urelas | 378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995

General

Target

378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe
Size

324KB
MD5

597949f45a51a183b2cb794f4ebe2f60
SHA1

ca85370e47fbfa1424d4ab7e89e0286a68a41fa8
SHA256

378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995
SHA512

7240a58c3330b87d094727e4f87bd52929ac86f4444cbf54ee006003d8a3a0b1e82da754b08a9e43cabf030a03ffca14d7bbfe3979b6d14036fd65faf6c55345
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYH:vHW138/iXWlK885rKlGSekcj66cie

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2728	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2580	azucs.exe
1304	ujjeu.exe

Loads dropped DLL 2 IoCs

pid	Process
2140	378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe
2580	azucs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azucs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujjeu.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe
1304	ujjeu.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2580	2140	378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe	30
PID 2140 wrote to memory of 2580	2140	378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe	30
PID 2140 wrote to memory of 2580	2140	378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe	30
PID 2140 wrote to memory of 2580	2140	378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe	30
PID 2140 wrote to memory of 2728	2140	378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe	31
PID 2140 wrote to memory of 2728	2140	378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe	31
PID 2140 wrote to memory of 2728	2140	378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe	31
PID 2140 wrote to memory of 2728	2140	378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe	31
PID 2580 wrote to memory of 1304	2580	azucs.exe	34
PID 2580 wrote to memory of 1304	2580	azucs.exe	34
PID 2580 wrote to memory of 1304	2580	azucs.exe	34
PID 2580 wrote to memory of 1304	2580	azucs.exe	34

C:\Users\Admin\AppData\Local\Temp\378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe
"C:\Users\Admin\AppData\Local\Temp\378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\azucs.exe
  "C:\Users\Admin\AppData\Local\Temp\azucs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\ujjeu.exe
    "C:\Users\Admin\AppData\Local\Temp\ujjeu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f024ff3914b6b0332f680b1ce48381ee

SHA1
a9d8778af0e9432b9a60c42a4a2361821cbf9ae6

SHA256
f695fd7e7034d15c2d20c017d84498e7536e197251837cbb01b221f7303be1ea

SHA512
886649c57d62c9472016164f3cedc942efa81e2930beb14001e1a215a13070d105b3a0d73f2a6aface167142aa5a675008f42f684ebae0859bb912897949a0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cc16a3f4452183b9ebbed134c816bdd3

SHA1
788bb12871346ecea14d51faea8bf9fea3fa3790

SHA256
37a8394a71ee574473e387dcc0d35f0ed36fea9f7d4906710df174498df92da0

SHA512
52b7d223434e58c5e435a5bc2547b884939985c3cd4ce84859a1f788d235c68c64248f6a5cb04deb00c54ec5b0489394fcfb49594a93b3ac274925dd8193cc58

Download Submit
\Users\Admin\AppData\Local\Temp\azucs.exe

Filesize
324KB

MD5
1d3251152eb4521611df6fea28e93559

SHA1
e65e402d84eaae8a2a3ccaa26ebf51c8c507189a

SHA256
cc6d0b0de5b594d8d82d78134c2d0c491a87159763f4723c0983a69146e8c679

SHA512
b5a21e46207b552c7463020cf8b5421ef36ac92d22fa1dd188775ea1868b72d88ee64931a0155d1a1089e99f9ebdb65d55daaa6369faef2c882c869fa6183c5d

Download Submit
\Users\Admin\AppData\Local\Temp\ujjeu.exe

Filesize
172KB

MD5
3923ae0dedf2f4e390aca41302e4829f

SHA1
4591a417f3cbda396b161c70abe921e78645b430

SHA256
e1e280cf1c58ed8fc4a6444e89c1082fc80c92314c423b8daf74332af8bf98a1

SHA512
bcec37acdf9add1fecfdadcb951ae3a23e9518bd55fa8465bb30799a21371fb39fe565bd06c9ab271b52036af6ef36bd565ff46eb23cf81df4d5d460e7cf2f2f

Download Submit
memory/1304-42-0x0000000000960000-0x00000000009F9000-memory.dmp

Filesize
612KB

Download
memory/1304-48-0x0000000000960000-0x00000000009F9000-memory.dmp

Filesize
612KB

Download
memory/1304-47-0x0000000000960000-0x00000000009F9000-memory.dmp

Filesize
612KB

Download
memory/1304-45-0x0000000000960000-0x00000000009F9000-memory.dmp

Filesize
612KB

Download
memory/2140-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2140-20-0x0000000000CA0000-0x0000000000D21000-memory.dmp

Filesize
516KB

Download
memory/2140-9-0x0000000002400000-0x0000000002481000-memory.dmp

Filesize
516KB

Download
memory/2140-0-0x0000000000CA0000-0x0000000000D21000-memory.dmp

Filesize
516KB

Download
memory/2580-10-0x00000000003F0000-0x0000000000471000-memory.dmp

Filesize
516KB

Download
memory/2580-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2580-41-0x00000000003F0000-0x0000000000471000-memory.dmp

Filesize
516KB

Download
memory/2580-39-0x0000000003D70000-0x0000000003E09000-memory.dmp

Filesize
612KB

Download
memory/2580-23-0x00000000003F0000-0x0000000000471000-memory.dmp

Filesize
516KB

Download
memory/2580-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing