urelas | c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1

General

Target

c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe
Size

333KB
MD5

b73a1d20ba44fc157c979919730d53b0
SHA1

68decb89026da30677cb4a15bfc06fd6731fcc43
SHA256

c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1
SHA512

885e5a1a60ea24c48a0532833c7c0254665d119c53dfc6ede7c929cbf408450235ba9bc295e0eb8e26ec0587c414795c061288bab0d51a5aa4237925e9e09c08
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9D:vHW138/iXWlK885rKlGSekcj66ciWD

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2756	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2748	jedyf.exe
3068	wunia.exe

Loads dropped DLL 2 IoCs

pid	Process
2172	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe
2748	jedyf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jedyf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wunia.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe
3068	wunia.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2748	2172	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	30
PID 2172 wrote to memory of 2748	2172	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	30
PID 2172 wrote to memory of 2748	2172	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	30
PID 2172 wrote to memory of 2748	2172	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	30
PID 2172 wrote to memory of 2756	2172	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	31
PID 2172 wrote to memory of 2756	2172	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	31
PID 2172 wrote to memory of 2756	2172	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	31
PID 2172 wrote to memory of 2756	2172	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	31
PID 2748 wrote to memory of 3068	2748	jedyf.exe	33
PID 2748 wrote to memory of 3068	2748	jedyf.exe	33
PID 2748 wrote to memory of 3068	2748	jedyf.exe	33
PID 2748 wrote to memory of 3068	2748	jedyf.exe	33

C:\Users\Admin\AppData\Local\Temp\c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe
"C:\Users\Admin\AppData\Local\Temp\c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\jedyf.exe
  "C:\Users\Admin\AppData\Local\Temp\jedyf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\wunia.exe
    "C:\Users\Admin\AppData\Local\Temp\wunia.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
c326a90cd16d97acc9229102e6666204

SHA1
93c2b71d8d210da2c5cd2ea5b147eba0cad85022

SHA256
887a78279680dece945f2b3f1f84e4e071a035b5d3be545b22b87d272c1f8d5b

SHA512
f7a3401e4684c1f1fb50ee2265dcd21dd952f11c2b9149362f5f9f4ce1c8cc6c227e284d373a79294dc6c4abf03dd31d1dfed7e5bba99ac2a2655cd829343a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ecdba94c2b8b0353b39dc281164718b3

SHA1
cbd1f23edc87b78b0cc610efee2a87117a1447ab

SHA256
ab68d422b9d2ee43990dc9b521afde05ac430ec666f7a9649af909d7a7d0f405

SHA512
82c521cb417d8902eaa31f17f800b34efea1e74513bd203b03eea14aba8d883aad83cb9fd24cd3f0f0a106b8e183ae89ee5a1e8c640d0435dcb5b299141ec913

Download Submit
\Users\Admin\AppData\Local\Temp\jedyf.exe

Filesize
333KB

MD5
bbb6b506a5b4efd9e5bf87217cba5b06

SHA1
283d1dea867317f74f95cbe08a03b916d79553e9

SHA256
0a66109f1f6432e8356f751146f7ef39c66b7766c4366865283a64163a07bc87

SHA512
6a373724337ed40d561e09a66ba5b192aad660ee9ab72305317e69f83ac8b384760e1670283ce3794511afbc1ac7c429b4e44dd2c71b4857462b9e197ada00a7

Download Submit
\Users\Admin\AppData\Local\Temp\wunia.exe

Filesize
172KB

MD5
12ddcf62cdd9012f2373336315af17f2

SHA1
f3418f56970650889cebe75c7c627edfaedd2cf2

SHA256
d3dd2422d630ce3e61ca73f4395ea666eec567391baf6f64fd81e3a643d13239

SHA512
d1ea7dbf43450b164130baecdbd220ba0b9d12cd0525b090da14daff6ae70e8a494fd2b364c0a1a116d6fa47104618bb9c976d5808ae2ada619bbfd8a260686a

Download Submit
memory/2172-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2172-0-0x00000000011B0000-0x0000000001231000-memory.dmp

Filesize
516KB

Download
memory/2172-9-0x0000000002C70000-0x0000000002CF1000-memory.dmp

Filesize
516KB

Download
memory/2172-21-0x00000000011B0000-0x0000000001231000-memory.dmp

Filesize
516KB

Download
memory/2748-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2748-11-0x0000000001030000-0x00000000010B1000-memory.dmp

Filesize
516KB

Download
memory/2748-24-0x0000000001030000-0x00000000010B1000-memory.dmp

Filesize
516KB

Download
memory/2748-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2748-42-0x00000000036E0000-0x0000000003779000-memory.dmp

Filesize
612KB

Download
memory/2748-41-0x0000000001030000-0x00000000010B1000-memory.dmp

Filesize
516KB

Download
memory/3068-45-0x0000000000EF0000-0x0000000000F89000-memory.dmp

Filesize
612KB

Download
memory/3068-43-0x0000000000EF0000-0x0000000000F89000-memory.dmp

Filesize
612KB

Download
memory/3068-48-0x0000000000EF0000-0x0000000000F89000-memory.dmp

Filesize
612KB

Download
memory/3068-49-0x0000000000EF0000-0x0000000000F89000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing