urelas | a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0

General

Target

a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe
Size

502KB
MD5

9b0762cfc36bfab032fdf7ebe971e480
SHA1

a39b8e59f5059c6c04b7b2b9cc1927661fc0a121
SHA256

a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0
SHA512

bbc16743f617315be934094b2d1854a11e92f55f7294c7d361d5f41fdfdadf015c64f60e5df73fc81a90e9ec5d0e3294532290f0633317a853c57d43ebb6edc0
SSDEEP

12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKoC:3MUv2LAv9AQ1p4dKP

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2588	obcoz.exe
2052	mytyr.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe
2588	obcoz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mytyr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obcoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe
2052	mytyr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2588	2656	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe	28
PID 2656 wrote to memory of 2588	2656	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe	28
PID 2656 wrote to memory of 2588	2656	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe	28
PID 2656 wrote to memory of 2588	2656	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe	28
PID 2656 wrote to memory of 2612	2656	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe	29
PID 2656 wrote to memory of 2612	2656	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe	29
PID 2656 wrote to memory of 2612	2656	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe	29
PID 2656 wrote to memory of 2612	2656	a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe	29
PID 2588 wrote to memory of 2052	2588	obcoz.exe	33
PID 2588 wrote to memory of 2052	2588	obcoz.exe	33
PID 2588 wrote to memory of 2052	2588	obcoz.exe	33
PID 2588 wrote to memory of 2052	2588	obcoz.exe	33

C:\Users\Admin\AppData\Local\Temp\a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe
"C:\Users\Admin\AppData\Local\Temp\a17d401723033917b3e72d60d37b98492e6190dfe1d8783592b190f0785e09b0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\obcoz.exe
  "C:\Users\Admin\AppData\Local\Temp\obcoz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\mytyr.exe
    "C:\Users\Admin\AppData\Local\Temp\mytyr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
2d9cefcc6021fab615327aead9ab32a5

SHA1
4d5a1074d47da995d42065a49c66cc7d238e5a59

SHA256
e3ff6398f0f769e9bb58672c6a5e0157344157be802ec7d240672e40b74f5af1

SHA512
0eaf38f58ce0ea0d0ec29c7089fa3de87a8f203df0fd32ab376192deac226cd704d6d570b9f31c95a28720594c0148133f8ca75fd197dc4845c5c2f74867a7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d544cf77271def01e830d214b0beb5c9

SHA1
f23a46d9dfe9c22d3336c92b759ed03e1df0fb28

SHA256
ea927b2f4eda60f1686b54fdb8b30f2351463db46df24e479dd313b906fdf91a

SHA512
d7d863493f310d0611f26ee6380cd610e20ad06bb7ff3966638f140c34f0172960175bcfec0969c58339aef39f8be76b495b1d9562ff06e7a86e751ba4df0118

Download Submit
\Users\Admin\AppData\Local\Temp\mytyr.exe

Filesize
172KB

MD5
5ae0c2ff4999baad78c0992b3d7274ca

SHA1
7929f6460e1fad2dd2a3af288335ddb78e203d17

SHA256
2fdcc153c13741faa90860711f702bc3fd68205ddc77f5d88b3ec23cec0e0834

SHA512
6a611ad1cfa66c07cc0f360685d9c583cd11f246fc52a389a240dff4e6c85a124d2bb228263fccb9cdf175336dadb2e39d80144d7ecf52f3865be09418e629e6

Download Submit
\Users\Admin\AppData\Local\Temp\obcoz.exe

Filesize
502KB

MD5
762f965d9723cc7e31e82ab66f69e7b1

SHA1
8ab5a34f70e12356800d62ccfd061943d389b7a8

SHA256
0799dbfa87ab8876943ae133ca0f65b57628292c14044939752f47acc74cc9a4

SHA512
1aa775ff94fd0f03874d7d079171c8fa7314d75d6267bb45d683601a7fb062b5995813ab9ba9bb5a65620b8c54260ddf6749fa0252a1e0e53d6d883a224a08f2

Download Submit
memory/2052-31-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2052-30-0x0000000000C70000-0x0000000000D09000-memory.dmp

Filesize
612KB

Download
memory/2052-32-0x0000000000C70000-0x0000000000D09000-memory.dmp

Filesize
612KB

Download
memory/2052-37-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2052-36-0x0000000000C70000-0x0000000000D09000-memory.dmp

Filesize
612KB

Download
memory/2052-38-0x0000000000C70000-0x0000000000D09000-memory.dmp

Filesize
612KB

Download
memory/2588-21-0x0000000001290000-0x0000000001311000-memory.dmp

Filesize
516KB

Download
memory/2588-17-0x0000000001290000-0x0000000001311000-memory.dmp

Filesize
516KB

Download
memory/2588-28-0x0000000001290000-0x0000000001311000-memory.dmp

Filesize
516KB

Download
memory/2588-27-0x0000000003250000-0x00000000032E9000-memory.dmp

Filesize
612KB

Download
memory/2656-18-0x00000000012A0000-0x0000000001321000-memory.dmp

Filesize
516KB

Download
memory/2656-8-0x0000000001180000-0x0000000001201000-memory.dmp

Filesize
516KB

Download
memory/2656-0-0x00000000012A0000-0x0000000001321000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing