urelas | 5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7

General

Target

5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
Size

329KB
MD5

373823c3f20c185c50bc7abd35345bd0
SHA1

b9bf4195521f9cd012af3773bf5cdb9ac98fac75
SHA256

5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7
SHA512

746b6e9266a4f7b8c2ff08ccb71a9a3ec65de365a91c07d49b6f14db1ac40acd8886624d42239bb21b077939d51442c4c7a374a64cced51db6c9cb268c7480c8
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVP:vHW138/iXWlK885rKlGSekcj66ciEP

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
3032	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2396	rorea.exe
2940	secyd.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
2396	rorea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	secyd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rorea.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe
2940	secyd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2396	1992	5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe	30
PID 1992 wrote to memory of 2396	1992	5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe	30
PID 1992 wrote to memory of 2396	1992	5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe	30
PID 1992 wrote to memory of 2396	1992	5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe	30
PID 1992 wrote to memory of 3032	1992	5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe	31
PID 1992 wrote to memory of 3032	1992	5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe	31
PID 1992 wrote to memory of 3032	1992	5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe	31
PID 1992 wrote to memory of 3032	1992	5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe	31
PID 2396 wrote to memory of 2940	2396	rorea.exe	34
PID 2396 wrote to memory of 2940	2396	rorea.exe	34
PID 2396 wrote to memory of 2940	2396	rorea.exe	34
PID 2396 wrote to memory of 2940	2396	rorea.exe	34

C:\Users\Admin\AppData\Local\Temp\5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
"C:\Users\Admin\AppData\Local\Temp\5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\rorea.exe
  "C:\Users\Admin\AppData\Local\Temp\rorea.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\secyd.exe
    "C:\Users\Admin\AppData\Local\Temp\secyd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
16345585560837b3f96911125dc68a5a

SHA1
c4168f87ff5f1acd63b1feace8736cd358a838c0

SHA256
8b2a808965b4f50f7a138e9cf41c4ae5fbeb7d2a704c312bc2fec6ffa8fafbe7

SHA512
67fb0fd89fd02afd31137ebe98642b3bd5d04ede03427b3f374f2b7bd63c580c4b2dc78eebaccbd3ff3eac934be9d19b5cb00b4cd526a82ee97b884215c12118

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e56a75927aa4fd27807f9a72605cd9ef

SHA1
84243d79f484f8d6318e7ab8a2949b72ee2e8782

SHA256
6ddc9244c8566cb9153b73a12a30d7e7963b0eada3c8a20926b6d7ec5302231d

SHA512
99190cfe9e4cb888b5bfdb42dd8a2ad53ed22d1d4baba2e01a14ee76393e5c3cccd7bceac51954294611597a56a2926e1ab208ff996e1a76024c5d8ba50d1bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\secyd.exe

Filesize
172KB

MD5
02b7ebc56c07fc1cb5bf57235894f90a

SHA1
cdcc5bd631a500158a7350134295c06bec1c8761

SHA256
4fbe767c383f12bd941cfa9caf4dfa57bd18c3a2d6a2f63413ba3e345b034f2e

SHA512
f64b0a18af90e2bc70c51d5c162d9f527d559e277dd0a3841bdd6289ba5392c00f27de6b869e121dbf94f7fa141849a2d232975e6e5ea96a530fc6d8b54483c8

Download Submit
\Users\Admin\AppData\Local\Temp\rorea.exe

Filesize
329KB

MD5
c1fa4213f483cc81e820044d584a36dd

SHA1
f74a13f22554356276e28a4030ccb14255880652

SHA256
219a4022916c5dbb5403f4b2e8e226fe2b0c5ca25653aad45ef94b65adec2413

SHA512
cb603964ec8799f4161befab745b50abd6ef314d3e0b67c601f753c877bf78e1884b434be41bcb0be1888d1073b416a76bdd52096398ee73770cc96488e713b9

Download Submit
memory/1992-0-0x0000000000CB0000-0x0000000000D31000-memory.dmp

Filesize
516KB

Download
memory/1992-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1992-9-0x0000000002140000-0x00000000021C1000-memory.dmp

Filesize
516KB

Download
memory/1992-20-0x0000000000CB0000-0x0000000000D31000-memory.dmp

Filesize
516KB

Download
memory/2396-18-0x0000000000300000-0x0000000000381000-memory.dmp

Filesize
516KB

Download
memory/2396-23-0x0000000000300000-0x0000000000381000-memory.dmp

Filesize
516KB

Download
memory/2396-41-0x0000000000300000-0x0000000000381000-memory.dmp

Filesize
516KB

Download
memory/2396-38-0x0000000003580000-0x0000000003619000-memory.dmp

Filesize
612KB

Download
memory/2396-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2940-39-0x00000000003D0000-0x0000000000469000-memory.dmp

Filesize
612KB

Download
memory/2940-42-0x00000000003D0000-0x0000000000469000-memory.dmp

Filesize
612KB

Download
memory/2940-46-0x00000000003D0000-0x0000000000469000-memory.dmp

Filesize
612KB

Download
memory/2940-47-0x00000000003D0000-0x0000000000469000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing