urelas | 2726d4348e1cb9589171be272a5801b86f2bcf97489c70e66384e08822db2c55

General

Target

2726d4348e1cb9589171be272a5801b86f2bcf97489c70e66384e08822db2c55.exe
Size

335KB
MD5

7f1a038abd5a1f7b5450ac958c2f6228
SHA1

f1efd2e7674dcf608e4be0b48a9f5febde25c832
SHA256

2726d4348e1cb9589171be272a5801b86f2bcf97489c70e66384e08822db2c55
SHA512

28ab0bb3dc5e83b77f93a94d4830a7bdcde1c2e8c40d602edec96a4b7bb066dd7135f3c2cbfea1fae03d756ced6850b118af8a02ae4a52ef18663b185b5a0026
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYvRu:vHW138/iXWlK885rKlGSekcj66ci2Y

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
3052	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2172	siliq.exe
1708	biwuv.exe

Loads dropped DLL 2 IoCs

pid	Process
2368	2726d4348e1cb9589171be272a5801b86f2bcf97489c70e66384e08822db2c55.exe
2172	siliq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2726d4348e1cb9589171be272a5801b86f2bcf97489c70e66384e08822db2c55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	siliq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biwuv.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe
1708	biwuv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2172	2368	2726d4348e1cb9589171be272a5801b86f2bcf97489c70e66384e08822db2c55.exe	30
PID 2368 wrote to memory of 2172	2368	2726d4348e1cb9589171be272a5801b86f2bcf97489c70e66384e08822db2c55.exe	30
PID 2368 wrote to memory of 2172	2368	2726d4348e1cb9589171be272a5801b86f2bcf97489c70e66384e08822db2c55.exe	30
PID 2368 wrote to memory of 2172	2368	2726d4348e1cb9589171be272a5801b86f2bcf97489c70e66384e08822db2c55.exe	30
PID 2368 wrote to memory of 3052	2368	2726d4348e1cb9589171be272a5801b86f2bcf97489c70e66384e08822db2c55.exe	31
PID 2368 wrote to memory of 3052	2368	2726d4348e1cb9589171be272a5801b86f2bcf97489c70e66384e08822db2c55.exe	31
PID 2368 wrote to memory of 3052	2368	2726d4348e1cb9589171be272a5801b86f2bcf97489c70e66384e08822db2c55.exe	31
PID 2368 wrote to memory of 3052	2368	2726d4348e1cb9589171be272a5801b86f2bcf97489c70e66384e08822db2c55.exe	31
PID 2172 wrote to memory of 1708	2172	siliq.exe	34
PID 2172 wrote to memory of 1708	2172	siliq.exe	34
PID 2172 wrote to memory of 1708	2172	siliq.exe	34
PID 2172 wrote to memory of 1708	2172	siliq.exe	34

C:\Users\Admin\AppData\Local\Temp\2726d4348e1cb9589171be272a5801b86f2bcf97489c70e66384e08822db2c55.exe
"C:\Users\Admin\AppData\Local\Temp\2726d4348e1cb9589171be272a5801b86f2bcf97489c70e66384e08822db2c55.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\siliq.exe
  "C:\Users\Admin\AppData\Local\Temp\siliq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\biwuv.exe
    "C:\Users\Admin\AppData\Local\Temp\biwuv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
21ac784e23b6126b7080b1e757b9d322

SHA1
5164a67da448d36fa22ff1c014b5282745d7d12f

SHA256
05a4d2a1c76cc1c0d601559ac7b164bdee1a74d926be50c07a3202f5d257399b

SHA512
c86cbcec89d5121bf964f0115f7b1ee47ca0546b451007505294ab9cadd632183e5d936684cb8be9b2225ed07d7f210faba15bb87fa2eadfb67a8d8a95c7e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\biwuv.exe

Filesize
172KB

MD5
12a90fc253b39d24ca88727a94778f33

SHA1
a8b93fad1ae604168893cb6130d5f1d839582835

SHA256
bbccdd25b7a2785bcf0930b09319652847dad766f19c752b0a8723bb47c2dea6

SHA512
2148f3e3ad542abe0fbe3affcbe4a4afc56bb1de17b64edae5d3ca9e09b3536d7927d285b9021812c3a863f187be58de882c919ebbf6da380f13e24d9e8a6679

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8dce4e89ea5997e968f56cd50b00d023

SHA1
df8cfe3d160d76145bdcdd7e00f91bdc4379f44c

SHA256
6cabba8945ba1b12c330f2fc737f2e035c7de2e6dba4bf838d091666bf85f465

SHA512
ad8e278fb45973028b0bf7cc99e3f46e377127d39e08e6ed904b218ec53a1a26415fcdf06b4ad9929a655d22eb7900e3fe14ac44afd25a508f89d5d873ba5611

Download Submit
C:\Users\Admin\AppData\Local\Temp\siliq.exe

Filesize
335KB

MD5
a704f508b9770395630dd872f35e0739

SHA1
2d97c116c1c9e90da50f9336636de1ff1197490d

SHA256
294281c8e3f3f48b6e7902e3cf441234516803cf51ba7f82e31f6f8f51469fd7

SHA512
8cfb86701aa779a005255471bf415be3d877cb6b0168079e6d67e3df3ea9e70fc74cec278877d3a169d28099fe27a9f9e22207e5069d732f95650e24daa52f7f

Download Submit
memory/1708-49-0x0000000001160000-0x00000000011F9000-memory.dmp

Filesize
612KB

Download
memory/1708-48-0x0000000001160000-0x00000000011F9000-memory.dmp

Filesize
612KB

Download
memory/1708-43-0x0000000001160000-0x00000000011F9000-memory.dmp

Filesize
612KB

Download
memory/1708-44-0x0000000001160000-0x00000000011F9000-memory.dmp

Filesize
612KB

Download
memory/2172-42-0x00000000009E0000-0x0000000000A61000-memory.dmp

Filesize
516KB

Download
memory/2172-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2172-24-0x00000000009E0000-0x0000000000A61000-memory.dmp

Filesize
516KB

Download
memory/2172-40-0x0000000003640000-0x00000000036D9000-memory.dmp

Filesize
612KB

Download
memory/2172-19-0x00000000009E0000-0x0000000000A61000-memory.dmp

Filesize
516KB

Download
memory/2172-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2368-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2368-21-0x0000000000F70000-0x0000000000FF1000-memory.dmp

Filesize
516KB

Download
memory/2368-17-0x0000000000EE0000-0x0000000000F61000-memory.dmp

Filesize
516KB

Download
memory/2368-0-0x0000000000F70000-0x0000000000FF1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing