urelas | 3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731

General

Target

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
Size

537KB
MD5

d8d3f06c0e9aea69858a74a5fec62a7a
SHA1

7a041b1f9fcd3d3fdd32b16c13d3780022c76be6
SHA256

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731
SHA512

58a0794cb708db9dcd08326efdbf09175f906b03229f0bdd3411059d0d0fd057a2a2a0a4e500375fa0a8d21302fcf96726be4565b92af9e5d240a64f6d1ec3e7
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP8:q0P/k4lb2wKat8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1376	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

ezmeh.exejoroz.exe

pid	Process
2196	ezmeh.exe
1216	joroz.exe

Loads dropped DLL 2 IoCs

Processes:

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exeezmeh.exe

pid	Process
2696	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
2196	ezmeh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exejoroz.exe3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exeezmeh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	joroz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ezmeh.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

joroz.exe

pid	Process
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe
1216	joroz.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exeezmeh.exe

description	pid	Process	procid_target
PID 2696 wrote to memory of 2196	2696	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	30
PID 2696 wrote to memory of 2196	2696	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	30
PID 2696 wrote to memory of 2196	2696	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	30
PID 2696 wrote to memory of 2196	2696	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	30
PID 2696 wrote to memory of 1376	2696	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	31
PID 2696 wrote to memory of 1376	2696	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	31
PID 2696 wrote to memory of 1376	2696	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	31
PID 2696 wrote to memory of 1376	2696	3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe	31
PID 2196 wrote to memory of 1216	2196	ezmeh.exe	34
PID 2196 wrote to memory of 1216	2196	ezmeh.exe	34
PID 2196 wrote to memory of 1216	2196	ezmeh.exe	34
PID 2196 wrote to memory of 1216	2196	ezmeh.exe	34

C:\Users\Admin\AppData\Local\Temp\3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe
"C:\Users\Admin\AppData\Local\Temp\3fbb4d3a1baf840f850de1ac1cd1df091f4d0aa90e5dadb76c5fd8a53c401731.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\ezmeh.exe
  "C:\Users\Admin\AppData\Local\Temp\ezmeh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\joroz.exe
    "C:\Users\Admin\AppData\Local\Temp\joroz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3647d5e7ac42a51cbda230969692b578

SHA1
69008a4017886dc9dc03e35e270c0b0a6f0d16c3

SHA256
65d2e40876acecbf4845a8918792e6b3c3ec4902bbac03e4a8b491d5e019eb9e

SHA512
4067b6a4667bf14d2f2f097a334d8c8ce25643df177d835c5b9fea64c020a225319a4402e51e5a6607665eddcbe45538bc8f558b3683d3c7675beb8b6059794f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
24572baf2360e663db7ba8a23c3f04c4

SHA1
f9a6296bfa6df15aa4257887cf08ad2a50ae6d07

SHA256
a842f9818d25257e7420b00e702aa30d3695f7b7ad4ff5ccc02e91a61565ab59

SHA512
91cf8b0a75a4dd89e61451cd0359205de4cfc6a0536dfff7cf8e925f1f737c16222924e8c5e46e376899bc66312413fdc14f68b66fbd67e3c3e3e7b68482e036

Download Submit
\Users\Admin\AppData\Local\Temp\ezmeh.exe

Filesize
537KB

MD5
07905ff3b9147b703c55c24669b14eea

SHA1
b36b8f9a0897ffc17a7b2c9e19073d5a3260edc1

SHA256
74bac01b9b18b75e67583b73f3174f7e5748346355d890f35fe1fa791d7b40c7

SHA512
b759413b40017abcec4582b827328e6ee6c03db65a1cc4b10fb17bcffaee7878480fd857f15016384c54dc53098268ec2e50b5f3f9779de844fdce81e2a408df

Download Submit
\Users\Admin\AppData\Local\Temp\joroz.exe

Filesize
236KB

MD5
58d1b7c97a056f58d0ba85b1981ccecc

SHA1
5e9eb69877247586cdb0660fb30544a6616c9d1d

SHA256
625f7303b12a210baecee4d059740e377b57c41de84785d0645abab2cd398a38

SHA512
39978fcf5c6861b9f5dd18d94f8d92ac92f576da20a710f9ae10d252a9e4586cd3c4cefe930207f404652565933a82e152b968758b60bd7dcd18e16ad29499a6

Download Submit
memory/1216-33-0x0000000000CE0000-0x0000000000D83000-memory.dmp

Filesize
652KB

Download
memory/1216-32-0x0000000000CE0000-0x0000000000D83000-memory.dmp

Filesize
652KB

Download
memory/1216-30-0x0000000000CE0000-0x0000000000D83000-memory.dmp

Filesize
652KB

Download
memory/2196-25-0x0000000003280000-0x0000000003323000-memory.dmp

Filesize
652KB

Download
memory/2196-21-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2196-29-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2196-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2696-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2696-18-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2696-15-0x0000000002750000-0x00000000027DC000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads