urelas | a22fc411797fbf3e7c20f7ba4ce20e764d1b5402e9774dce6a8c835e329f5656

General

Target

a22fc411797fbf3e7c20f7ba4ce20e764d1b5402e9774dce6a8c835e329f5656N.exe
Size

332KB
MD5

15afd1051690f222902f2f8b7a09c340
SHA1

3f61678e08e132620d6051dfd9b53ebb072d413e
SHA256

a22fc411797fbf3e7c20f7ba4ce20e764d1b5402e9774dce6a8c835e329f5656
SHA512

a1f95390e52cc97b7ff3e6e9fb24577bc4190a3e6837b8d8ee28ed5801782dbe723b5d9d9e1e8d776fa7dc16d443d44646d90cea7751b218f1723c8bf30482f8
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYW:vHW138/iXWlK885rKlGSekcj66ciX

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2628	lyajl.exe
532	ketow.exe

Loads dropped DLL 2 IoCs

pid	Process
2748	a22fc411797fbf3e7c20f7ba4ce20e764d1b5402e9774dce6a8c835e329f5656N.exe
2628	lyajl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a22fc411797fbf3e7c20f7ba4ce20e764d1b5402e9774dce6a8c835e329f5656N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lyajl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ketow.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe
532	ketow.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2628	2748	a22fc411797fbf3e7c20f7ba4ce20e764d1b5402e9774dce6a8c835e329f5656N.exe	31
PID 2748 wrote to memory of 2628	2748	a22fc411797fbf3e7c20f7ba4ce20e764d1b5402e9774dce6a8c835e329f5656N.exe	31
PID 2748 wrote to memory of 2628	2748	a22fc411797fbf3e7c20f7ba4ce20e764d1b5402e9774dce6a8c835e329f5656N.exe	31
PID 2748 wrote to memory of 2628	2748	a22fc411797fbf3e7c20f7ba4ce20e764d1b5402e9774dce6a8c835e329f5656N.exe	31
PID 2748 wrote to memory of 2740	2748	a22fc411797fbf3e7c20f7ba4ce20e764d1b5402e9774dce6a8c835e329f5656N.exe	32
PID 2748 wrote to memory of 2740	2748	a22fc411797fbf3e7c20f7ba4ce20e764d1b5402e9774dce6a8c835e329f5656N.exe	32
PID 2748 wrote to memory of 2740	2748	a22fc411797fbf3e7c20f7ba4ce20e764d1b5402e9774dce6a8c835e329f5656N.exe	32
PID 2748 wrote to memory of 2740	2748	a22fc411797fbf3e7c20f7ba4ce20e764d1b5402e9774dce6a8c835e329f5656N.exe	32
PID 2628 wrote to memory of 532	2628	lyajl.exe	35
PID 2628 wrote to memory of 532	2628	lyajl.exe	35
PID 2628 wrote to memory of 532	2628	lyajl.exe	35
PID 2628 wrote to memory of 532	2628	lyajl.exe	35

C:\Users\Admin\AppData\Local\Temp\a22fc411797fbf3e7c20f7ba4ce20e764d1b5402e9774dce6a8c835e329f5656N.exe
"C:\Users\Admin\AppData\Local\Temp\a22fc411797fbf3e7c20f7ba4ce20e764d1b5402e9774dce6a8c835e329f5656N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\lyajl.exe
  "C:\Users\Admin\AppData\Local\Temp\lyajl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\ketow.exe
    "C:\Users\Admin\AppData\Local\Temp\ketow.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
e5d4eb9ffc92f3ea80a72f698cbe544d

SHA1
b3400d7f5c96df17248a5880a4f0f1586534f344

SHA256
2b7a84315a440efa9d8ee5fab3ceca33c8a323f8e7bd90de9d596183ab22ee1c

SHA512
acd93355dbf8d2d78139aa87df9e194a665a059b74258caac2aadf2692b753355998213561f9edab3a9d694c3dc21bb90d165bdad558ffc86e18057dc5f620a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
949d0e0c4ec0b47c86126fd08ab531b7

SHA1
9ae3ee33299ed0fde40b6d6c783a40a8b42fd358

SHA256
3bb69f03044499adaac864a8018a3789a4ce0c463b5194ae08fe09014bf1358a

SHA512
72c731ab395e4c261a1b104412e4e407a6ed51753add705b755c9b26d7dc22bbe9ee9cd7027ee69c8deeca2e6e859be90cc1ac8752581aaa2e5c4949b2b49c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ketow.exe

Filesize
172KB

MD5
4b7ee2c9531f81270137083fcd8b609e

SHA1
0331ef2e0a6f9ee3fb17f3fa46e2c42b39df377a

SHA256
3b9c401c9dbf6e5d74efed0bb78aabc97af51501aa3ec5069688b488e92d8725

SHA512
e6b1a2bc8403991e6b1714dbd5dd4450ed873259e4ea5f53c40b65c29c1017982ffa0f1aa9d4c852935154c9bb3ba7fe463c332512f08a771ee78dc7f94c143f

Download Submit
\Users\Admin\AppData\Local\Temp\lyajl.exe

Filesize
332KB

MD5
0b40b6eeb96493b0cb116366e280b2c2

SHA1
4551105286aeaf7c89f7bdc1c2d9de4edb99cb00

SHA256
9e25baa31cb24efe1b43fe48d0f754f1df1942048b7cc8f19661752d063f148d

SHA512
5f81ceb348d83133eed0c1d717af1a0a558b04affcc01995eb116f1f4db9be08fee896f4a539215f95e3efbbe3f8f022f177cc125e1e62e23ff0d4e9ea779fc7

Download Submit
memory/532-49-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/532-48-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/532-43-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/532-46-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/2628-24-0x0000000000020000-0x00000000000A1000-memory.dmp

Filesize
516KB

Download
memory/2628-40-0x0000000003120000-0x00000000031B9000-memory.dmp

Filesize
612KB

Download
memory/2628-18-0x0000000000020000-0x00000000000A1000-memory.dmp

Filesize
516KB

Download
memory/2628-42-0x0000000000020000-0x00000000000A1000-memory.dmp

Filesize
516KB

Download
memory/2628-20-0x0000000000020000-0x00000000000A1000-memory.dmp

Filesize
516KB

Download
memory/2748-21-0x0000000000A90000-0x0000000000B11000-memory.dmp

Filesize
516KB

Download
memory/2748-17-0x0000000002020000-0x00000000020A1000-memory.dmp

Filesize
516KB

Download
memory/2748-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2748-0-0x0000000000A90000-0x0000000000B11000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing