urelas | 96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572

General

Target

96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe
Size

330KB
MD5

3a68bb128a59328497ab1547eb478530
SHA1

8f7a15df1faeb57364891133ea4f8c2f60cc70ac
SHA256

96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572
SHA512

e541c19ea0d9ed197fdda2b5e6dd08bc3ac8464cce5bcfd09a20aecbada77d4ce77235c954fefcb7388ffc03d99e6ae458b33181991f321d24e9eee17379c083
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYw:vHW138/iXWlK885rKlGSekcj66ci5

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2208	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2340	awnif.exe
868	jezic.exe

Loads dropped DLL 2 IoCs

pid	Process
2372	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe
2340	awnif.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	awnif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jezic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe
868	jezic.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2340	2372	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe	31
PID 2372 wrote to memory of 2340	2372	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe	31
PID 2372 wrote to memory of 2340	2372	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe	31
PID 2372 wrote to memory of 2340	2372	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe	31
PID 2372 wrote to memory of 2208	2372	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe	32
PID 2372 wrote to memory of 2208	2372	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe	32
PID 2372 wrote to memory of 2208	2372	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe	32
PID 2372 wrote to memory of 2208	2372	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe	32
PID 2340 wrote to memory of 868	2340	awnif.exe	35
PID 2340 wrote to memory of 868	2340	awnif.exe	35
PID 2340 wrote to memory of 868	2340	awnif.exe	35
PID 2340 wrote to memory of 868	2340	awnif.exe	35

C:\Users\Admin\AppData\Local\Temp\96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe
"C:\Users\Admin\AppData\Local\Temp\96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\awnif.exe
  "C:\Users\Admin\AppData\Local\Temp\awnif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\jezic.exe
    "C:\Users\Admin\AppData\Local\Temp\jezic.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
1eb7fb2f6d51781cbb64618cfe44e24c

SHA1
27b0a5a7553cb041c7e778c52ba30eb9db303568

SHA256
05c50aeed3beeded204e96b1caee8f4689cba6b6bf95607a35b602ed30a4b3ea

SHA512
4889a3f74f464b471825c27f39b74294d2548c7eb08cfb841a44f04e2cd456953d2d6396bd6457bf246983c20b6865330a8f88bfcd97d4f79770e8189d8dae42

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
be9f1e795d8e1ab9c727798362e22dcf

SHA1
416fa00514a9abdd255099c509429717c636cde1

SHA256
7a8fdf94532c4b9d267160de8911c64c6c1f7fd140fdbd5b168ab927bdc4483e

SHA512
847b89dfcca3a61f94883cda8295c37a5694d8f82c7ab7f963639be900da234b23e28fe20453dcecb5d0837177bbb0b46fd5dd589da7d5779d0dc1305be7d0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\jezic.exe

Filesize
172KB

MD5
285bf3b79b0e8aa2e43fb7b02ff8a515

SHA1
775407f9235a3357afb41139d5b491e62d16e9ca

SHA256
313d931c604d3fe1166ebddaa6c63c61c7c0195a2126b9347140b26458482ab3

SHA512
2df702476a98647ec50dd8d38d810bddf5c4be92ba547f9ea891a0505129841a0c1e7142ccbe392baf75eb413ea7da4462ba5be8d0c2637b1b2025deda32bd3c

Download Submit
\Users\Admin\AppData\Local\Temp\awnif.exe

Filesize
331KB

MD5
cd1578587314e3d65c05c6417dcfe296

SHA1
8160422df0a9a5c2a59e96076e2b7e3837708d1c

SHA256
588e99acb0358005abe65b5f8dbc4d5b0c1a6caa8dd6d6a3060a7be0475e57ef

SHA512
dfacee6858ee50959b1106bd7c1e31a3f403ba8f3462a4c99701920e6188be61015a7bee6e014a7f1815fb65ac83053311bc78ac33a684b2960b15c11e50dafc

Download Submit
memory/868-41-0x0000000000190000-0x0000000000229000-memory.dmp

Filesize
612KB

Download
memory/868-47-0x0000000000190000-0x0000000000229000-memory.dmp

Filesize
612KB

Download
memory/868-46-0x0000000000190000-0x0000000000229000-memory.dmp

Filesize
612KB

Download
memory/868-44-0x0000000000190000-0x0000000000229000-memory.dmp

Filesize
612KB

Download
memory/2340-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2340-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2340-23-0x00000000012D0000-0x0000000001351000-memory.dmp

Filesize
516KB

Download
memory/2340-39-0x00000000012D0000-0x0000000001351000-memory.dmp

Filesize
516KB

Download
memory/2372-20-0x00000000010F0000-0x0000000001171000-memory.dmp

Filesize
516KB

Download
memory/2372-7-0x0000000001050000-0x00000000010D1000-memory.dmp

Filesize
516KB

Download
memory/2372-0-0x00000000010F0000-0x0000000001171000-memory.dmp

Filesize
516KB

Download
memory/2372-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing