urelas | 605a69e8e29d36e72a7aa2bc021f9140762c166d2a254fb9a6d5346e38ec7b97

General

Target

605a69e8e29d36e72a7aa2bc021f9140762c166d2a254fb9a6d5346e38ec7b97N.exe
Size

592KB
MD5

e4a8a7b2157919d1514b7326d9fbfe80
SHA1

957b115b1c3d866d3bf1c8c9c6fa9dfec955b7f9
SHA256

605a69e8e29d36e72a7aa2bc021f9140762c166d2a254fb9a6d5346e38ec7b97
SHA512

b9e1579c06eaa8c65f6feecb82a28ec35121c6e9cdf436b87d9120fb9c2c18bfbcbe305860a8f044c2ba225d8f969ca0cc94179554ef7a06f504235ad11b33e3
SSDEEP

6144:CZKHKSIl0SatLPTUrjBpAs/mpYIqaaUN44Iq766ztAkOHn0LHZRi:C4jm0Sat7Az/gZvTIq2WKkw0Fg

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3032	difes.exe
2004	rurol.exe

Loads dropped DLL 3 IoCs

pid	Process
1792	605a69e8e29d36e72a7aa2bc021f9140762c166d2a254fb9a6d5346e38ec7b97N.exe
3032	difes.exe
3032	difes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	605a69e8e29d36e72a7aa2bc021f9140762c166d2a254fb9a6d5346e38ec7b97N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	difes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rurol.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe
2004	rurol.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 3032	1792	605a69e8e29d36e72a7aa2bc021f9140762c166d2a254fb9a6d5346e38ec7b97N.exe	31
PID 1792 wrote to memory of 3032	1792	605a69e8e29d36e72a7aa2bc021f9140762c166d2a254fb9a6d5346e38ec7b97N.exe	31
PID 1792 wrote to memory of 3032	1792	605a69e8e29d36e72a7aa2bc021f9140762c166d2a254fb9a6d5346e38ec7b97N.exe	31
PID 1792 wrote to memory of 3032	1792	605a69e8e29d36e72a7aa2bc021f9140762c166d2a254fb9a6d5346e38ec7b97N.exe	31
PID 1792 wrote to memory of 2924	1792	605a69e8e29d36e72a7aa2bc021f9140762c166d2a254fb9a6d5346e38ec7b97N.exe	32
PID 1792 wrote to memory of 2924	1792	605a69e8e29d36e72a7aa2bc021f9140762c166d2a254fb9a6d5346e38ec7b97N.exe	32
PID 1792 wrote to memory of 2924	1792	605a69e8e29d36e72a7aa2bc021f9140762c166d2a254fb9a6d5346e38ec7b97N.exe	32
PID 1792 wrote to memory of 2924	1792	605a69e8e29d36e72a7aa2bc021f9140762c166d2a254fb9a6d5346e38ec7b97N.exe	32
PID 3032 wrote to memory of 2004	3032	difes.exe	34
PID 3032 wrote to memory of 2004	3032	difes.exe	34
PID 3032 wrote to memory of 2004	3032	difes.exe	34
PID 3032 wrote to memory of 2004	3032	difes.exe	34

C:\Users\Admin\AppData\Local\Temp\605a69e8e29d36e72a7aa2bc021f9140762c166d2a254fb9a6d5346e38ec7b97N.exe
"C:\Users\Admin\AppData\Local\Temp\605a69e8e29d36e72a7aa2bc021f9140762c166d2a254fb9a6d5346e38ec7b97N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\difes.exe
  "C:\Users\Admin\AppData\Local\Temp\difes.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\rurol.exe
    "C:\Users\Admin\AppData\Local\Temp\rurol.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
a046b1422439be8068ba7db83ecc117b

SHA1
a463dac4c35cee2f4f115bf4777cb423717fed8f

SHA256
0f24eac36c8b282247dd3c75975bf0b2c1d90a5d9b7e1fb1e079d01b80fa4e0c

SHA512
9f696134a6136abae67e971dfe691de21e003c187806fcc285d70adbb4b98ccd393482c78c739386220a68421bbc214fe88878d862078f925d2e8ec66a009f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\difes.exe

Filesize
593KB

MD5
f965d856bee81a6c65867ef1802fd7d8

SHA1
19da1d24dc80a35e3232d9ed6e44b186c936a888

SHA256
5cea9900a8ae17de85ae5d08dd6932623109d0efe8eb2be52d385e5c66a1f6e1

SHA512
70f56a6d30b16d36d1077ea5431fb81b8f5de87cb780cd46f67786c4ff7e4b9ccb2eceaee2567e429a1d73691e8fa895e958c98a0981bcf6c9f6ac1e384f5be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\difes.exe

Filesize
593KB

MD5
f51b1c5ff9a0184b9c0895fc459fc2ef

SHA1
24eedc179d17808d6e3bceb702f4ae48651f50ba

SHA256
ef880e13c84a5aa38d6a1fa759d015a606f13171ddb459365909892290591605

SHA512
b4fc74a4a8ce0cc9e8b3fb3bce0f7c99e9776203a710082704d506f3557d91d24f50c5027ff5f830a602a52bb98341d5066c64d211b8d51342722442c3fd4d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
45a201cfb8ec0bb4c8638a19a6b7e649

SHA1
a1ab1cecdc82ef0f07ddc307e53b59a32cc2f55d

SHA256
5ddffa16b333460ed18f0ec869a32cebea7ddfcd185cd3545af9faa334eedf51

SHA512
94ae86423221a3d50facac8f2c017cf061cc59ad8ac608f0621419881b60390f5ea10836b8b1c2375172c548f98e28e3d320f35474d8f3ea1f69de13b37336ab

Download Submit
\Users\Admin\AppData\Local\Temp\rurol.exe

Filesize
323KB

MD5
49679825676065b3b821f44c990e361b

SHA1
b19c0c5e6ae61c73b4668182063f7280d16c3d1c

SHA256
69cac7a1e234a384fc1634474f97a405a80280267370d5a03397c25e2aebf62f

SHA512
ba5347c6cd0e8327bf42b67f49895d55fb5718e4e9374ff9ba32780cb6dd04ab645c54f5ae43b7dbc0c7b8b8b3efa20f3a69bd6587074335874b0eb1c31f93c5

Download Submit
memory/1792-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2004-30-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2004-29-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2004-32-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2004-33-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2004-34-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download

Analysis

Sharing