urelas | ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06c

General

Target

ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe
Size

337KB
MD5

74237201f106e1b4cc7f9bd57239a8b0
SHA1

2aea8f5cddddd1be438504ee9d5ca6fb9eb44014
SHA256

ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06c
SHA512

72418e15f92cae5bb31584ecf3f4fc4083e5af3bbda433b36232c9d68a61d003862921de8cf65a1a87d621af6173e63aa4fa887a9b6a632d4de1e705d4886f5b
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66ciG

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1276	ripew.exe
1380	yvzet.exe

Loads dropped DLL 2 IoCs

pid	Process
2612	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe
1276	ripew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ripew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvzet.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe
1380	yvzet.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 1276	2612	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe	31
PID 2612 wrote to memory of 1276	2612	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe	31
PID 2612 wrote to memory of 1276	2612	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe	31
PID 2612 wrote to memory of 1276	2612	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe	31
PID 2612 wrote to memory of 2624	2612	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe	32
PID 2612 wrote to memory of 2624	2612	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe	32
PID 2612 wrote to memory of 2624	2612	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe	32
PID 2612 wrote to memory of 2624	2612	ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe	32
PID 1276 wrote to memory of 1380	1276	ripew.exe	35
PID 1276 wrote to memory of 1380	1276	ripew.exe	35
PID 1276 wrote to memory of 1380	1276	ripew.exe	35
PID 1276 wrote to memory of 1380	1276	ripew.exe	35

C:\Users\Admin\AppData\Local\Temp\ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe
"C:\Users\Admin\AppData\Local\Temp\ec7296b797b92c166939418f9b1720510222ad5ca9919c9a3f4781e81b10d06cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\ripew.exe
  "C:\Users\Admin\AppData\Local\Temp\ripew.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Users\Admin\AppData\Local\Temp\yvzet.exe
    "C:\Users\Admin\AppData\Local\Temp\yvzet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
68882864ef7a0652d0ab980c3626f862

SHA1
3e804be8a27b669258344f35d6d039ecec8aba5e

SHA256
cd8626fc2ac08bcacacee30b24394ba19bf1c913347beb12d61cbd456e83e86f

SHA512
5b785b861401053e21e06809eae1b53bbb40be44000e6b58fc210fe00676dec2a9b78e8f2fd84d957ba33a4d4b829d79052ae24b7bc0b5853b005d3a4957cd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
90a6d283d5d51782ef16a4a31be1b859

SHA1
c359951ba1ee26b0759c656bd1ab286f5a85e631

SHA256
1ff257d8e67bc7735d448f076b87bd6a2c32e194d3f604283955a69f04dab765

SHA512
2f0f5343b036467f991ac6856342ad48b4764f0f09d51dd06d846726dbc027733820c1ac5a9308016c333bc8d8eb3210bb96168de8a2bdb86b191c8d12d606c7

Download Submit
\Users\Admin\AppData\Local\Temp\ripew.exe

Filesize
337KB

MD5
3851342f80826d1725d222d98c3197df

SHA1
8bf5c7491617479fd6ca19f340d7f9ab538b2882

SHA256
ef16220a4486f06d6ec57c6e43130fcb6f28ce095f2d4f02d31c47f82c0300fb

SHA512
0ae87c57893a146e2cd8330a40a733c5748f5ef0c6e182afd2315c8dc1dc6b1973f18155db1c820cbcd460934566eff59f283114ee748383aa57a3f0aa06dab6

Download Submit
\Users\Admin\AppData\Local\Temp\yvzet.exe

Filesize
172KB

MD5
3d0c73dff72c2a1b15e2b4bd9576b24c

SHA1
8141da247ae6bad1c52786a2e663eee3eace88ae

SHA256
f974751b713817c6ef93ddc4c92cd762ba4abd28b076ea7c2ab4bf800c4db622

SHA512
d3e15b6e35edffc91751774c78476ccfe6eae1297d2429c27fb151ad901c78f9108215bd20a0bf8dfea470e5574db2fe8b254ecee8ac8db055d01fa3bd2d3b6d

Download Submit
memory/1276-17-0x0000000001080000-0x0000000001101000-memory.dmp

Filesize
516KB

Download
memory/1276-39-0x0000000001080000-0x0000000001101000-memory.dmp

Filesize
516KB

Download
memory/1276-40-0x0000000000E00000-0x0000000000E99000-memory.dmp

Filesize
612KB

Download
memory/1276-25-0x0000000001080000-0x0000000001101000-memory.dmp

Filesize
516KB

Download
memory/1276-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1276-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1380-42-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/1380-43-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/1380-47-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/1380-48-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/2612-21-0x0000000000210000-0x0000000000291000-memory.dmp

Filesize
516KB

Download
memory/2612-0-0x0000000000210000-0x0000000000291000-memory.dmp

Filesize
516KB

Download
memory/2612-9-0x00000000025C0000-0x0000000002641000-memory.dmp

Filesize
516KB

Download
memory/2612-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing