urelas | 177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9

General

Target

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
Size

553KB
MD5

d6c7c30a81e11dc1c86a310a1ae80961
SHA1

7c363777198b30a0f8e90df768f51396eb3d78a1
SHA256

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9
SHA512

d85a4cef7b216f99e0da92b8b147659ec18e3e5ae17dcb4014aca1d599464e44bc0ca7d78bc2ac3f7f345e2270416f7a35693aa325df50690275924b2f7b2caf
SSDEEP

12288:++GtVfjTQSaoINAHT1VQ1i3SyQEW85gzlee:+rt4/NArwjs5olB

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
288	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

noezv.exetycog.exe

pid	Process
2172	noezv.exe
1268	tycog.exe

Loads dropped DLL 2 IoCs

Processes:

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exenoezv.exe

pid	Process
2232	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
2172	noezv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

noezv.execmd.exe177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	noezv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exenoezv.exe

description	pid	Process	procid_target
PID 2232 wrote to memory of 2172	2232	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	31
PID 2232 wrote to memory of 2172	2232	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	31
PID 2232 wrote to memory of 2172	2232	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	31
PID 2232 wrote to memory of 2172	2232	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	31
PID 2232 wrote to memory of 288	2232	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	32
PID 2232 wrote to memory of 288	2232	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	32
PID 2232 wrote to memory of 288	2232	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	32
PID 2232 wrote to memory of 288	2232	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	32
PID 2172 wrote to memory of 1268	2172	noezv.exe	34
PID 2172 wrote to memory of 1268	2172	noezv.exe	34
PID 2172 wrote to memory of 1268	2172	noezv.exe	34
PID 2172 wrote to memory of 1268	2172	noezv.exe	34

C:\Users\Admin\AppData\Local\Temp\177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
"C:\Users\Admin\AppData\Local\Temp\177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\noezv.exe
  "C:\Users\Admin\AppData\Local\Temp\noezv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\tycog.exe
    "C:\Users\Admin\AppData\Local\Temp\tycog.exe"
    3⤵
    - Executes dropped EXE
    PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
0f8b90ae5876106b0173d2f6bb3c96c3

SHA1
44ae65b3871372c78bc3a6ac75e146a2e010026b

SHA256
e342bf119c88732bbedd6943e31f01255614c34f20079e5958da30a96e802910

SHA512
ebcc4af2c96e6c919594316d1317e3b2cd471774f030bd645ada4d8a3c6010a36b582df29c4e8b83a39ffd779373ac8411931c77931052ddcfa9e0b5f5bdebf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0e90c1ff896dfd041677305a0444b2c4

SHA1
7f64a3a9e77c9eee9065563b644a5ff9f6ac8069

SHA256
61e3b5db2973e58820ee3a988ebd7117b10d1b959da4faa7bcf91a33d385c28e

SHA512
6b674376ffd46eac79ea46381c29bd4620e66128650b9811e3bbb5f2f47fcacb2e27d3da41ec86c620d8a87cafd95f3c8b4b6f49f638aa6cee259c33f29dd3d6

Download Submit
\Users\Admin\AppData\Local\Temp\noezv.exe

Filesize
553KB

MD5
ceab63af14fc98f20d72f11f876ab342

SHA1
bbc38b6edfabdc891d38d4c8ba5843deb99e9517

SHA256
3f336f18886fd0dd2f163394a0e832135a38cfc1709c1b162ad4075a43a41ca8

SHA512
402b25bda38079fc76d457aecc15cc440512c0dc2c611587d7584bdc43b4889190aa7c8043fe865936e0d509ec576b5b52c7067784953674a680c90c37f08b96

Download Submit
\Users\Admin\AppData\Local\Temp\tycog.exe

Filesize
231KB

MD5
27a1638612c472306e23b9b5b39a78d4

SHA1
172845168fd645fb3df86777b2912f171b285b12

SHA256
961fd505f24ca8dbc13742163ae098c3d2db488a10c61c48b52f1bfc73cc34d6

SHA512
16da2987a6e1ae8b94824ce6b0cddef6e3fe57c4b17133713ec0886a8b2d1b4a422ea975ec7e86aa5a2b86a6355f4f754fa97f4886745ec5cf84a4c2ee8ea6ea

Download Submit
memory/1268-29-0x0000000000C20000-0x0000000000CD3000-memory.dmp

Filesize
716KB

Download
memory/2172-17-0x0000000000070000-0x00000000000FF000-memory.dmp

Filesize
572KB

Download
memory/2172-21-0x0000000000070000-0x00000000000FF000-memory.dmp

Filesize
572KB

Download
memory/2172-27-0x0000000003CF0000-0x0000000003DA3000-memory.dmp

Filesize
716KB

Download
memory/2172-30-0x0000000000070000-0x00000000000FF000-memory.dmp

Filesize
572KB

Download
memory/2232-0-0x00000000012E0000-0x000000000136F000-memory.dmp

Filesize
572KB

Download
memory/2232-15-0x00000000010C0000-0x000000000114F000-memory.dmp

Filesize
572KB

Download
memory/2232-18-0x00000000012E0000-0x000000000136F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads