLL 2 IoCs

pid	Process
3028	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe
2524	uthom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uthom.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2524	3028	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe	30
PID 3028 wrote to memory of 2524	3028	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe	30
PID 3028 wrote to memory of 2524	3028	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe	30
PID 3028 wrote to memory of 2524	3028	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe	30
PID 3028 wrote to memory of 2132	3028	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe	31
PID 3028 wrote to memory of 2132	3028	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe	31
PID 3028 wrote to memory of 2132	3028	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe	31
PID 3028 wrote to memory of 2132	3028	e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe	31
PID 2524 wrote to memory of 2672	2524	uthom.exe	34
PID 2524 wrote to memory of 2672	2524	uthom.exe	34
PID 2524 wrote to memory of 2672	2524	uthom.exe	34
PID 2524 wrote to memory of 2672	2524	uthom.exe	34

C:\Users\Admin\AppData\Local\Temp\e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe
"C:\Users\Admin\AppData\Local\Temp\e7b17b5ec48c22672364714a5c60964b6089c0f5dd133c9bb5b1794ae03ca0bbN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\uthom.exe
  "C:\Users\Admin\AppData\Local\Temp\uthom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\meivs.exe
    "C:\Users\Admin\AppData\Local\Temp\meivs.exe"
    3⤵
    - Executes dropped EXE
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
85546bcf395aa6965faaf63bb3e704c2

SHA1
aa7fd0fc10f45ecf0d00625b0879131ea0c8ee4e

SHA256
77197d3a46bbfae4eac82ac7c15f3c74e1b44b8dbe7566ebad55c463478212ee

SHA512
66d94c367709a5f1b7c967028f4ff8451bc0e3b87d981c1ae3a38f8e3832ea9639bec5f5116bcd15872ed0fd0aacf7b1ffbd6c2f5f4511ea68815850d62bad7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a096ba7c95dbe4159eb245a1a03b994a

SHA1
ae03ee64b0a9aa4e99b612621fc1f55abe3e35c9

SHA256
86a92f1e62da8bd52510c5609e5c78dbc06f9669e4b773d52a595fdafe574777

SHA512
78202cc37eb1261a784002399463a50512b423310f5ac355cc6606b6dd152d6716c3eb15f98ae75f7db3bd584f4448c99ca521723e30f4fccc38e7901655f11d

Download Submit
\Users\Admin\AppData\Local\Temp\meivs.exe

Filesize
231KB

MD5
737b7579e9c348f7f4d66aa038c73e86

SHA1
072fb376f74df1ab995f79482f13bd2cbb2e4b91

SHA256
172f506f09cd1470f263ab3c94df050ae8f37b87ea7684dcec0da82daf7423c6

SHA512
a9314779f3ca7b171910f3ba8d25301cf3e357adc079d022a328bdc668e52ff553fa1efdc74d679d7f0348f2a809a03aeca2222ecf52d79b888ebf61fbe2d9fa

Download Submit
\Users\Admin\AppData\Local\Temp\uthom.exe

Filesize
555KB

MD5
43e63fca7330bbc60b3d74f026f0ece7

SHA1
22a22b79efff35cea277e5e403983846dfaf2f07

SHA256
268a710ba352b726bdb274141c8a28a4c44f301052033f20a62df07e9446691e

SHA512
c55b8ff6aee8572714d29388e29c19414f88ac8db062e3435bf66ef9205f1180275353c3c4666c4efd5150570e90d8fd4e90d67383a3e81a51768d72dfea30fc

Download Submit
memory/2524-20-0x00000000002E0000-0x000000000036F000-memory.dmp

Filesize
572KB

Download
memory/2524-27-0x0000000003EA0000-0x0000000003F53000-memory.dmp

Filesize
716KB

Download
memory/2524-26-0x00000000002E0000-0x000000000036F000-memory.dmp

Filesize
572KB

Download
memory/2672-29-0x0000000000050000-0x0000000000103000-memory.dmp

Filesize
716KB

Download
memory/3028-0-0x0000000000BF0000-0x0000000000C7F000-memory.dmp

Filesize
572KB

Download
memory/3028-7-0x0000000000B30000-0x0000000000BBF000-memory.dmp

Filesize
572KB

Download
memory/3028-17-0x0000000000BF0000-0x0000000000C7F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing