urelas | 1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754

General

Target

1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe
Size

331KB
MD5

cf5c08b25c21683a077d908a07246850
SHA1

1c6120dd70615b1d09a7711e4c825f4a62cf37e8
SHA256

1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754
SHA512

39302ceef2b6904e5abd456722658ad6844de5f6e799d1e0936ceb9252878a3ac22ad3b77d1c2ce4ab572c2d3bc64c27af7cf08356aececded13956a6c33c7e3
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYx:vHW138/iXWlK885rKlGSekcj66ciU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2448	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2196	ozvev.exe
2916	dyybb.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe
2196	ozvev.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozvev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dyybb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe
2916	dyybb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2196	1960	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe	31
PID 1960 wrote to memory of 2196	1960	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe	31
PID 1960 wrote to memory of 2196	1960	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe	31
PID 1960 wrote to memory of 2196	1960	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe	31
PID 1960 wrote to memory of 2448	1960	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe	32
PID 1960 wrote to memory of 2448	1960	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe	32
PID 1960 wrote to memory of 2448	1960	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe	32
PID 1960 wrote to memory of 2448	1960	1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe	32
PID 2196 wrote to memory of 2916	2196	ozvev.exe	35
PID 2196 wrote to memory of 2916	2196	ozvev.exe	35
PID 2196 wrote to memory of 2916	2196	ozvev.exe	35
PID 2196 wrote to memory of 2916	2196	ozvev.exe	35

C:\Users\Admin\AppData\Local\Temp\1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe
"C:\Users\Admin\AppData\Local\Temp\1e0254ad94a994d0f23bbd58b177f38538fc133ac7b006c3100aa78d19652754N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\ozvev.exe
  "C:\Users\Admin\AppData\Local\Temp\ozvev.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\dyybb.exe
    "C:\Users\Admin\AppData\Local\Temp\dyybb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
e118461ab2ea0954890f9b1c12e2699a

SHA1
cc9a9d8f8e4484e2d7e3ee2b9cb6ca5960e38ca6

SHA256
08958cc88cc58b42d9fb0e8b477b1c781b0e656da45ba973ee2547ec79a776e5

SHA512
f71fff2915bcedeaf5afa05eb8204e1386280e1b082a5016c947a91bda0d92bac56d4f312b383644c99722b7f2b2f07447bd04d9b0670591ef3608103e6955a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5b1760e678c3d96517980dc0aabd353a

SHA1
864c98ddf62c422b1745bb7c38c02575f29fb135

SHA256
31cba2deea7015a4d1caaa8505e696be25794a05da2163d757b015a1aef59e9e

SHA512
df74ad31c5d869c1662fc4e3c902cfb8bc68e05bd2cdd225b53076d2d06294608870ffd51a4d82fd4c8072487abeac0b7fbca1f8cdaf9d5ab0cc299ac385504b

Download Submit
\Users\Admin\AppData\Local\Temp\dyybb.exe

Filesize
172KB

MD5
e78ee0813de4a361d595ef7c3c90bb00

SHA1
ddf5fea977b435f825d5155b52c74d81763f2c57

SHA256
1cfa44c805eb00941503bf217aa1b26925fe341ee9e55dc4ea31b4770a8ba16b

SHA512
bae846c558d33c67ce99b53f9ec833f1a18ee6f8e6246ceb1f6a14c7fc33ca0507577d0905ed27b2749c5f563bcefad8d76d629fadadda06c9c644504c24abdd

Download Submit
\Users\Admin\AppData\Local\Temp\ozvev.exe

Filesize
331KB

MD5
e2523c7f38dbd3dd24e236c7fdd69560

SHA1
a752371f463add3b71b23dd0924c69fb96410658

SHA256
c518a17d932663fd9f7541cb460450093824849793fa267f9a5e0fe7eea628cb

SHA512
7c46e09d1f11a0ed36ce72b3f56ccd6cab4f05810511f8735e9350d507a9e9898a583a9aad000d50bebca28ab5cbc1248668cf612f1422566f8a3bb6cc18e97c

Download Submit
memory/1960-10-0x0000000002940000-0x00000000029C1000-memory.dmp

Filesize
516KB

Download
memory/1960-0-0x0000000000AD0000-0x0000000000B51000-memory.dmp

Filesize
516KB

Download
memory/1960-20-0x0000000000AD0000-0x0000000000B51000-memory.dmp

Filesize
516KB

Download
memory/1960-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2196-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2196-11-0x0000000000B40000-0x0000000000BC1000-memory.dmp

Filesize
516KB

Download
memory/2196-24-0x0000000000B40000-0x0000000000BC1000-memory.dmp

Filesize
516KB

Download
memory/2196-37-0x0000000002CC0000-0x0000000002D59000-memory.dmp

Filesize
612KB

Download
memory/2196-41-0x0000000000B40000-0x0000000000BC1000-memory.dmp

Filesize
516KB

Download
memory/2916-45-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/2916-42-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/2916-47-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/2916-48-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing