urelas | 9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb

General

Target

9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe
Size

331KB
MD5

7eee5a9c09ab106a678b4e266607e694
SHA1

7a4f8588d6089f4b8e25582bc11dfa9e1302df84
SHA256

9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb
SHA512

4ecb3d5966d401af3b4969563e8ccf3157c63b56a48b829d70eded05e7f1aee8a13241393363f6f62a73daa868a2e864dce2ca95b85190ba19ca59de1c9e5f9f
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVRJ:vHW138/iXWlK885rKlGSekcj66ciERJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2340	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2208	iftia.exe
2976	kiwus.exe

Loads dropped DLL 2 IoCs

pid	Process
2432	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe
2208	iftia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iftia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiwus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe
2976	kiwus.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2208	2432	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	30
PID 2432 wrote to memory of 2208	2432	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	30
PID 2432 wrote to memory of 2208	2432	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	30
PID 2432 wrote to memory of 2208	2432	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	30
PID 2432 wrote to memory of 2340	2432	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	31
PID 2432 wrote to memory of 2340	2432	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	31
PID 2432 wrote to memory of 2340	2432	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	31
PID 2432 wrote to memory of 2340	2432	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	31
PID 2208 wrote to memory of 2976	2208	iftia.exe	34
PID 2208 wrote to memory of 2976	2208	iftia.exe	34
PID 2208 wrote to memory of 2976	2208	iftia.exe	34
PID 2208 wrote to memory of 2976	2208	iftia.exe	34

C:\Users\Admin\AppData\Local\Temp\9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe
"C:\Users\Admin\AppData\Local\Temp\9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\iftia.exe
  "C:\Users\Admin\AppData\Local\Temp\iftia.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\kiwus.exe
    "C:\Users\Admin\AppData\Local\Temp\kiwus.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
6357433b9e289fbeedec0c4e4ea64826

SHA1
b1e70d0a33000976fee37bd86ec4b4941fe0e670

SHA256
26310e4f8e01c3574aee93d0394314e49692bb70bfc4562d80d09b66adb46428

SHA512
af021ae4d737d676154f27f5478f91afe8e29993abb71f4b82d2c04a62e4388323c5ed3bd6737f696f691828c587be114cda834375db1475e79e10a0e55b0ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4072ee55660b9a73d468cb98b6a6fe44

SHA1
24503ca4b5ecbac697f7844ca6381201c6f6c4d0

SHA256
12212e6738f6a7cc342bd28315a976dacf63816132b00f18fe0b7da6e7bf0007

SHA512
93fe5bd21c2cc129ffa6aa7588857fe8a4108bef9344968b7e1ed73779d97eab6f6ba47730f6db8638527b18af1b66d3af9989fd65b160a3299a1196d182ebd7

Download Submit
\Users\Admin\AppData\Local\Temp\iftia.exe

Filesize
331KB

MD5
4e0c5c475faabd458cd71c0ffc94620e

SHA1
707d5dae2856b9d302732601241c6b2da583a45e

SHA256
5ee1b3b6af5f22e2761f973a5f6575f9129d89a69d56d95d389bdb69b9c5351a

SHA512
b3fe5a9e56bc4503a8126a406602ea9660d9be934cf8b317785576319c2d274124b5b68b32ed34f8be172774e333618f89c79d8d4d254c865024ada2c91c118d

Download Submit
\Users\Admin\AppData\Local\Temp\kiwus.exe

Filesize
172KB

MD5
aeeb3eaedde6f26004d5cbab0cc82785

SHA1
9b1401f11224791a731c9e2a8ef3e7306230a4e9

SHA256
63f22389383b3065469710c55e06b93c73bf8cb89a9ec7a9bde1461b082f5f5a

SHA512
44f8d98b0bdecfe6f23258e3123755ba8cba3bd2d5d374bae706a6cbdfd111fe7e162620156d82c03ae30831d62e8333f1ac709d419810cd7bdbbd5289a95685

Download Submit
memory/2208-12-0x00000000002A0000-0x0000000000321000-memory.dmp

Filesize
516KB

Download
memory/2208-25-0x00000000002A0000-0x0000000000321000-memory.dmp

Filesize
516KB

Download
memory/2208-42-0x00000000002A0000-0x0000000000321000-memory.dmp

Filesize
516KB

Download
memory/2208-38-0x0000000003C70000-0x0000000003D09000-memory.dmp

Filesize
612KB

Download
memory/2208-13-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2208-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2432-0-0x0000000000C10000-0x0000000000C91000-memory.dmp

Filesize
516KB

Download
memory/2432-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2432-21-0x0000000000C10000-0x0000000000C91000-memory.dmp

Filesize
516KB

Download
memory/2432-9-0x00000000021A0000-0x0000000002221000-memory.dmp

Filesize
516KB

Download
memory/2976-43-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/2976-44-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/2976-48-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/2976-49-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing