urelas | d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede

General

Target

d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe
Size

337KB
MD5

04e240ee2f9ab0209ae9df67f16a2146
SHA1

8083458b4bd2c74384a9783b08c48811a27b2453
SHA256

d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede
SHA512

aa8a82c239411a05b134ba3aa6f74042b2fb6c98b7b3c984ebf48998a817ab01966c3a854248be1cb94f4b61391616d316de64f16c6de39c6c19b47be1ebf093
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVVPR:vHW138/iXWlK885rKlGSekcj66ciEVZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1376	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2204	qiesz.exe
1876	bowyc.exe

Loads dropped DLL 2 IoCs

pid	Process
2700	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe
2204	qiesz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bowyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qiesz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe
1876	bowyc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2204	2700	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe	30
PID 2700 wrote to memory of 2204	2700	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe	30
PID 2700 wrote to memory of 2204	2700	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe	30
PID 2700 wrote to memory of 2204	2700	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe	30
PID 2700 wrote to memory of 1376	2700	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe	31
PID 2700 wrote to memory of 1376	2700	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe	31
PID 2700 wrote to memory of 1376	2700	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe	31
PID 2700 wrote to memory of 1376	2700	d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe	31
PID 2204 wrote to memory of 1876	2204	qiesz.exe	34
PID 2204 wrote to memory of 1876	2204	qiesz.exe	34
PID 2204 wrote to memory of 1876	2204	qiesz.exe	34
PID 2204 wrote to memory of 1876	2204	qiesz.exe	34

C:\Users\Admin\AppData\Local\Temp\d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe
"C:\Users\Admin\AppData\Local\Temp\d0f753d25f44cd8a7425bd26acb10b04124b93ea1dce615f421f67beabb8eede.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\qiesz.exe
  "C:\Users\Admin\AppData\Local\Temp\qiesz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\bowyc.exe
    "C:\Users\Admin\AppData\Local\Temp\bowyc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8e631a28e907fdd992faf6b98e396d7e

SHA1
2ae635dd93ccb54d4fc3c477031ad55b71105f4c

SHA256
f0ec429b7ecf5fc7e9e23bd747228b181f6a8287b29a87fc67546999c870de70

SHA512
326bc571c95a108a75bc11b07e26e64f4261f2beefada101e9bc9b63d076e096c951dfd8c42593618c2d0a1a79d672123a2ab0496630f8c66c17003423ddd296

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
19a1b6494dea1be5bc400fb35a762a53

SHA1
7c1c320b070653ea34b0feb1271416c8ce09fb9c

SHA256
cb838759eef1c722af3f5220c809a438f0542e153d28e2469cc7b847f81f2e78

SHA512
6b0d32d9a70e199f12db4ae228d4d396608c082928052f159ffce97890325ec465b5cd88d5bfb768cf43f74f37aca702b2d434d75e5826d93ca84da7e2ebe262

Download Submit
\Users\Admin\AppData\Local\Temp\bowyc.exe

Filesize
172KB

MD5
a7fbc3369668cedb98713b59955d77f9

SHA1
f4e322fd59074281f61ec3605173afc2ed32d79b

SHA256
b3d271fcda09e33989f6c7511751e1afdcd836b88161dd8b7771d90e2beece48

SHA512
59b44b24f5796f183a085933a6a40a124f4021080a67c775d5a0f9a26d5e74470415c8459bed9ea6a68b7468d3271744f452a4025490bc4d6434403c4e3adfc4

Download Submit
\Users\Admin\AppData\Local\Temp\qiesz.exe

Filesize
337KB

MD5
740238a0ca5a643ccf267e3fca987450

SHA1
51fe3558ba63b65e1767eb4f7212e73fec2f3bb2

SHA256
c4afb5342ab9c09d21daced8af7262cda033f17987ca7ded73eed5d612aa3c65

SHA512
1acc6a7a464dda23fa122895e207c71a1cc6f64d45fbe92f02e0678d2c4348adb86613c2c1a31f91b981d18a475be0c75d8968c27894101b008ed89e7055e030

Download Submit
memory/1876-42-0x0000000000E20000-0x0000000000EB9000-memory.dmp

Filesize
612KB

Download
memory/1876-48-0x0000000000E20000-0x0000000000EB9000-memory.dmp

Filesize
612KB

Download
memory/1876-47-0x0000000000E20000-0x0000000000EB9000-memory.dmp

Filesize
612KB

Download
memory/1876-43-0x0000000000E20000-0x0000000000EB9000-memory.dmp

Filesize
612KB

Download
memory/2204-39-0x0000000003D40000-0x0000000003DD9000-memory.dmp

Filesize
612KB

Download
memory/2204-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2204-20-0x0000000000960000-0x00000000009E1000-memory.dmp

Filesize
516KB

Download
memory/2204-23-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2204-24-0x0000000000960000-0x00000000009E1000-memory.dmp

Filesize
516KB

Download
memory/2204-41-0x0000000000960000-0x00000000009E1000-memory.dmp

Filesize
516KB

Download
memory/2700-18-0x0000000000FB0000-0x0000000001031000-memory.dmp

Filesize
516KB

Download
memory/2700-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2700-0-0x0000000000FB0000-0x0000000001031000-memory.dmp

Filesize
516KB

Download
memory/2700-16-0x0000000002710000-0x0000000002791000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing