urelas | 22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429

General

Target

22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe
Size

621KB
MD5

f61a413e1e72f6b12bafe0daf6a43065
SHA1

749c7a8634e4e761c6a25beb5e9d1708e115adc4
SHA256

22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429
SHA512

41ea3f80938116195484ca47c98d1682541a9e1b9e9461163f5533c5f0f1ac39c913f24e7cdefb24197a90c084f3b539bf48c1a1eb92a5d86eb1db2ef0fa6934
SSDEEP

6144:imbmLppYOuakYGWV5Q4XMxvQ4x1OpGcm9VQl0lM/oJ4/gupXWyKV:ima6idv8zzkGHVqoq/gKWd

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2420	nunyv.exe
1808	pyilx.exe

Loads dropped DLL 3 IoCs

pid	Process
2052	22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe
2052	22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe
2420	nunyv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nunyv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyilx.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe
1808	pyilx.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2420	2052	22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe	28
PID 2052 wrote to memory of 2420	2052	22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe	28
PID 2052 wrote to memory of 2420	2052	22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe	28
PID 2052 wrote to memory of 2420	2052	22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe	28
PID 2052 wrote to memory of 2968	2052	22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe	29
PID 2052 wrote to memory of 2968	2052	22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe	29
PID 2052 wrote to memory of 2968	2052	22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe	29
PID 2052 wrote to memory of 2968	2052	22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe	29
PID 2420 wrote to memory of 1808	2420	nunyv.exe	33
PID 2420 wrote to memory of 1808	2420	nunyv.exe	33
PID 2420 wrote to memory of 1808	2420	nunyv.exe	33
PID 2420 wrote to memory of 1808	2420	nunyv.exe	33

C:\Users\Admin\AppData\Local\Temp\22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe
"C:\Users\Admin\AppData\Local\Temp\22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\nunyv.exe
  "C:\Users\Admin\AppData\Local\Temp\nunyv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\pyilx.exe
    "C:\Users\Admin\AppData\Local\Temp\pyilx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8662a4449569921841277a35ecde317c

SHA1
ea04f931bfc5ab82a8c86b9d1115d76864ee12eb

SHA256
e305d985eecbd3c8ab73df8f335a32ef2c062af04264e5696df308846fe5e78d

SHA512
ccb56f421bc6231835e0a95a18b2fd18f5d78250d44a35312e85d379a7dafc61d47622a414f3e1f716890a77a777bc04eab36a4f445312db1ba190b0f08eabe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d5c1757b5a79eb94f81551ed58db98f2

SHA1
0e2d7e517d54506ca3b5ed2c664aba7cdcb14356

SHA256
f07d874d3f0d3007a782e14a3654e936416d9d529c85c27b92faeb63b01b2dc7

SHA512
97fccf96c43a41dc8f4947883940af25e2a8aaf98c974ef78e0cda821c12dcef6aae3795ae571b92ccb94659df16676ee2946869278e428b4ec8bc784fd0f021

Download Submit
C:\Users\Admin\AppData\Local\Temp\nunyv.exe

Filesize
621KB

MD5
2d42a17c21b45b0fb35e3dc229ea18ea

SHA1
6d9791289960ca9aaaec15ad210514d76ee6daf4

SHA256
3177d4163a98fb0433ee2c59af83e5e1a50475b973a804c41199d4951a429a61

SHA512
f2728b45d627c62bec8978e14549ebe7e7db6ec73a38a3587c43755f17b215bcef6cb95386793e027a451acd902728be8d5438bc0ef3688757284c59e4613c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyilx.exe

Filesize
203KB

MD5
94487f2b3078dfc75fb8ad340739897a

SHA1
0ddbc6616ee01215218815e735274731dee7f6e1

SHA256
21ca299d727e47923977860cdcbbc7dd4dae73db67ab32966d33b18b3dd7df0b

SHA512
1c14c14f988d5c40e1999412b783a91bd736f328477f7aa8d91098a4ee86b29a17cb7d4d2b80a5f4ebbe03b1b7ac522e6dd5824dd3d8b1b97b235748d8cc5d86

Download Submit
memory/1808-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1808-34-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1808-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1808-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2052-11-0x0000000002910000-0x00000000029AB000-memory.dmp

Filesize
620KB

Download
memory/2052-21-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2052-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2420-14-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2420-24-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2420-31-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing