urelas | 3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124

General

Target

3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe
Size

537KB
MD5

b20e55b1dcce2bfa5356a84bcd9da7d9
SHA1

79e4dffeb55d8c3818ad3b8ce3c1048f9baf92ee
SHA256

3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124
SHA512

dc7ac12b0c4df4d4d0d31875fce8c4e2fec5ede05cf8ffa26a2bae6e8983ccde39550535c8d9f06b0130994de5ebe96fc66a0a5d71075c2318aab92e3eb29480
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPg:q0P/k4lb2wKatg

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
264	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1076	gocih.exe
2156	toneu.exe

Loads dropped DLL 2 IoCs

pid	Process
2528	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe
1076	gocih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gocih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toneu.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe
2156	toneu.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1076	2528	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	30
PID 2528 wrote to memory of 1076	2528	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	30
PID 2528 wrote to memory of 1076	2528	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	30
PID 2528 wrote to memory of 1076	2528	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	30
PID 2528 wrote to memory of 264	2528	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	31
PID 2528 wrote to memory of 264	2528	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	31
PID 2528 wrote to memory of 264	2528	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	31
PID 2528 wrote to memory of 264	2528	3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe	31
PID 1076 wrote to memory of 2156	1076	gocih.exe	34
PID 1076 wrote to memory of 2156	1076	gocih.exe	34
PID 1076 wrote to memory of 2156	1076	gocih.exe	34
PID 1076 wrote to memory of 2156	1076	gocih.exe	34

C:\Users\Admin\AppData\Local\Temp\3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe
"C:\Users\Admin\AppData\Local\Temp\3c1195d085a9ac66a0f1ddaa1e832855c5a45f5db35ea1953d6bd3b48dc46124.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\gocih.exe
  "C:\Users\Admin\AppData\Local\Temp\gocih.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\toneu.exe
    "C:\Users\Admin\AppData\Local\Temp\toneu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
50246892b31984ab4015a5076fcaca9a

SHA1
882bda725f7c0a959de66d3ba722344dc5aa2814

SHA256
2c8d08bfb822716eb5c40d51356621af10b57d043c97a87a93b06f27ef047651

SHA512
1697fcc1bd015d7bdbbde0230248ecd465f16acf8ea7143465f6ea326b558e1797a7e28132f374f58b360757fca57659e7f4481c926b199f712c6579442533a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gocih.exe

Filesize
537KB

MD5
6a441acba2b38ae3d6983b4335efd7f8

SHA1
c1f02feb4bff09c8b9865940984356a95a984a77

SHA256
fb45290955d6ec0a749e88aab2fde6cd60980ba7f7bed3f65d60a3e4fdac4465

SHA512
07a5e3b8df85644d4d242dbac5cd3fd7ddd7e219ada29f440d5c11a0964638a8f9a81cab13fd6a054006ed387d9231783042723d13cf4cca1191d2c9ab023ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b5e0fc63346162e12a63337a36ae098b

SHA1
bc39ea2f4ab8d1d98a671dfdbd3a68b7a29a1f38

SHA256
21e5ee08ed2d73be599f12fab8493b5cf25838ddcf522e2109b9183223570843

SHA512
227bcccf954a5df670f9c0daeca27c2e38d42b9b2087f8744d3c4eb9ad681344343eec38c25adac2be8bca637dcb1275b0d31c2758a138b172b1c8551f885ea0

Download Submit
\Users\Admin\AppData\Local\Temp\toneu.exe

Filesize
236KB

MD5
21d235b16af39ee147fa830f61949717

SHA1
0c197b462e92ddd457c91ab7009631f75dd03450

SHA256
d32adf36eae76eb0740b6749a081d0d11a1083234ffe2193cf3cbabf0279ac40

SHA512
ea1b00fe380172a9d66775076e34c24d0d133a3aeb765e0cb56fab0fc11cbfa68de7819dcb08210f73a544d532e78c375a2dc0fe9a25847e85a1a915a255b4a1

Download Submit
memory/1076-11-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1076-21-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1076-29-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1076-27-0x0000000003A60000-0x0000000003B03000-memory.dmp

Filesize
652KB

Download
memory/2156-30-0x0000000000050000-0x00000000000F3000-memory.dmp

Filesize
652KB

Download
memory/2156-32-0x0000000000050000-0x00000000000F3000-memory.dmp

Filesize
652KB

Download
memory/2156-33-0x0000000000050000-0x00000000000F3000-memory.dmp

Filesize
652KB

Download
memory/2528-10-0x0000000002720000-0x00000000027AC000-memory.dmp

Filesize
560KB

Download
memory/2528-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2528-18-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing