urelas | 1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87

General

Target

1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe
Size

326KB
MD5

401fb01cbf8ed63e4f454941bf64f360
SHA1

32a11b167faa03799ac791677f1d1a5e4207135a
SHA256

1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87
SHA512

1d1c7a8c3f4cc78a4b728758142478b02c3ca7d00213645ec90afa294328ee151b3ca038c344a17ca936dc8a248cf7c7ccf4895b082a54babeb90b277f05be25
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYQ:vHW138/iXWlK885rKlGSekcj66ciJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2836	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2216	buxii.exe
2700	keejv.exe

Loads dropped DLL 2 IoCs

pid	Process
3040	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe
2216	buxii.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buxii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keejv.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe
2700	keejv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2216	3040	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe	30
PID 3040 wrote to memory of 2216	3040	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe	30
PID 3040 wrote to memory of 2216	3040	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe	30
PID 3040 wrote to memory of 2216	3040	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe	30
PID 3040 wrote to memory of 2836	3040	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe	31
PID 3040 wrote to memory of 2836	3040	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe	31
PID 3040 wrote to memory of 2836	3040	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe	31
PID 3040 wrote to memory of 2836	3040	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe	31
PID 2216 wrote to memory of 2700	2216	buxii.exe	34
PID 2216 wrote to memory of 2700	2216	buxii.exe	34
PID 2216 wrote to memory of 2700	2216	buxii.exe	34
PID 2216 wrote to memory of 2700	2216	buxii.exe	34

C:\Users\Admin\AppData\Local\Temp\1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe
"C:\Users\Admin\AppData\Local\Temp\1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\buxii.exe
  "C:\Users\Admin\AppData\Local\Temp\buxii.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\keejv.exe
    "C:\Users\Admin\AppData\Local\Temp\keejv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
fede352765fcde66f60f79f42964f276

SHA1
7bd92914c97a5f6b5bf775d3969a4de6a3c6bac7

SHA256
792936da87016727248489d129c9f9b9b502819e65d12df9854e2dea5c706f91

SHA512
3155658751bd7ed1a2f040c5a5c64ec968b12b32b87622f16f4a9276ff0fd65be7ca1c01ea3e7339c46b4c83d0cb25fa71742be80ec65c3b66c84446bb75fc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a35a80afd9351ed93f8701f35137f432

SHA1
07f3f21269c80609aa03fd25fcad9dc69df4cd68

SHA256
14a2afa2988f5d894e787732f813a12e8d589f8e7ef8765bba04cae352262aeb

SHA512
24da4262f940108f16e13b680dc7d03e6c64be3dc44213958451e071f75c605c29b0295286b1b000c81499cba5420fd9f5eb23d0e18f1a5d2bf88b73e8816607

Download Submit
\Users\Admin\AppData\Local\Temp\buxii.exe

Filesize
326KB

MD5
177270965750745a4aa1aaedbc1671ae

SHA1
aa76df943a620c23d0555597d7e3ab73706a8854

SHA256
174247ca73cbab4b065be241b827ba9c3135b986a9905a0680430b9fd7f3215e

SHA512
8f9217e2e029727c3f0a14546023d1c7c482d0c2c6f054218704c057577d64d36b14ceb1b95d0032ce5a78cccff7a7e21efe5be5fc10b40ad152126bb30a82f3

Download Submit
\Users\Admin\AppData\Local\Temp\keejv.exe

Filesize
172KB

MD5
39b30e77f01cb0ff185759f4acddb7a3

SHA1
e35111ec20ec43c138119ccb291c86d7d469af54

SHA256
4bde871ecc9e7a0cd5f02e9e072bdf856263619c54166ba4cd4b5d0dd3d31a1d

SHA512
9c70b0a5d0c0715bbff8dd2c4e16a6088cee5144cf1e4bc222055ab5e738972144a7db061053f4630810f1e387d69dae409038fa8a90263989a0925cfbbca7c1

Download Submit
memory/2216-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2216-11-0x0000000001030000-0x00000000010B1000-memory.dmp

Filesize
516KB

Download
memory/2216-24-0x0000000001030000-0x00000000010B1000-memory.dmp

Filesize
516KB

Download
memory/2216-40-0x0000000001030000-0x00000000010B1000-memory.dmp

Filesize
516KB

Download
memory/2216-38-0x00000000031D0000-0x0000000003269000-memory.dmp

Filesize
612KB

Download
memory/2700-42-0x0000000000D20000-0x0000000000DB9000-memory.dmp

Filesize
612KB

Download
memory/2700-43-0x0000000000D20000-0x0000000000DB9000-memory.dmp

Filesize
612KB

Download
memory/2700-47-0x0000000000D20000-0x0000000000DB9000-memory.dmp

Filesize
612KB

Download
memory/2700-48-0x0000000000D20000-0x0000000000DB9000-memory.dmp

Filesize
612KB

Download
memory/3040-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3040-21-0x0000000000FB0000-0x0000000001031000-memory.dmp

Filesize
516KB

Download
memory/3040-9-0x0000000000D30000-0x0000000000DB1000-memory.dmp

Filesize
516KB

Download
memory/3040-0-0x0000000000FB0000-0x0000000001031000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing