urelas | fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69

General

Target

fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe
Size

335KB
MD5

714315fad3e335b5c939b4a8e0b2fcd0
SHA1

7bdfff1f79148b07533a1cb44297ca9f7b61baca
SHA256

fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69
SHA512

70dbaa0e86243871e9872fdefa6d7d1b49777ebee96316812b40f9c53b0cb32278be6501a4f8729734c04e243ad726f08283f6ee59970dfdeee4307942eff86f
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIQ:vHW138/iXWlK885rKlGSekcj66ci8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2992	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

desya.exepizyd.exe

pid	Process
2200	desya.exe
2408	pizyd.exe

Loads dropped DLL 2 IoCs

Processes:

fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exedesya.exe

pid	Process
2536	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe
2200	desya.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pizyd.exefdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exedesya.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pizyd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	desya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

pizyd.exe

pid	Process
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe
2408	pizyd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exedesya.exe

description	pid	Process	procid_target
PID 2536 wrote to memory of 2200	2536	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe	30
PID 2536 wrote to memory of 2200	2536	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe	30
PID 2536 wrote to memory of 2200	2536	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe	30
PID 2536 wrote to memory of 2200	2536	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe	30
PID 2536 wrote to memory of 2992	2536	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe	31
PID 2536 wrote to memory of 2992	2536	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe	31
PID 2536 wrote to memory of 2992	2536	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe	31
PID 2536 wrote to memory of 2992	2536	fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe	31
PID 2200 wrote to memory of 2408	2200	desya.exe	34
PID 2200 wrote to memory of 2408	2200	desya.exe	34
PID 2200 wrote to memory of 2408	2200	desya.exe	34
PID 2200 wrote to memory of 2408	2200	desya.exe	34

C:\Users\Admin\AppData\Local\Temp\fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe
"C:\Users\Admin\AppData\Local\Temp\fdc6c9e29a51b677a545312d15efc66907a69d56ba13ae06bcbfbe49cbca0a69N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\desya.exe
  "C:\Users\Admin\AppData\Local\Temp\desya.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\pizyd.exe
    "C:\Users\Admin\AppData\Local\Temp\pizyd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
1884aed314a1b1d92aabe4ca9abd3232

SHA1
45f21b5d7099a1795f0e6f91b322b45e33a9254b

SHA256
4d6d01a4f1d837e820add08398950d383dffbfc15a729520bca482aa2b7b436a

SHA512
d67087f32b0fa3a8d756139a678841ea9e4d2c35e115bc9cfc7cf15137cbb411f7e5b93aaea5597e43ee6773ac7b940d6aaad5d2bb942889a99e415ce2a8a457

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c3233868c26e87e935259cc053941b19

SHA1
df0bbf16b1c9873653a8138cd41df702f6f49b05

SHA256
baabaae6d2b8611ec956fb4ab613792c97f34cebf6510479db06d69b4d600732

SHA512
e1719d4460c33d2cb26939f5e299888144612211fb23723a335cc054837892d87aade6ce1849e4a633900613975720117643626f3ae9ce4a0340392659e20423

Download Submit
\Users\Admin\AppData\Local\Temp\desya.exe

Filesize
335KB

MD5
c1036cb6712d18032a43099c7619a537

SHA1
a407affe08d9f254ae087d5b259918302d6e35fc

SHA256
950c504d6208217b3d4b0794177c57983fa9725d0ffbc1dd4f2c34149a332a4b

SHA512
cc0450d77331b3c098fc4dfb69b8321e4d5ead595fdc73dc9a89c9aee30b26cb168bfb2913dc3681966ef10ecfb63f215add113c62a24ebf43f78b7784fc46a8

Download Submit
\Users\Admin\AppData\Local\Temp\pizyd.exe

Filesize
172KB

MD5
a819e5ca90a12e5e648c2c9e92e05d75

SHA1
669192cb0041653df3d9f0e8403ca059001a16dc

SHA256
c16ec9ec4b4b640ebf5f7cea8928ec676e360c88d445502b57327ae930b997f9

SHA512
fbdbdcc24a63ff375979e8f80a8c1d030bcebe770ee7be3cd7a6d1efdeecde23b06051b1e275fcb0c717b1108b6d06a7c699f414a891eb16d8b7cce4bc961a3c

Download Submit
memory/2200-40-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/2200-20-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/2200-17-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2200-23-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/2200-38-0x0000000002D40000-0x0000000002DD9000-memory.dmp

Filesize
612KB

Download
memory/2408-39-0x0000000000C90000-0x0000000000D29000-memory.dmp

Filesize
612KB

Download
memory/2408-41-0x0000000000C90000-0x0000000000D29000-memory.dmp

Filesize
612KB

Download
memory/2408-45-0x0000000000C90000-0x0000000000D29000-memory.dmp

Filesize
612KB

Download
memory/2408-46-0x0000000000C90000-0x0000000000D29000-memory.dmp

Filesize
612KB

Download
memory/2536-16-0x0000000001120000-0x00000000011A1000-memory.dmp

Filesize
516KB

Download
memory/2536-19-0x0000000001330000-0x00000000013B1000-memory.dmp

Filesize
516KB

Download
memory/2536-0-0x0000000001330000-0x00000000013B1000-memory.dmp

Filesize
516KB

Download
memory/2536-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads