urelas | bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342

General

Target

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
Size

332KB
MD5

a802406b8f20f3c1120794c61e6ea080
SHA1

1a6bebbfbe96c6a8dfb577f89032caa18413e6ed
SHA256

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342
SHA512

ff3617fa3ac161512fc3e13d75cc77542a5f0976a0d2583b336578e309c7c6fdb07f3c6f711410ad38e1fa8182dde94ca4490de70ec66937f114146c46631004
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVC:vHW138/iXWlK885rKlGSekcj66ciEC

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
284	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2916	kaxid.exe
2392	munes.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
2916	kaxid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kaxid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	munes.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe
2392	munes.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2916	2316	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	30
PID 2316 wrote to memory of 2916	2316	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	30
PID 2316 wrote to memory of 2916	2316	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	30
PID 2316 wrote to memory of 2916	2316	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	30
PID 2316 wrote to memory of 284	2316	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	31
PID 2316 wrote to memory of 284	2316	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	31
PID 2316 wrote to memory of 284	2316	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	31
PID 2316 wrote to memory of 284	2316	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	31
PID 2916 wrote to memory of 2392	2916	kaxid.exe	34
PID 2916 wrote to memory of 2392	2916	kaxid.exe	34
PID 2916 wrote to memory of 2392	2916	kaxid.exe	34
PID 2916 wrote to memory of 2392	2916	kaxid.exe	34

C:\Users\Admin\AppData\Local\Temp\bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
"C:\Users\Admin\AppData\Local\Temp\bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\kaxid.exe
  "C:\Users\Admin\AppData\Local\Temp\kaxid.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\munes.exe
    "C:\Users\Admin\AppData\Local\Temp\munes.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f97f8213a4f0d7fa17839b84e35f1359

SHA1
158608023d066718130cba51f540f9719d6e0d1c

SHA256
cb262acda89e1b82055d31a120fb3b36e8908cd6db0d135b1ca6193b0a0a68ed

SHA512
40d61ddd719878c163d3d19e3002dffa454401082bc502971e5c02c92d335a330d6c1f44f58907f4f0367b35cd20f4840c924497962c74e4df39544ac0fe578f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ba17bc23d698457b1863ba1472b01397

SHA1
8311666ff3cbf43dcd7fbfed0f9e14dbefd20888

SHA256
572ec8d03c92c196e418a9fc33953bbf6454459f114b24aae23aef15ece5d92a

SHA512
6e04aa3cf5d615a082e6369c9822d9d095017aa3fa25a755e20e829af4d1d1e8f6523042a13cdf3f5b88cd23063484743cc4ba3d99e7e1a39199ed8fb4654eb9

Download Submit
\Users\Admin\AppData\Local\Temp\kaxid.exe

Filesize
332KB

MD5
4621da8153cb70b20c715ef86e285c04

SHA1
11bcf9ec09a5352d9720e7771c106dadd183c329

SHA256
2376a576e9b5b714ce16d00957cc184bfef084a7f6f0b97f07b8d9a75e0a42a6

SHA512
b4c792db00e70dca0ee0e90e1f693d71af78b6b5ace7f028043056577f122b1bbe8f449121d03840d9067f482b89a3110a8532ec5683959bd64ee34771dce45c

Download Submit
\Users\Admin\AppData\Local\Temp\munes.exe

Filesize
172KB

MD5
842ecca1606583c5703f1d51e1dc0bbb

SHA1
c679eb57bcc72706d0dfe75eb632b640a9a1b0ba

SHA256
1be77dc49b7e303ef3d255954b3c7fbca6c65ade45b58aa3ba9c81e7700eb328

SHA512
2d50e05bd17a85c8e76a6607f9f55e4d80fc0971a5677a8c906b922a2ebc3db5193928050c14ac0cf14e1c78b95a13639264531bec445f29446c5174b5ac549b

Download Submit
memory/2316-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2316-0-0x00000000010C0000-0x0000000001141000-memory.dmp

Filesize
516KB

Download
memory/2316-19-0x00000000010C0000-0x0000000001141000-memory.dmp

Filesize
516KB

Download
memory/2392-40-0x0000000000810000-0x00000000008A9000-memory.dmp

Filesize
612KB

Download
memory/2392-46-0x0000000000810000-0x00000000008A9000-memory.dmp

Filesize
612KB

Download
memory/2392-45-0x0000000000810000-0x00000000008A9000-memory.dmp

Filesize
612KB

Download
memory/2392-41-0x0000000000810000-0x00000000008A9000-memory.dmp

Filesize
612KB

Download
memory/2916-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2916-39-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/2916-36-0x00000000032D0000-0x0000000003369000-memory.dmp

Filesize
612KB

Download
memory/2916-22-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/2916-10-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing