urelas | e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689

General

Target

e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe
Size

425KB
MD5

efd780ff0685a16488a3e464a7585376
SHA1

b50b621d019b381f3c38911ce046ec4652d9e27e
SHA256

e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689
SHA512

41f7e68639461047f158a27e7abb113724a7d51d4308add6ab9f320d1360aabb4f906fb1544c7c5f8c56379be84130d4ca522b9869ed963a106adf86fc335a60
SSDEEP

6144:NKLOgsgomKLEFESGz0SPpeEPkPDPrzgtRY5RdrHc13FG9ItU6GvPwX:AOgwmisETzuaeDPvjJ81VGqK6GvPc

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2260	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2552	qiesz.exe

Loads dropped DLL 5 IoCs

pid	Process
2388	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1668	2552	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qiesz.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2552	2388	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe	30
PID 2388 wrote to memory of 2552	2388	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe	30
PID 2388 wrote to memory of 2552	2388	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe	30
PID 2388 wrote to memory of 2552	2388	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe	30
PID 2388 wrote to memory of 2260	2388	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe	31
PID 2388 wrote to memory of 2260	2388	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe	31
PID 2388 wrote to memory of 2260	2388	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe	31
PID 2388 wrote to memory of 2260	2388	e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe	31
PID 2552 wrote to memory of 1668	2552	qiesz.exe	34
PID 2552 wrote to memory of 1668	2552	qiesz.exe	34
PID 2552 wrote to memory of 1668	2552	qiesz.exe	34
PID 2552 wrote to memory of 1668	2552	qiesz.exe	34

C:\Users\Admin\AppData\Local\Temp\e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe
"C:\Users\Admin\AppData\Local\Temp\e82b7c5b1c6dd19613e4b602425b3f451a4fc3a00055fe015a7d56857399a689.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\qiesz.exe
  "C:\Users\Admin\AppData\Local\Temp\qiesz.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 416
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
0f3f0f5f07952b159057253d66bf2e11

SHA1
ee3b57ac1a1f0d868eb41a73309f221be0ada99e

SHA256
fcf9d283f50dfadfafae5016fdb2664d867cb7f29d3ca58f41336445af1783e0

SHA512
8a702d4fff71ec72dd6749f21a1c1ec8f341672963fa0e5ccb4d532d67619f19bbdbde7ac43b9bd08ef758476ee487c996f057504f1fa0d8b99616bc15694b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
945c96668f9b1f5b48059685db08d122

SHA1
fb7e56b305dc7379109678bb8dc60cdd91bdbafc

SHA256
567d2672b2577d4e501d825d1b42fabf6c02eb3f3d6ea42488605474dba0854b

SHA512
887dab8ef70322cc6bac7c4aa6a2cf8fbc60ddd846632f0a35e3d68e052c003c2978b1d77376adc817f9a43c4a9e0bd28106d64c61a924bc8071e64f3b18323a

Download Submit
\Users\Admin\AppData\Local\Temp\qiesz.exe

Filesize
425KB

MD5
49e199a986eb61adb6946937751621f6

SHA1
2a0e1f0b1af25696992032f9dfdf75553b895777

SHA256
cfc4252abb51ff4709c22950403ca49158cf9fc1924f5b9296ee9fc2a65fbbba

SHA512
726f6fec048c09a3a38c36c29f2bb187f81d96a1448f67de4788a30fcdb498d9b80b2038ff3c98c428f99308c9ae63ba39e29d52cba51cc802ec7b35987f7063

Download Submit
memory/2388-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2388-0-0x0000000000B80000-0x0000000000BB9000-memory.dmp

Filesize
228KB

Download
memory/2388-21-0x0000000000B80000-0x0000000000BB9000-memory.dmp

Filesize
228KB

Download
memory/2388-17-0x0000000000580000-0x00000000005B9000-memory.dmp

Filesize
228KB

Download
memory/2552-20-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2552-18-0x0000000000BD0000-0x0000000000C09000-memory.dmp

Filesize
228KB

Download
memory/2552-24-0x0000000000BD0000-0x0000000000C09000-memory.dmp

Filesize
228KB

Download
memory/2552-25-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2552-39-0x0000000000BD0000-0x0000000000C09000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing