urelas | 18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6e

General

Target

18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exe
Size

330KB
MD5

93c05be67338e51fb8a6f6738d2eaa30
SHA1

644c1f54f0afc898d573a9c695315d41521ca2f7
SHA256

18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6e
SHA512

6613d309fe595913fc1fb9bdd98f8faff4eaaaacb9384247cb4d70ec3e198f56f2fe1c360732143ea96d846e345c7c5f7e95186e9da3251a938e7cc06c040253
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYy:vHW138/iXWlK885rKlGSekcj66civ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2296	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

govid.exezuwyr.exe

pid	Process
2360	govid.exe
1948	zuwyr.exe

Loads dropped DLL 2 IoCs

Processes:

18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exegovid.exe

pid	Process
3008	18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exe
2360	govid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exegovid.execmd.exezuwyr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	govid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuwyr.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

zuwyr.exe

pid	Process
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe
1948	zuwyr.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exegovid.exe

description	pid	Process	procid_target
PID 3008 wrote to memory of 2360	3008	18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exe	30
PID 3008 wrote to memory of 2360	3008	18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exe	30
PID 3008 wrote to memory of 2360	3008	18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exe	30
PID 3008 wrote to memory of 2360	3008	18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exe	30
PID 3008 wrote to memory of 2296	3008	18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exe	31
PID 3008 wrote to memory of 2296	3008	18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exe	31
PID 3008 wrote to memory of 2296	3008	18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exe	31
PID 3008 wrote to memory of 2296	3008	18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exe	31
PID 2360 wrote to memory of 1948	2360	govid.exe	34
PID 2360 wrote to memory of 1948	2360	govid.exe	34
PID 2360 wrote to memory of 1948	2360	govid.exe	34
PID 2360 wrote to memory of 1948	2360	govid.exe	34

C:\Users\Admin\AppData\Local\Temp\18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exe
"C:\Users\Admin\AppData\Local\Temp\18f265def262ac26d5b2ebd715d130ad7acd53a447d53ed06f4d17361c70ba6eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\govid.exe
  "C:\Users\Admin\AppData\Local\Temp\govid.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\zuwyr.exe
    "C:\Users\Admin\AppData\Local\Temp\zuwyr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
afdb0746d79f58f55f31ffbfccc768d9

SHA1
e70b0575cc9120c220d35ffa56d2a63d6f9c9bea

SHA256
f46504801dbea9e2cb51cb3a21c80c0df2fe316d90fd66a56113019a10f8dd13

SHA512
399d5a3e4654364ade9971a599d902badbbf85f9cf356743bd39616707051db55045bc6762a1234ca209fce70e217cf125e54d5b37f4646457c6b0efe84d7ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e18c2315429ca04baf626a141b359f39

SHA1
9feda971672ef02f85945219acb7dd31f97dfbc8

SHA256
f336ab9b2e6b719803042750e10a9024a7dd51e8089e476ed10dd31abe614a85

SHA512
f5d277b81bd937d9452db30fd4d2994ae557a2632be504f91ca6295df223a4b727e3456d0335ad7a2b30e1143dff38d3eaf74b60c1446de5b678180812cd94e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuwyr.exe

Filesize
172KB

MD5
cfabe9a04a65911a44dbc7da2f13abeb

SHA1
471ac533601f67b984b39744dd74a0a1d342f4c7

SHA256
ad4c500ffb1a62f3dbdc1e388cfc8373fc4a4b1668e1450ccd8bac405de095de

SHA512
6811f35bc3d89d4fa862c7ce084308ab80fb76abfa64b6ce2f88aae4fb74819bd5bf79b06447b24186c4623399b020ccec396fc875f85ba56c5b5a37d2089e4d

Download Submit
\Users\Admin\AppData\Local\Temp\govid.exe

Filesize
330KB

MD5
7aaed2c3a6d19ded826e35d0df6a1e32

SHA1
2c2e038fb91433c0c89548e879f9e7cbe187ee35

SHA256
5e4e59e66efc10294eb3f02a05de4b8d3cbfdb890baed12c6eccd9e8773e6cfd

SHA512
dca8a980bb47077ef98f9e136e04d571109cdc63472b1054d328999a38a7f0795a590574cdf20422e7c64e4be59c68f813872c270ec968f501a8702c9699ba1f

Download Submit
memory/1948-42-0x0000000001230000-0x00000000012C9000-memory.dmp

Filesize
612KB

Download
memory/1948-41-0x0000000001230000-0x00000000012C9000-memory.dmp

Filesize
612KB

Download
memory/1948-46-0x0000000001230000-0x00000000012C9000-memory.dmp

Filesize
612KB

Download
memory/1948-47-0x0000000001230000-0x00000000012C9000-memory.dmp

Filesize
612KB

Download
memory/2360-17-0x0000000000F30000-0x0000000000FB1000-memory.dmp

Filesize
516KB

Download
memory/2360-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2360-24-0x0000000000F30000-0x0000000000FB1000-memory.dmp

Filesize
516KB

Download
memory/2360-39-0x0000000000F30000-0x0000000000FB1000-memory.dmp

Filesize
516KB

Download
memory/3008-21-0x00000000010A0000-0x0000000001121000-memory.dmp

Filesize
516KB

Download
memory/3008-6-0x0000000002C00000-0x0000000002C81000-memory.dmp

Filesize
516KB

Download
memory/3008-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3008-0-0x00000000010A0000-0x0000000001121000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads