urelas | db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad

General

Target

db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe
Size

454KB
MD5

d6860d113a4a3b7003723e279716d096
SHA1

bf76074e27517e5bddbbb391966fcb7071ae3a31
SHA256

db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad
SHA512

12534ba3a0a89b1eb472f3f9796eada1e5f96f78715992ac52720ee8dbe084e1a04220f8bbf64fdfebaf1f2117559abdc79623d8b69214b279106c8acbbc2b47
SSDEEP

12288:AyPHijVSuJqu4kwaeDPvjJ81VGqK6GvPH:AuCTq4waor+Gn/

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2984	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	ulvyw.exe

Loads dropped DLL 5 IoCs

pid	Process
2524	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
572	2864	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ulvyw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2864	2524	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe	30
PID 2524 wrote to memory of 2864	2524	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe	30
PID 2524 wrote to memory of 2864	2524	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe	30
PID 2524 wrote to memory of 2864	2524	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe	30
PID 2524 wrote to memory of 2984	2524	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe	31
PID 2524 wrote to memory of 2984	2524	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe	31
PID 2524 wrote to memory of 2984	2524	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe	31
PID 2524 wrote to memory of 2984	2524	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe	31
PID 2864 wrote to memory of 572	2864	ulvyw.exe	33
PID 2864 wrote to memory of 572	2864	ulvyw.exe	33
PID 2864 wrote to memory of 572	2864	ulvyw.exe	33
PID 2864 wrote to memory of 572	2864	ulvyw.exe	33

C:\Users\Admin\AppData\Local\Temp\db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe
"C:\Users\Admin\AppData\Local\Temp\db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\ulvyw.exe
  "C:\Users\Admin\AppData\Local\Temp\ulvyw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 408
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
feebfe82e696ded0be5371b0de50ae5d

SHA1
accd7bd58be76a84f0dcf40e4a73b76447737fc3

SHA256
9b7c23be8f194a1365a53e130a1ea8d009fafc1b2badfc7436339438a6233f26

SHA512
2a6d5ff92856eceace47fa02cb658359cba61517e93c1f1466cfb82d236396f08ca3d11e224bcb0405c6ae625cdb82a81eb0772254dc2124c2ecc76ef5192062

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
486de9d4f6f6760ae069661a5358a6fe

SHA1
f2263b23926f075e06493be81a18d0743a266e89

SHA256
e23c97d82b5e78c19b7390c2cb7d925579931085a4d372bfb40c95c3108a59b7

SHA512
e51371bbbb026a96a2aa8efd88f7b44297610669788deee810f36dbbe6f62454ad906251f4a5e08e1b971cd3e4a7aa4a0460a11e0cb9ffe6d98139cae8a28926

Download Submit
C:\Users\Admin\AppData\Local\Temp\ulvyw.exe

Filesize
454KB

MD5
376ab3a5291351c968e311f5260e1f75

SHA1
1ba048fcae6837db3dc12d61c7244d757fdb8d6e

SHA256
6868a8f3822ed10773a1ec66dcae35967656fbdad622c941f6df3add7b016b87

SHA512
51da989ba14cf6b3634c0f7a8d01d77b8a3d42f91b7eb0508f843a8a69c2fbc4f7048d9a2c8d2c82861e7e1567594ca24ad5abe17351efa34ce09acb251b872f

Download Submit
memory/2524-0-0x0000000000A90000-0x0000000000AC9000-memory.dmp

Filesize
228KB

Download
memory/2524-6-0x0000000000620000-0x0000000000659000-memory.dmp

Filesize
228KB

Download
memory/2524-17-0x0000000000A90000-0x0000000000AC9000-memory.dmp

Filesize
228KB

Download
memory/2864-20-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2864-26-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing