urelas | a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8

General

Target

a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe
Size

331KB
MD5

0b13ddcce57bf9df654cb55a64316040
SHA1

84e0c65017a393700e2fb8a987b556ea2bcccaaa
SHA256

a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8
SHA512

7f72e5cf8ec2c0ef3babbf4b666c426843f76196d98efe6b09412e7378c089c8fd5fbaa71573004bad018a255d62918fd38f184ac77f5198a8a3e43a2f8782e9
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYm:vHW138/iXWlK885rKlGSekcj66ciL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2100	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2420	jejyi.exe
904	revyw.exe

Loads dropped DLL 2 IoCs

pid	Process
2580	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe
2420	jejyi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	revyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jejyi.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe
904	revyw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2420	2580	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe	30
PID 2580 wrote to memory of 2420	2580	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe	30
PID 2580 wrote to memory of 2420	2580	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe	30
PID 2580 wrote to memory of 2420	2580	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe	30
PID 2580 wrote to memory of 2100	2580	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe	31
PID 2580 wrote to memory of 2100	2580	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe	31
PID 2580 wrote to memory of 2100	2580	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe	31
PID 2580 wrote to memory of 2100	2580	a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe	31
PID 2420 wrote to memory of 904	2420	jejyi.exe	34
PID 2420 wrote to memory of 904	2420	jejyi.exe	34
PID 2420 wrote to memory of 904	2420	jejyi.exe	34
PID 2420 wrote to memory of 904	2420	jejyi.exe	34

C:\Users\Admin\AppData\Local\Temp\a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe
"C:\Users\Admin\AppData\Local\Temp\a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\jejyi.exe
  "C:\Users\Admin\AppData\Local\Temp\jejyi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\revyw.exe
    "C:\Users\Admin\AppData\Local\Temp\revyw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
60e4d1fa0a5f55d23210decdc0f162a5

SHA1
a630e36890646fee7f3b15f5dacfd55c23c5f9d8

SHA256
e44239c7f1b3e778b0f68db156f50ce12ec49d2577f64e5074adb99cea3e2a92

SHA512
374c3ede5b309fbfbc54440d3b8b0d4d2099eaedab19aeb1789990d4584a01eb7d30adb955aedaa0ed52fe4e213884cc290a3dcf79fc234771994a1086179659

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
262ef18845f3a44e3d87383ada4c8cd8

SHA1
e49afe1a6457232d4e80ee1ef9b7c3cbd805902f

SHA256
71616c3d80f1011877210ddae563c1e3aab6f5a1cf74929718699deb0fa2fbb7

SHA512
7ce769f1355d6e3171c134be5e8e46724b4791800d58de06f795687ddacea6eb4603bdfea8426104c9d104b63124b9c66ba174fc6efc1a7db8e43034f8f00de1

Download Submit
\Users\Admin\AppData\Local\Temp\jejyi.exe

Filesize
331KB

MD5
8243083c869e1744651f79e8c6aa4f3d

SHA1
80a0334044c9c8ccdb928a39e9ba62ac80f02081

SHA256
2deb5a19bbbfc47e3bc7044a33fd0dfe59002b788c0ab3f56377155a62181392

SHA512
205798052ec2fabac9b22006ea3083a660508a58e26f2955269de5e21c0edc3017c6952893f13a6a1805e7a52125327776dc5ad707a83563b5f0d85f97ba509a

Download Submit
\Users\Admin\AppData\Local\Temp\revyw.exe

Filesize
172KB

MD5
c808bfdb1ef33dfeac96671c9b709376

SHA1
835ac6d64284024f96722bbacf8bc5c59ec2bf15

SHA256
2fd0e747bf278c5097804728da935b3885bdde8f33e3ba020aa172f516a5b410

SHA512
63cade58e0d4040ffeef82329fe36ce10461e1171ac47cc80952a5e1ead4124eef300b4c1985eb91efca7d392fc01e7143b395b75c143b041607c71b8c7a38ed

Download Submit
memory/904-48-0x0000000000DF0000-0x0000000000E89000-memory.dmp

Filesize
612KB

Download
memory/904-47-0x0000000000DF0000-0x0000000000E89000-memory.dmp

Filesize
612KB

Download
memory/904-43-0x0000000000DF0000-0x0000000000E89000-memory.dmp

Filesize
612KB

Download
memory/904-42-0x0000000000DF0000-0x0000000000E89000-memory.dmp

Filesize
612KB

Download
memory/2420-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2420-23-0x0000000000A80000-0x0000000000B01000-memory.dmp

Filesize
516KB

Download
memory/2420-41-0x0000000000A80000-0x0000000000B01000-memory.dmp

Filesize
516KB

Download
memory/2420-18-0x0000000000A80000-0x0000000000B01000-memory.dmp

Filesize
516KB

Download
memory/2420-39-0x0000000003290000-0x0000000003329000-memory.dmp

Filesize
612KB

Download
memory/2420-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2580-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2580-19-0x00000000009D0000-0x0000000000A51000-memory.dmp

Filesize
516KB

Download
memory/2580-0-0x00000000009D0000-0x0000000000A51000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing