urelas | 3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b

General

Target

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
Size

332KB
MD5

0c532605bd6041f0da53a6a9ade4ccc1
SHA1

b94d3dd6f45d0553004adc2672ce539f4ea8d613
SHA256

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b
SHA512

2019433e7f79bac22372cf967745ee5113a19507a523f48cc896e6ca4a769702f448770e11bef8656a9485038bf41eb72c25b203d1897ebc6a128fa0c72f6d87
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY+:vHW138/iXWlK885rKlGSekcj66ciL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2868 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

nilaq.exegiazf.exe

pid process

2936 nilaq.exe
1900 giazf.exe
Loads dropped DLL 2 IoCs

Processes:

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exenilaq.exe

pid process

2772 3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
2936 nilaq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2868	cmd.exe

pid	process
2936	nilaq.exe
1900	giazf.exe

pid	process
2772	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
2936	nilaq.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exenilaq.execmd.exegiazf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nilaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	giazf.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

giazf.exe

pid	process
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe
1900	giazf.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exenilaq.exe

description	pid	process	target process
PID 2772 wrote to memory of 2936	2772	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	nilaq.exe
PID 2772 wrote to memory of 2936	2772	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	nilaq.exe
PID 2772 wrote to memory of 2936	2772	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	nilaq.exe
PID 2772 wrote to memory of 2936	2772	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	nilaq.exe
PID 2772 wrote to memory of 2868	2772	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	cmd.exe
PID 2772 wrote to memory of 2868	2772	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	cmd.exe
PID 2772 wrote to memory of 2868	2772	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	cmd.exe
PID 2772 wrote to memory of 2868	2772	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	cmd.exe
PID 2936 wrote to memory of 1900	2936	nilaq.exe	giazf.exe
PID 2936 wrote to memory of 1900	2936	nilaq.exe	giazf.exe
PID 2936 wrote to memory of 1900	2936	nilaq.exe	giazf.exe
PID 2936 wrote to memory of 1900	2936	nilaq.exe	giazf.exe

C:\Users\Admin\AppData\Local\Temp\3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
"C:\Users\Admin\AppData\Local\Temp\3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\nilaq.exe
  "C:\Users\Admin\AppData\Local\Temp\nilaq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\giazf.exe
    "C:\Users\Admin\AppData\Local\Temp\giazf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8ce8b29932ebadf525fb715e36148a52

SHA1
6ebcdfc2916987af7c6adabbbe3731614a745f6a

SHA256
4daef5587fdbc87677e9b08a1bc616a354407aa3137606ef19dfd5ca52a28093

SHA512
11dd37baa32ae031ebafb3fa5b694f330b6c614cdfd85b0521bc967a8f37296c761858b33e37b86d5c6c38c7cd9a10c65d6e67fa62bb308e71be352ec7c9b80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e7e42ac66e0b868a1e241bd7ff1b2acb

SHA1
97835b4498c9514fa7e24f8af02801b4e8298012

SHA256
8cc70c94007963076c722b387503120ab0d8757454e8f916d18087dd39b6ac52

SHA512
3e8846e57bb609f26099107f3143db1bc4f638ecb34fe4a7402b17e26dd69b6bdd87680f2a97496260c5f5ab02a7a475cf585ea853d6889825994903ab2a9476

Download Submit
\Users\Admin\AppData\Local\Temp\giazf.exe

Filesize
172KB

MD5
097076272d3bd2175fb81aac5e47fc8c

SHA1
156554f3ca28cb1c0bd02080a13df472b34931a4

SHA256
77011a968f5c7ee5c47f07e31499cba7e3a452c04dd63705ca07bdd01e18b4c6

SHA512
2a4e7d94e322854752faa05ebe783d8a739c066227384d086e28f1cb67eb0e2d62c629d86c9107ceaa16d97922207d97c10f3a996064366f545648d3b593370d

Download Submit
\Users\Admin\AppData\Local\Temp\nilaq.exe

Filesize
332KB

MD5
3e8ac6111eabb9c0cbb732ce4c3d32de

SHA1
c6047eac1efed8253b5322faf501170b65b834a6

SHA256
6c05262ee443ecf3f82027e1d016581c70d1cdf78921ac593cace8cbb753c054

SHA512
40663edbcf8c9e692f9baae518f9e252c7868e66d2448a61028f863e17a89eb8f56e7f2182aa8b80408379a921e593d3707929feb6baccd33cb7ddc18e2b1bc8

Download Submit
memory/1900-42-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/1900-51-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/1900-50-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/1900-49-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/1900-48-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/1900-47-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/1900-43-0x00000000008F0000-0x0000000000989000-memory.dmp

Filesize
612KB

Download
memory/2772-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2772-20-0x0000000000370000-0x00000000003F1000-memory.dmp

Filesize
516KB

Download
memory/2772-7-0x0000000001F20000-0x0000000001FA1000-memory.dmp

Filesize
516KB

Download
memory/2772-0-0x0000000000370000-0x00000000003F1000-memory.dmp

Filesize
516KB

Download
memory/2936-23-0x00000000010F0000-0x0000000001171000-memory.dmp

Filesize
516KB

Download
memory/2936-41-0x00000000010F0000-0x0000000001171000-memory.dmp

Filesize
516KB

Download
memory/2936-37-0x00000000033B0000-0x0000000003449000-memory.dmp

Filesize
612KB

Download
memory/2936-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2936-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2936-11-0x00000000010F0000-0x0000000001171000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads