urelas | 228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799

General

Target

228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe
Size

331KB
MD5

b2b46805c6d9040e35b03cbcc2291570
SHA1

1f8c09742e89bc1920b0996382875069a2699ed7
SHA256

228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799
SHA512

05b4587e1e080bafc8d6b1c5f373273e0601d9e73fcf20ad33c19721e1cee1b89b3ea57081e301adac512b9140a2ea3b088b4ccfa176ae627d0823e4b9413580
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVH:vHW138/iXWlK885rKlGSekcj66ciEH

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2948	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2308	viifo.exe
908	hikii.exe

Loads dropped DLL 2 IoCs

pid	Process
2516	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe
2308	viifo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hikii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viifo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe
908	hikii.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2308	2516	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	30
PID 2516 wrote to memory of 2308	2516	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	30
PID 2516 wrote to memory of 2308	2516	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	30
PID 2516 wrote to memory of 2308	2516	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	30
PID 2516 wrote to memory of 2948	2516	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	31
PID 2516 wrote to memory of 2948	2516	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	31
PID 2516 wrote to memory of 2948	2516	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	31
PID 2516 wrote to memory of 2948	2516	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	31
PID 2308 wrote to memory of 908	2308	viifo.exe	34
PID 2308 wrote to memory of 908	2308	viifo.exe	34
PID 2308 wrote to memory of 908	2308	viifo.exe	34
PID 2308 wrote to memory of 908	2308	viifo.exe	34

C:\Users\Admin\AppData\Local\Temp\228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe
"C:\Users\Admin\AppData\Local\Temp\228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\viifo.exe
  "C:\Users\Admin\AppData\Local\Temp\viifo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\hikii.exe
    "C:\Users\Admin\AppData\Local\Temp\hikii.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
321fde60b66c64c4701cb5b752f9d577

SHA1
217bdea5ccb5a394cf3da4f6147192343f9e6dbd

SHA256
4ebdee2fa534f770db37aca411d0ef97cd23540daf2f6fd39b4b73839571156a

SHA512
75036d7a7aac9e4a51335c3901ba5157701ba8f0b81264c050cecabb73185643cf6f71545d4683413b88fcd794d666805655251584c5aa89eac76cf6294c833e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
aef6cc254d8d2686d80db65c8e707dca

SHA1
9a3bedcdc1cd767771533eca12152a81363681d3

SHA256
29b6ae17625bb9a061f337122446be381e4b1b0c261bf765972fa0b3ce5c737c

SHA512
4593ec260667e4f90b94fa0a6e26299bea0dfc2a6296158c3e02bff6c3f0edfcd6e2c74fec6e48bf31eb3c51e2e693fbfb58411c195752a4cfa6f26f0cd317f5

Download Submit
\Users\Admin\AppData\Local\Temp\hikii.exe

Filesize
172KB

MD5
fe339ea3a37ad7f13f01a8518dd4dee9

SHA1
79714b07e6c533a225655e2d7f074be113a882ff

SHA256
89d18ae624be7da131e96f0845cfa9e6ded47f8841ac9603e7fdaa745bdc9ff7

SHA512
f37d07bc1cfaeb3abb5e948576e614c1e894ce798a39c3fe05bcd944f5c1fba53f3d5ddad3afc9edd8911346d5880a0c4cb199e3231bffaff6c4f2e50a0ceb02

Download Submit
\Users\Admin\AppData\Local\Temp\viifo.exe

Filesize
331KB

MD5
b9968930c238c9285890c0533dcf672c

SHA1
e013787f0f6892d301bcfdbbdffee76695f25747

SHA256
dc675fd5433104b06a4305908abf02c3422f97489bcba14e73ec2934e7efe295

SHA512
6780d3817ea4b9087bd747e5f3bca95d970cc681c6b9e6deee71fb42d3cf2601da89df45585c027a846e32dcfdb771f3fe9d6fcc4fbca29e8b7be62579c498f3

Download Submit
memory/908-49-0x0000000001260000-0x00000000012F9000-memory.dmp

Filesize
612KB

Download
memory/908-48-0x0000000001260000-0x00000000012F9000-memory.dmp

Filesize
612KB

Download
memory/908-46-0x0000000001260000-0x00000000012F9000-memory.dmp

Filesize
612KB

Download
memory/908-43-0x0000000001260000-0x00000000012F9000-memory.dmp

Filesize
612KB

Download
memory/2308-18-0x0000000000E20000-0x0000000000EA1000-memory.dmp

Filesize
516KB

Download
memory/2308-24-0x0000000000E20000-0x0000000000EA1000-memory.dmp

Filesize
516KB

Download
memory/2308-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2308-38-0x0000000003C70000-0x0000000003D09000-memory.dmp

Filesize
612KB

Download
memory/2308-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2308-41-0x0000000000E20000-0x0000000000EA1000-memory.dmp

Filesize
516KB

Download
memory/2516-20-0x0000000000120000-0x00000000001A1000-memory.dmp

Filesize
516KB

Download
memory/2516-16-0x0000000002C40000-0x0000000002CC1000-memory.dmp

Filesize
516KB

Download
memory/2516-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2516-0-0x0000000000120000-0x00000000001A1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing