urelas | 0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807

General

Target

0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe
Size

335KB
MD5

8cb4de3ec7aa600f32bda077dfa76d70
SHA1

a85ae20ee43c62b6db8c32c7409fbb424e5842d6
SHA256

0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807
SHA512

f111e57b24edbe8a93dacb9cc2fae513561b955895517730213d231cc7690817af0d069ded2a5aead25e5d7ab4a041ef20d7a2e31034632cad1350ab848cd6ef
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYC:vHW138/iXWlK885rKlGSekcj66cib

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2092	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2356	avwow.exe
2368	pizoo.exe

Loads dropped DLL 2 IoCs

pid	Process
2480	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe
2356	avwow.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avwow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pizoo.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe
2368	pizoo.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2356	2480	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe	31
PID 2480 wrote to memory of 2356	2480	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe	31
PID 2480 wrote to memory of 2356	2480	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe	31
PID 2480 wrote to memory of 2356	2480	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe	31
PID 2480 wrote to memory of 2092	2480	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe	32
PID 2480 wrote to memory of 2092	2480	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe	32
PID 2480 wrote to memory of 2092	2480	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe	32
PID 2480 wrote to memory of 2092	2480	0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe	32
PID 2356 wrote to memory of 2368	2356	avwow.exe	35
PID 2356 wrote to memory of 2368	2356	avwow.exe	35
PID 2356 wrote to memory of 2368	2356	avwow.exe	35
PID 2356 wrote to memory of 2368	2356	avwow.exe	35

C:\Users\Admin\AppData\Local\Temp\0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe
"C:\Users\Admin\AppData\Local\Temp\0e9b77ed79254116378600a4230410912ae913f7265890881554795c398ad807N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\avwow.exe
  "C:\Users\Admin\AppData\Local\Temp\avwow.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\pizoo.exe
    "C:\Users\Admin\AppData\Local\Temp\pizoo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
8a3655a66124934fe99d94396b7b8feb

SHA1
37b47c752d7432384618d44f6898635a2807e1e2

SHA256
27709208b3da2982a365e2434da68922716686268fd33791b549e7e609c67ca5

SHA512
958dae655b5ea92e143d4e207d712235c8117093b47bb754c26fc4abfaef68273520b54ebb32a66af64de0a26e5b1baa78dcd6a494021edcc472152f0c4ba8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4241b74ed86a5a745db76a85733f645e

SHA1
e91b98f6c7d03e1637c8daac639d71a385966b16

SHA256
75589df22f037607532c3b07b2543475cdf1f3d3c3f12501585fa1a484f89b1a

SHA512
07239c4f5139bcc4d2b5c6659f5d3963068bcb63f20383d07b8c64a7bc7e1850d71209ef37f33b5ad11f8acf7fdb7c109e4a28f43ef5de03b66610cb71657cae

Download Submit
\Users\Admin\AppData\Local\Temp\avwow.exe

Filesize
335KB

MD5
db65a28b55b18dd230210d071c1db86c

SHA1
ca1aff41448cc4bb514a9fd2667dbeb903ff1dc3

SHA256
3a5c48f060cc2ea7c4bd9a5a308b067fd755cff05ae7e62717edeeacab50c9aa

SHA512
8cff6ada9e6894e50e61d5ddad7e9700ae33fc9f97e8664d465a1bfed8a4385637535f0d2f1cc59d6851984650e91dc9500b1e6cde0775cdbfa41269b16d585e

Download Submit
\Users\Admin\AppData\Local\Temp\pizoo.exe

Filesize
172KB

MD5
fdd53b009d989806ad9f80151f6e3d7a

SHA1
ded688cef1eda076a30fc5711a94a272f04942aa

SHA256
6b9b8e43c23c42543148a3765d49ebc0f2cb811c46c6ac1e99ceb514982dc91b

SHA512
5c01471c302fae99a87153afb582d31c2f8e5900089ac88488c2662eee212fe20899740679fb1d26b277ac9675bff432aef5714e1f51ce27bb91b578e33e3449

Download Submit
memory/2356-24-0x0000000000DC0000-0x0000000000E41000-memory.dmp

Filesize
516KB

Download
memory/2356-42-0x0000000000DC0000-0x0000000000E41000-memory.dmp

Filesize
516KB

Download
memory/2356-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2356-11-0x0000000000DC0000-0x0000000000E41000-memory.dmp

Filesize
516KB

Download
memory/2356-40-0x0000000003550000-0x00000000035E9000-memory.dmp

Filesize
612KB

Download
memory/2356-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2368-43-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2368-46-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2368-48-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2368-49-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2480-0-0x0000000000160000-0x00000000001E1000-memory.dmp

Filesize
516KB

Download
memory/2480-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2480-21-0x0000000000160000-0x00000000001E1000-memory.dmp

Filesize
516KB

Download
memory/2480-7-0x00000000024D0000-0x0000000002551000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing