urelas | a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429

General

Target

a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe
Size

332KB
MD5

926d44f877c6b8877309b7dc186c5650
SHA1

d21eb91f9d20bb0d3a3ccd5edd4dd48d900a54df
SHA256

a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429
SHA512

486b60f8b1ee93f7b52f8f911e4284b7c384a23a68e4736d5fd6b9dd97c1be5cae23f24fce95f11c98e954bfb029ef55d84bab57dcc9fbbeda6a61e4b6548fc2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVO:vHW138/iXWlK885rKlGSekcj66ciEO

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1800 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

nisyg.exemieta.exe

pid process

2848 nisyg.exe
1264 mieta.exe
Loads dropped DLL 2 IoCs

Processes:

a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exenisyg.exe

pid process

2400 a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe
2848 nisyg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1800	cmd.exe

pid	process
2848	nisyg.exe
1264	mieta.exe

pid	process
2400	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe
2848	nisyg.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exenisyg.execmd.exemieta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nisyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mieta.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

mieta.exe

pid	process
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe
1264	mieta.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exenisyg.exe

description	pid	process	target process
PID 2400 wrote to memory of 2848	2400	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe	nisyg.exe
PID 2400 wrote to memory of 2848	2400	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe	nisyg.exe
PID 2400 wrote to memory of 2848	2400	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe	nisyg.exe
PID 2400 wrote to memory of 2848	2400	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe	nisyg.exe
PID 2400 wrote to memory of 1800	2400	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe	cmd.exe
PID 2400 wrote to memory of 1800	2400	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe	cmd.exe
PID 2400 wrote to memory of 1800	2400	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe	cmd.exe
PID 2400 wrote to memory of 1800	2400	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe	cmd.exe
PID 2848 wrote to memory of 1264	2848	nisyg.exe	mieta.exe
PID 2848 wrote to memory of 1264	2848	nisyg.exe	mieta.exe
PID 2848 wrote to memory of 1264	2848	nisyg.exe	mieta.exe
PID 2848 wrote to memory of 1264	2848	nisyg.exe	mieta.exe

C:\Users\Admin\AppData\Local\Temp\a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe
"C:\Users\Admin\AppData\Local\Temp\a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\nisyg.exe
  "C:\Users\Admin\AppData\Local\Temp\nisyg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\mieta.exe
    "C:\Users\Admin\AppData\Local\Temp\mieta.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
50cdf9e4b573a86d4510dec0488fd72e

SHA1
24b5ae9f6b068455895b878569eabbcdd113a0bb

SHA256
2eb2fe28da4522c3f19a396b64cf2fcf1c9d3c242a60b7beb332abc2a2a57ef1

SHA512
d8e3fe0c00f225698bc8bea1184466552f46a26b1d8ad31ff968d5b64afb0c3e4aa43d8c8677a058272f3cf90c942f7d380452f1b11b8a177efca92a13e55b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
751769e759df86757d9dcfb160510b8c

SHA1
5ded987adf9819addef48714490b24c054569333

SHA256
a8187dec083c5e113bbc43cf78ace6d695dc648dbf6860a8cd84e4b38adb78b1

SHA512
fabb9852a930ff58e80e83e119860ecc43608dd7d963165ddee9ed6857f9131cda63f6f49311185d9545632ce5c18ad202641a6de7bcb221c78df804bc519be9

Download Submit
\Users\Admin\AppData\Local\Temp\mieta.exe

Filesize
172KB

MD5
9712a1f16c2ba7fe8a24ee7b87814f65

SHA1
baf639109c60fdbe2a6ee88cf6a98b187a6e387b

SHA256
11d5ca99e6d353cededfb78e4bf62774f192e4e3e6967c752363d4595699a8ee

SHA512
5de76000c5a5f7b035e8d74598ed6b20ed8a8d1029d42773ddff9d1b28e9dba56893ca5260291df415dadf2e0fe4fd11374225dd2c5d8ca66d660fe44038bdb7

Download Submit
\Users\Admin\AppData\Local\Temp\nisyg.exe

Filesize
332KB

MD5
00bf845ac74bbaf5706ee72788276189

SHA1
62def7cd9c9c0654348efa2ec282e3daa203b02b

SHA256
4dc6e9e2dcd569ea9b4d36ca61e885a2c858d311ed7e23b76afda0c9c71e43da

SHA512
d48673be8ae2d00fce79f83679613167232400413cafe2c0d798ea605fc5203bbf1cb23694e26db620d779bf072c139af8d87beb088b11f3b8b3407b9314347f

Download Submit
memory/1264-40-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/1264-49-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/1264-48-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/1264-47-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/1264-46-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/1264-45-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/1264-41-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/2400-9-0x00000000025F0000-0x0000000002671000-memory.dmp

Filesize
516KB

Download
memory/2400-18-0x0000000000C90000-0x0000000000D11000-memory.dmp

Filesize
516KB

Download
memory/2400-0-0x0000000000C90000-0x0000000000D11000-memory.dmp

Filesize
516KB

Download
memory/2400-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2848-38-0x0000000000C10000-0x0000000000C91000-memory.dmp

Filesize
516KB

Download
memory/2848-23-0x0000000000C10000-0x0000000000C91000-memory.dmp

Filesize
516KB

Download
memory/2848-19-0x0000000000C10000-0x0000000000C91000-memory.dmp

Filesize
516KB

Download
memory/2848-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads