urelas | 99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a

General

Target

99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe
Size

620KB
MD5

65d35b2b7a3f133701ff00a1e76afb42
SHA1

ec13f2169dcdfbb314a5310ae662b3581e725ad9
SHA256

99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a
SHA512

3de79931df7ce7837ee94333eba2ac58dac762c8dc5b9a04260a829178580c7213a57017a6a1d8fcb2f338db4337d1d6a6ee13bbedaf8d0111a48008ec34cadc
SSDEEP

6144:imbmLppYOuakYGWV5Q4XMxvQ4x1OpGcm9VQl0lM/oJ4/gupXWyKvt:ima6idv8zzkGHVqoq/gKW9

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2832	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

pyofi.exesuofj.exe

pid	Process
2756	pyofi.exe
2324	suofj.exe

Loads dropped DLL 3 IoCs

Processes:

99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exepyofi.exe

pid	Process
2652	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe
2652	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe
2756	pyofi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exepyofi.execmd.exesuofj.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	suofj.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

suofj.exe

pid	Process
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe
2324	suofj.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exepyofi.exe

description	pid	Process	procid_target
PID 2652 wrote to memory of 2756	2652	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe	30
PID 2652 wrote to memory of 2756	2652	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe	30
PID 2652 wrote to memory of 2756	2652	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe	30
PID 2652 wrote to memory of 2756	2652	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe	30
PID 2652 wrote to memory of 2832	2652	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe	31
PID 2652 wrote to memory of 2832	2652	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe	31
PID 2652 wrote to memory of 2832	2652	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe	31
PID 2652 wrote to memory of 2832	2652	99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe	31
PID 2756 wrote to memory of 2324	2756	pyofi.exe	33
PID 2756 wrote to memory of 2324	2756	pyofi.exe	33
PID 2756 wrote to memory of 2324	2756	pyofi.exe	33
PID 2756 wrote to memory of 2324	2756	pyofi.exe	33

C:\Users\Admin\AppData\Local\Temp\99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe
"C:\Users\Admin\AppData\Local\Temp\99707ea09d06eb7f68d3d95581157bdf76b97e890f9f514932ed1622c1df760a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\pyofi.exe
  "C:\Users\Admin\AppData\Local\Temp\pyofi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\suofj.exe
    "C:\Users\Admin\AppData\Local\Temp\suofj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
856bbb6c21940c7bf810249bb185b531

SHA1
8fa05569b483d0840d96d9cb299c1ba567943bd4

SHA256
dece50b9d42a904b715f2a4a76cc93cd97ec16070be9ce1777c220bc391e38f1

SHA512
64ebd86b032913eea99c4e9ad98c4a835a4d3ef5724904cb742eb070b34e669b741ab26a377433aaaa5989236c2c0ab3e48682655b778c9ab5b3036d3275bf84

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5fe4e643ba88f7aa8aeaccd5a7b4b8cf

SHA1
eab95410ed8a43a3e91c8026cbb3e7b2d0285ee1

SHA256
890c1a5514f7c83c41702649f70be3048138f8bcf7d5444f380d3cfaf1137c45

SHA512
dc1cd278b4c6b3e8a52720e91f9f1ad26b56b1103061f730785469589fa364b7ed5e18a395a43373a39f9f6e42333b48cdc7cb40875b7d1335f03c4a52a4881c

Download Submit
C:\Users\Admin\AppData\Local\Temp\suofj.exe

Filesize
203KB

MD5
538b65d30addea50dcc478536732fe2f

SHA1
e1c783be536d64acf3fbd3d2f0a56eb36767cd85

SHA256
35067128b875bb12f1ea78ab8be393bb782f3ad961f1da6847b27bfdb05ec560

SHA512
4532e302bb3ad2a7f1ef78f4f3ada9717826e548fb947690fcdd01be7955c6acc8ec590e50a6e8e7f3ed675bc8631993aa8265755d1a4c86196f3fe175a245dc

Download Submit
\Users\Admin\AppData\Local\Temp\pyofi.exe

Filesize
620KB

MD5
cfa10e945703259faa48717e8172aa2c

SHA1
a16b014fc92c7c0bd39d37e094ee06b2891a9703

SHA256
31907a92ba5fac8f0d71d00cb0e301c1ec6a8844b180984db2f82182cd867a8b

SHA512
49473fa72fc692c5252056c6c74d1a2f14ec08353134590ed98d887e7bd53d1265614712dc0676c276adfb941baf8191edd4de36e1f9fa32cc59c5ba97314077

Download Submit
memory/2324-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2324-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2324-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2324-37-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2652-21-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2652-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2652-12-0x0000000002B80000-0x0000000002C1B000-memory.dmp

Filesize
620KB

Download
memory/2756-13-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2756-24-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2756-31-0x0000000003DF0000-0x0000000003E8F000-memory.dmp

Filesize
636KB

Download
memory/2756-30-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads