urelas | 8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16

General

Target

8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe
Size

334KB
MD5

0a08b52fa7d91e9475ef6f51e3485897
SHA1

5ee172a5004107e4c9e799512916c2cede15946c
SHA256

8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16
SHA512

2a75e92ee8e3f559e6a2c727746dc80a5227f4043d6881cc42151b39c34cb1090229c4ae0286a8ce7350e54c681f94589f5a6a8faea6afa88773d1d725eb6a01
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYw+:vHW138/iXWlK885rKlGSekcj66ciV+

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1752	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1128	kevyh.exe
1868	ucpud.exe

Loads dropped DLL 2 IoCs

pid	Process
2248	8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe
1128	kevyh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kevyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ucpud.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe
1868	ucpud.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1128	2248	8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe	30
PID 2248 wrote to memory of 1128	2248	8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe	30
PID 2248 wrote to memory of 1128	2248	8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe	30
PID 2248 wrote to memory of 1128	2248	8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe	30
PID 2248 wrote to memory of 1752	2248	8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe	31
PID 2248 wrote to memory of 1752	2248	8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe	31
PID 2248 wrote to memory of 1752	2248	8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe	31
PID 2248 wrote to memory of 1752	2248	8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe	31
PID 1128 wrote to memory of 1868	1128	kevyh.exe	34
PID 1128 wrote to memory of 1868	1128	kevyh.exe	34
PID 1128 wrote to memory of 1868	1128	kevyh.exe	34
PID 1128 wrote to memory of 1868	1128	kevyh.exe	34

C:\Users\Admin\AppData\Local\Temp\8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe
"C:\Users\Admin\AppData\Local\Temp\8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\kevyh.exe
  "C:\Users\Admin\AppData\Local\Temp\kevyh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\ucpud.exe
    "C:\Users\Admin\AppData\Local\Temp\ucpud.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
6f7b7a8f89495df2f21696848c2956f4

SHA1
53ce0ee385cf843e8b0f8749cdaaeb1e8212f13d

SHA256
4f60af66e78d9e66006a323ea6947ea15c1d6e9b6161c5c4528eadd6e0164603

SHA512
64cde6f881bf6a0a726be814a678eb08f1e84548b77356fb4fcc8a53fafa74754275e8e630342f9c5b0abaa7fd7d8bb37c05353d59c33b8e83d8909280f48e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
296c82ea872cea9b9a4ffd8100d37cb7

SHA1
c43675453831cf35f7832cb8d8abaa4d64cff896

SHA256
d9ddb116d12c3d465ed6c465376916ae8031a500a88783d45f6ed9141a750d91

SHA512
3f1c38d37361c4ca6dde78b8ee67860aa2309aca35568571e7a87e32ddc0484caf1ecd450a2ef05af574c1a96e946aeebbddf3cc6d4ffd2ebf76a049e1de0326

Download Submit
C:\Users\Admin\AppData\Local\Temp\kevyh.exe

Filesize
334KB

MD5
cf6390d430522e893e69dd2f9e2bb9f0

SHA1
f80565a64786117290ff01135801d7d2cbabd2b6

SHA256
ae7f6e113c2cd6b1f8c1ce12fefce6cd1bfaef1ea70dd9c6ca085a4cd0a024e6

SHA512
5330c2f5bc5456cd9b8670d1e9d654d6863f03fdd5726be9eb2e90de9efbf36ac01f12ccf7494493756e36454cc774108546f303373ebea311db4ee43bc07fe6

Download Submit
\Users\Admin\AppData\Local\Temp\ucpud.exe

Filesize
172KB

MD5
63c81f683f97388daff09cf29c6ab118

SHA1
3a7fdda81a743ba9d27382700224e79f3c22b451

SHA256
1974cebb6ca32ca21b8a38827ffedeab0236fd86be2dddf9800147a79a6fb838

SHA512
c55be266c55b9a9c2975a80943e05359a7627a7b79101a74e411621d81b7d70a262f8fe569d03b3ce7137a6ca74244dce111d28d5a36e92febed6d6ae81bcea9

Download Submit
memory/1128-38-0x0000000003C50000-0x0000000003CE9000-memory.dmp

Filesize
612KB

Download
memory/1128-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1128-18-0x0000000000B70000-0x0000000000BF1000-memory.dmp

Filesize
516KB

Download
memory/1128-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1128-24-0x0000000000B70000-0x0000000000BF1000-memory.dmp

Filesize
516KB

Download
memory/1128-42-0x0000000000B70000-0x0000000000BF1000-memory.dmp

Filesize
516KB

Download
memory/1868-43-0x0000000000940000-0x00000000009D9000-memory.dmp

Filesize
612KB

Download
memory/1868-47-0x0000000000940000-0x00000000009D9000-memory.dmp

Filesize
612KB

Download
memory/1868-48-0x0000000000940000-0x00000000009D9000-memory.dmp

Filesize
612KB

Download
memory/2248-16-0x0000000002A10000-0x0000000002A91000-memory.dmp

Filesize
516KB

Download
memory/2248-21-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download
memory/2248-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2248-0-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing