urelas | 5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951a

General

Target

5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe
Size

335KB
MD5

e387dd59054bfa8f949f413d4ce86540
SHA1

074d75500079b781a8e703eb50e9c96b068415e3
SHA256

5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951a
SHA512

1c607c72d6cc2223159e3034abc2e4fecf58c49b2414a9bc20f19ac257e213c27f273bb13eb5e78ee51e15fcb503f3a983dccb3bb82a8ddb96d348e500cf3bb0
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYvRa:vHW138/iXWlK885rKlGSekcj66ci2Y

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
468	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2064	gowov.exe
1644	voezm.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe
2064	gowov.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voezm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gowov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe
1644	voezm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2064	2380	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe	30
PID 2380 wrote to memory of 2064	2380	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe	30
PID 2380 wrote to memory of 2064	2380	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe	30
PID 2380 wrote to memory of 2064	2380	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe	30
PID 2380 wrote to memory of 468	2380	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe	31
PID 2380 wrote to memory of 468	2380	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe	31
PID 2380 wrote to memory of 468	2380	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe	31
PID 2380 wrote to memory of 468	2380	5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe	31
PID 2064 wrote to memory of 1644	2064	gowov.exe	34
PID 2064 wrote to memory of 1644	2064	gowov.exe	34
PID 2064 wrote to memory of 1644	2064	gowov.exe	34
PID 2064 wrote to memory of 1644	2064	gowov.exe	34

C:\Users\Admin\AppData\Local\Temp\5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe
"C:\Users\Admin\AppData\Local\Temp\5cc95f1e8eabf6cb518ef694ea44878c426d4b5d1400aa5013d2c1fca2d3951aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\gowov.exe
  "C:\Users\Admin\AppData\Local\Temp\gowov.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\voezm.exe
    "C:\Users\Admin\AppData\Local\Temp\voezm.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:468

Network

No results found

218.54.31.226:11300

gowov.exe

152 B
3
1.234.83.146:11170

gowov.exe

152 B
3
218.54.31.166:11300

gowov.exe

152 B
3
133.242.129.155:11300

gowov.exe

152 B
3

No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
bfe54d6fcffe988ce34ac3be8081d537

SHA1
5b140faf2d082ab6be8cfa3d52d8860f1509e773

SHA256
dcade3073e76d7bf2f873821fbadcb40e8e1f27bff9d8a44f9fc685a7d512a46

SHA512
4b0b8e91dfa613faa00e7aa2669ef5391f47df9046af4757c31fa16a4e21e62b5670e979f96ce1316f7fa174b5ceb0e60c23bed8f9eb71045dc3bad1e11b9149

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c193f530667ef1491c2f3a54f95bdfef

SHA1
c3052d226c4ca6772e9e27f8955029132ed5db36

SHA256
ffc7cd86403105759785d866b199fc7983cab3cea84147f1bcae9a9ae5afffbf

SHA512
228380cad1c51916004d0e318488dded0fe685cb4c22f93612aa49306289d6c3d80e9ec4740504557537917d2166e239bc5c2085335dbdc44aa230bc73790ba6

Download Submit
\Users\Admin\AppData\Local\Temp\gowov.exe

Filesize
335KB

MD5
915f3c3dce2c148472f48670caca7f6a

SHA1
faf3dceabcd3fd8db32b3986044537d4fc2876cc

SHA256
b506c9c36ce0d5b5c52c2e1b1306732ebdaa256fbf7585dff152c7cd659454c7

SHA512
af4e641e1eb39154be5adfee093f395e3fc30f7c1f87c7f324fec88e66bf47f36d03cdbf447b95b5722a993bcf1374c4a5193d5ff6e8e64a782606346264d700

Download Submit
\Users\Admin\AppData\Local\Temp\voezm.exe

Filesize
172KB

MD5
3923ae0dedf2f4e390aca41302e4829f

SHA1
4591a417f3cbda396b161c70abe921e78645b430

SHA256
e1e280cf1c58ed8fc4a6444e89c1082fc80c92314c423b8daf74332af8bf98a1

SHA512
bcec37acdf9add1fecfdadcb951ae3a23e9518bd55fa8465bb30799a21371fb39fe565bd06c9ab271b52036af6ef36bd565ff46eb23cf81df4d5d460e7cf2f2f

Download Submit
memory/1644-42-0x0000000000F70000-0x0000000001009000-memory.dmp

Filesize
612KB

Download
memory/1644-43-0x0000000000F70000-0x0000000001009000-memory.dmp

Filesize
612KB

Download
memory/1644-47-0x0000000000F70000-0x0000000001009000-memory.dmp

Filesize
612KB

Download
memory/1644-48-0x0000000000F70000-0x0000000001009000-memory.dmp

Filesize
612KB

Download
memory/2064-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2064-11-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/2064-24-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/2064-38-0x0000000003390000-0x0000000003429000-memory.dmp

Filesize
612KB

Download
memory/2064-40-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/2380-9-0x00000000025E0000-0x0000000002661000-memory.dmp

Filesize
516KB

Download
memory/2380-21-0x0000000000BB0000-0x0000000000C31000-memory.dmp

Filesize
516KB

Download
memory/2380-0-0x0000000000BB0000-0x0000000000C31000-memory.dmp

Filesize
516KB

Download
memory/2380-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing