urelas | 4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06

General

Target

4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe
Size

332KB
MD5

0245c187c3e8aadc222e614423e615d0
SHA1

3a50a9991861ef8dc121fbec4f0bb8667144dd2c
SHA256

4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06
SHA512

60d37fa1e4cf1e6c63e854d328f0d4cf30a01edb9a622c1944320d17080fc05e4ad5c176589038fd8e02ad44fb8df3a060dc4e750c6ab9c9fe87fa5e5ddd110b
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVJ:vHW138/iXWlK885rKlGSekcj66ciEJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2800	pucyd.exe
1764	pyseo.exe

Loads dropped DLL 2 IoCs

pid	Process
880	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe
2800	pucyd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyseo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pucyd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe
1764	pyseo.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2800	880	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe	30
PID 880 wrote to memory of 2800	880	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe	30
PID 880 wrote to memory of 2800	880	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe	30
PID 880 wrote to memory of 2800	880	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe	30
PID 880 wrote to memory of 2720	880	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe	31
PID 880 wrote to memory of 2720	880	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe	31
PID 880 wrote to memory of 2720	880	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe	31
PID 880 wrote to memory of 2720	880	4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe	31
PID 2800 wrote to memory of 1764	2800	pucyd.exe	33
PID 2800 wrote to memory of 1764	2800	pucyd.exe	33
PID 2800 wrote to memory of 1764	2800	pucyd.exe	33
PID 2800 wrote to memory of 1764	2800	pucyd.exe	33

C:\Users\Admin\AppData\Local\Temp\4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe
"C:\Users\Admin\AppData\Local\Temp\4b0346b3390c68f214af1c1b12f9469b871194e2c6d930aa6f1bf7191a13fd06N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\pucyd.exe
  "C:\Users\Admin\AppData\Local\Temp\pucyd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\pyseo.exe
    "C:\Users\Admin\AppData\Local\Temp\pyseo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
35418fff5a9b2d0ece4ab4764a1a49df

SHA1
06f9e4589f21a60a69b4a7301fc4feca2ba4cf94

SHA256
caf07023dafeb35d10556078234a2e81c2d5dac09f456f6ea12cea9102d3f3f6

SHA512
6cc2a57c4591bfea9803aa231734c869c8677d41d26fbff1495a2822a96c518b01873f59b5d23bb7f2dff4f5ff8be8dd6b1d5fe4b825a82371e80d165e1bc1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6c57c46dba3fdbfb4274c5038e8cac43

SHA1
1ca4bd5396dab8e97ffd05e59b6bf8691bdfb490

SHA256
0f2c96083af8e8c2df1cf7dfcb42f7b6d5e52e8b16bc4cd61065f864e4443a34

SHA512
8f2e2a9b5b5b1436f3ee910d0cc1ebe912b84485a711d354feba797eb34471c3bc677c2547b78db1f7032789bbaa4d794c00064ab3b184988477b2f73fd8db81

Download Submit
\Users\Admin\AppData\Local\Temp\pucyd.exe

Filesize
332KB

MD5
45a9e2302b5156360dc978c7e1d9df34

SHA1
0ac60d8b8a256788001983f7d422cc8b00bd0d63

SHA256
35ea2d4874be8e8199aa862931a4bc0143b39588041a52460dd9f765793fd8c8

SHA512
dac105a9b9f072a844d017610455d5c2ace1057388cd4f8e8ed0eb82db2cb153ed5e898216461504048e714cb1723bb3d6b42dac9f2ce34f921cee220ed53460

Download Submit
\Users\Admin\AppData\Local\Temp\pyseo.exe

Filesize
172KB

MD5
ac651cc99b50784c74270e47dc712ad5

SHA1
15f1d4a9ee57184cb61568f53c8b4b0357e17017

SHA256
fa1294f4bdb09c8789c9c9ac4a46454a93b16df7e1b598f7f608fb72420aca1d

SHA512
a2605e988e47e3dceca8e34581d336df439fbac20d51551f373bffd7efffdebd9e046863222bacd74067c29c67a05d778f287d05b04a708e8be16701873f02c0

Download Submit
memory/880-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/880-6-0x0000000002840000-0x00000000028C1000-memory.dmp

Filesize
516KB

Download
memory/880-20-0x0000000000200000-0x0000000000281000-memory.dmp

Filesize
516KB

Download
memory/880-0-0x0000000000200000-0x0000000000281000-memory.dmp

Filesize
516KB

Download
memory/1764-42-0x0000000000B70000-0x0000000000C09000-memory.dmp

Filesize
612KB

Download
memory/1764-47-0x0000000000B70000-0x0000000000C09000-memory.dmp

Filesize
612KB

Download
memory/1764-39-0x0000000000B70000-0x0000000000C09000-memory.dmp

Filesize
612KB

Download
memory/1764-46-0x0000000000B70000-0x0000000000C09000-memory.dmp

Filesize
612KB

Download
memory/2800-23-0x0000000000B60000-0x0000000000BE1000-memory.dmp

Filesize
516KB

Download
memory/2800-41-0x0000000000B60000-0x0000000000BE1000-memory.dmp

Filesize
516KB

Download
memory/2800-37-0x0000000003FB0000-0x0000000004049000-memory.dmp

Filesize
612KB

Download
memory/2800-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing