urelas | 38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5

General

Target

38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe
Size

331KB
MD5

30ea5e68559a497f7e2f766c971517c0
SHA1

74b2de3994c6bdd890440e115c5f66c81805eed2
SHA256

38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5
SHA512

72f11c5cd6118b126cb7cd54e103b72a9502d945778014d88cd60d879261a7623784ffd8c79b742223d9a39bf78fc5771fc5e1082be24672a5fe3888f37ce3a0
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVT:vHW138/iXWlK885rKlGSekcj66ciET

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2720 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

nunen.exeujpic.exe

pid process

2756 nunen.exe
2956 ujpic.exe
Loads dropped DLL 2 IoCs

Processes:

38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exenunen.exe

pid process

2252 38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe
2756 nunen.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2720	cmd.exe

pid	process
2756	nunen.exe
2956	ujpic.exe

pid	process
2252	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe
2756	nunen.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

nunen.execmd.exeujpic.exe38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nunen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujpic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

ujpic.exe

pid	process
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe
2956	ujpic.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exenunen.exe

description	pid	process	target process
PID 2252 wrote to memory of 2756	2252	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe	nunen.exe
PID 2252 wrote to memory of 2756	2252	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe	nunen.exe
PID 2252 wrote to memory of 2756	2252	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe	nunen.exe
PID 2252 wrote to memory of 2756	2252	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe	nunen.exe
PID 2252 wrote to memory of 2720	2252	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe	cmd.exe
PID 2252 wrote to memory of 2720	2252	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe	cmd.exe
PID 2252 wrote to memory of 2720	2252	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe	cmd.exe
PID 2252 wrote to memory of 2720	2252	38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe	cmd.exe
PID 2756 wrote to memory of 2956	2756	nunen.exe	ujpic.exe
PID 2756 wrote to memory of 2956	2756	nunen.exe	ujpic.exe
PID 2756 wrote to memory of 2956	2756	nunen.exe	ujpic.exe
PID 2756 wrote to memory of 2956	2756	nunen.exe	ujpic.exe

C:\Users\Admin\AppData\Local\Temp\38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe
"C:\Users\Admin\AppData\Local\Temp\38cb48c9365cd9927d1f870c6b48a3d6b1b7ff5d7546fbda4b20a25190b0f6a5N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\nunen.exe
  "C:\Users\Admin\AppData\Local\Temp\nunen.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\ujpic.exe
    "C:\Users\Admin\AppData\Local\Temp\ujpic.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
6eb6f63297da1390f2dfbe3b22f4934c

SHA1
f0285d30f4ed8df9210dd424017ebf1273be21ce

SHA256
0ce1e7e46f8cced4a61efa4ecc48cd46c1c76e85593b8de89fc18529f3485fe8

SHA512
6785358d8a9f9793036256b66dccc0532da0bb86d7c68b568bdada1d73fbc14473e3831c57000b1fdb8fc45d4efd9a9587d0c641a82e3e30b7cf3749e23e9d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c32cc7c02eebed7a6335f652221dd85a

SHA1
c9b07ce42868b66473ebcbe81f1fb2688909bec4

SHA256
f19a59c7a5f3cf2a2ed98feb63d39d8f8c72369c03ed350097c5437587d29a3e

SHA512
59b6362c0956723d7012d5200d912ec5fb8924ab797d4f560694b70689ec088bfb42d7a2cc66e6eda005d2dc7def20e295c31649c68c19de86a672a413ebb99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nunen.exe

Filesize
331KB

MD5
d5c2b396bc548f063631ad9a8a3fb956

SHA1
eb9a4cefeececbf5157a6f3105fc6565eb2f9661

SHA256
8c83ea3fe23435a0c3d09151069071796c0035a66e7ab69ec4d38aae2ce15a65

SHA512
a662c7a81793aa7a4d3e174b35db0917de385ccb6aa62625d3f584e3db02b823850b38c29d629ea015a52e806115d797da35501b95b17f6ab13077de330a47f8

Download Submit
\Users\Admin\AppData\Local\Temp\ujpic.exe

Filesize
172KB

MD5
ad4e2d8be58b7134776e8e189e2665f5

SHA1
cd0e97807d49a9e9b0b5893009b8ec8d2cd7862d

SHA256
9f1bd6837ba3df8041886a099feddf83ff82ee597ea3344334197ac538637e80

SHA512
c8c69556ab762a18888ba8386145b99c0625756c8ec33836398ccb7c1a0427a55fd55753143b8f4bd500f04085b3d8f255f5ec0e94c74c23d34d746913b420ff

Download Submit
memory/2252-16-0x0000000002460000-0x00000000024E1000-memory.dmp

Filesize
516KB

Download
memory/2252-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2252-20-0x0000000000CA0000-0x0000000000D21000-memory.dmp

Filesize
516KB

Download
memory/2252-0-0x0000000000CA0000-0x0000000000D21000-memory.dmp

Filesize
516KB

Download
memory/2756-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2756-18-0x0000000000DF0000-0x0000000000E71000-memory.dmp

Filesize
516KB

Download
memory/2756-24-0x0000000000DF0000-0x0000000000E71000-memory.dmp

Filesize
516KB

Download
memory/2756-41-0x0000000000DF0000-0x0000000000E71000-memory.dmp

Filesize
516KB

Download
memory/2756-38-0x0000000003270000-0x0000000003309000-memory.dmp

Filesize
612KB

Download
memory/2956-42-0x00000000011D0000-0x0000000001269000-memory.dmp

Filesize
612KB

Download
memory/2956-43-0x00000000011D0000-0x0000000001269000-memory.dmp

Filesize
612KB

Download
memory/2956-47-0x00000000011D0000-0x0000000001269000-memory.dmp

Filesize
612KB

Download
memory/2956-48-0x00000000011D0000-0x0000000001269000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads