urelas | a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5

General

Target

a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe
Size

335KB
MD5

04d68eaf478d47657476caf43d7285c0
SHA1

ce15233f41f268c12fb404dee0fd43278a8ea1a7
SHA256

a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5
SHA512

1ad03af4af901ca022b64a9d2e630219fc546afa72ee3ab978413b7cdb1c0cc651074b28bac870b1ba27e3b883e3d64524e33d63727403fdaabf090d500543e5
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYi:vHW138/iXWlK885rKlGSekcj66cir

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3060	kyseb.exe
1628	pizie.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe
3060	kyseb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyseb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pizie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe
1628	pizie.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 3060	2080	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe	28
PID 2080 wrote to memory of 3060	2080	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe	28
PID 2080 wrote to memory of 3060	2080	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe	28
PID 2080 wrote to memory of 3060	2080	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe	28
PID 2080 wrote to memory of 2616	2080	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe	29
PID 2080 wrote to memory of 2616	2080	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe	29
PID 2080 wrote to memory of 2616	2080	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe	29
PID 2080 wrote to memory of 2616	2080	a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe	29
PID 3060 wrote to memory of 1628	3060	kyseb.exe	33
PID 3060 wrote to memory of 1628	3060	kyseb.exe	33
PID 3060 wrote to memory of 1628	3060	kyseb.exe	33
PID 3060 wrote to memory of 1628	3060	kyseb.exe	33

C:\Users\Admin\AppData\Local\Temp\a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe
"C:\Users\Admin\AppData\Local\Temp\a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\kyseb.exe
  "C:\Users\Admin\AppData\Local\Temp\kyseb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\pizie.exe
    "C:\Users\Admin\AppData\Local\Temp\pizie.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
c172a424cc00b26d4d85581ae514e7d8

SHA1
a7ecdb5ec063dac988c82b20d1f0a86b92614006

SHA256
5b527a29c060d697eec47886c68afd011769d9228bdd88908fe3830785e07fe3

SHA512
d84c0f57c681eea26dee174c9a60bbe3f7a1442ac30ce38b05e57fc9e4b94c44f208eaa2112f913be04cce8459aeb959a4990b3c002ad09803e8fb80fab5b12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d64632faac143ebc477f72d53d5ff345

SHA1
d4319b207caee0f2bbddaf34f9fafb0734a8ceec

SHA256
57effa4e2b1c8ea623219efdd437f4488a9e06d8714ef939745c908433a02fe9

SHA512
7de744c84bba1023b126b6d2c67ed8fbede4ef1c98e45384561a3c034641b16a39173a97765a633109d1748a60be0e6e5b6c7eb8f3b93d4a39ef461614ed49fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyseb.exe

Filesize
335KB

MD5
5cc9ada4e2fd08a73aadf90f232ec133

SHA1
4ddc417b4d5b24975b512f213dc907292df9106b

SHA256
9490cce45b85b0ed5c45192b19307c4ee1e02ac55d7b72fc221b47cda75fe443

SHA512
3d41d194ad7fd223247f3bd3e268f0d5b094f320fae02ac75af346cd6a8f8dbc02583638f4433ee8b64ab34228d00677ddbdeaead8d0e4fbfbf2410bafce8a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pizie.exe

Filesize
172KB

MD5
a41c0e50e2df96e681a7cb6d881395ea

SHA1
cbdca18db3b9e75a318e028b9d7d3375d590d4eb

SHA256
ea523b6b39305cebb64ecc81be4edaa458b5065e5a4618bfbd82eed000d83005

SHA512
2259e9cf73fd58ebd8de8a7faf2af3eb1a9e9e245a8fe82d890746948ffed032c71869af5641a01dd216a492600ffc5776007437ca83037e1b66174fa5292e1b

Download Submit
\Users\Admin\AppData\Local\Temp\kyseb.exe

Filesize
335KB

MD5
770c2582e75ed490ff3c9887a2a3caad

SHA1
fd3e6c90664c74e009de8152a496582da748c743

SHA256
af9f85844b0d610ae3956dc9e3f7e61d225083f766e7ac6ce8a5d2241b281446

SHA512
7d047840e06a68010ead45c0b586c1f33b5529dbfad73adb3d8540c54973eb294dad24e92a56e1bf90a9ab639c61926802569e713deb5d8a8c8895e5e449725a

Download Submit
memory/1628-48-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/1628-49-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/1628-43-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/1628-42-0x0000000000D30000-0x0000000000DC9000-memory.dmp

Filesize
612KB

Download
memory/2080-21-0x0000000000CB0000-0x0000000000D31000-memory.dmp

Filesize
516KB

Download
memory/2080-0-0x0000000000CB0000-0x0000000000D31000-memory.dmp

Filesize
516KB

Download
memory/2080-9-0x0000000002670000-0x00000000026F1000-memory.dmp

Filesize
516KB

Download
memory/2080-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3060-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3060-39-0x00000000003A0000-0x0000000000421000-memory.dmp

Filesize
516KB

Download
memory/3060-40-0x0000000003BE0000-0x0000000003C79000-memory.dmp

Filesize
612KB

Download
memory/3060-24-0x00000000003A0000-0x0000000000421000-memory.dmp

Filesize
516KB

Download
memory/3060-17-0x00000000003A0000-0x0000000000421000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing