urelas | 52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924

General

Target

52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe
Size

332KB
MD5

277aade9d81f39ce3777ed79d5ab10c5
SHA1

fda2240f20e5330f62fce7998aab8d6410375a10
SHA256

52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924
SHA512

33053db3052de5a88c24bec07445f6152964f02b7aec97f9515717e64ea8e1f444bac71ef71a5bc00d77ca29b951f855a0b73c1e71007f4ef8e4e141dfe01694
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVVB:vHW138/iXWlK885rKlGSekcj66ciEVB

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
3052	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1652	roybn.exe
1104	domuv.exe

Loads dropped DLL 2 IoCs

pid	Process
2404	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe
1652	roybn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	roybn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	domuv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe
1104	domuv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1652	2404	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe	28
PID 2404 wrote to memory of 1652	2404	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe	28
PID 2404 wrote to memory of 1652	2404	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe	28
PID 2404 wrote to memory of 1652	2404	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe	28
PID 2404 wrote to memory of 3052	2404	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe	29
PID 2404 wrote to memory of 3052	2404	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe	29
PID 2404 wrote to memory of 3052	2404	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe	29
PID 2404 wrote to memory of 3052	2404	52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe	29
PID 1652 wrote to memory of 1104	1652	roybn.exe	33
PID 1652 wrote to memory of 1104	1652	roybn.exe	33
PID 1652 wrote to memory of 1104	1652	roybn.exe	33
PID 1652 wrote to memory of 1104	1652	roybn.exe	33

C:\Users\Admin\AppData\Local\Temp\52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe
"C:\Users\Admin\AppData\Local\Temp\52fe8a677c8c2ac2b8978628929e0be6e87f430d16f4e48c75033af005f92924.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\roybn.exe
  "C:\Users\Admin\AppData\Local\Temp\roybn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\domuv.exe
    "C:\Users\Admin\AppData\Local\Temp\domuv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2ab15d5cc5f585cb6ad64ce0d483f6b3

SHA1
5d1c13465ffa45cea4995cff18b5e4c97a1e94d6

SHA256
5927e7573fae77e1aa2880741531bfff9aec813423cf01a7e62101bb328a4aa1

SHA512
4cf361e7c48b644d8cd4849627ad0e154355a036daf7b8ad3abc4e586823f913868e65de37a1a4232b1f7b486ecdb44d11f0b9b804af58d44a4668d025bb4f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d799900454483e73625888a83c10ab0a

SHA1
50af20eb56cca92bc9103659f21c1acf76259858

SHA256
9cb0554db00339571138bfd897c27f00fbfeefc25f793d738fda2bfdcf1a5fed

SHA512
3cf54e381c98e302e003d4efd3099a02decd081ac8ca4db5d60a5b626e0da83acb8b19f9141c79bbfa810486676690aa7fe9dae64313fd9feb440a5c029b54b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\roybn.exe

Filesize
332KB

MD5
59e6882df58176029d88fb7d38b66d1b

SHA1
14631aa630f907288b0569479f07101a7abf9137

SHA256
3167920f68841931e1af450333073bdc1a16eb142a599ce02855e287dc31eb60

SHA512
2297fa986aa3251fb9482490f91501bda38c1725c9d03ae7cb5f61fb0baf789e7dbad1c97f2942d50ba30623673c4124ffb060ef64c493d7b4c09edddf68e2b0

Download Submit
\Users\Admin\AppData\Local\Temp\domuv.exe

Filesize
172KB

MD5
d3b02084e51d2cd10bb4c79162571738

SHA1
a1bf5154889a7cd54c80ca2e5db5c2ee1ec7ff7c

SHA256
93dfeaa1dd9837708f9ba0746426b9d2b68fd59924237ff478d03dfce2e2f16c

SHA512
469ecfde26c2c5997c0c0790deb58af1de3ef38e67523794acbd7cda6e85489e04b48d3f5f6f273f1d3968f16b85bf4174a6fb9f97cac1fa1e127784ce1cce34

Download Submit
memory/1104-48-0x0000000000EA0000-0x0000000000F39000-memory.dmp

Filesize
612KB

Download
memory/1104-47-0x0000000000EA0000-0x0000000000F39000-memory.dmp

Filesize
612KB

Download
memory/1104-42-0x0000000000EA0000-0x0000000000F39000-memory.dmp

Filesize
612KB

Download
memory/1104-43-0x0000000000EA0000-0x0000000000F39000-memory.dmp

Filesize
612KB

Download
memory/1652-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1652-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1652-23-0x0000000000910000-0x0000000000991000-memory.dmp

Filesize
516KB

Download
memory/1652-41-0x0000000003300000-0x0000000003399000-memory.dmp

Filesize
612KB

Download
memory/1652-40-0x0000000000910000-0x0000000000991000-memory.dmp

Filesize
516KB

Download
memory/2404-20-0x0000000000090000-0x0000000000111000-memory.dmp

Filesize
516KB

Download
memory/2404-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2404-7-0x0000000002A60000-0x0000000002AE1000-memory.dmp

Filesize
516KB

Download
memory/2404-0-0x0000000000090000-0x0000000000111000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing