urelas | 511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9ed

General

Target

511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe
Size

508KB
MD5

eb48477271572c6589faed3de0a22420
SHA1

ad4fe8092ab79c942e4f55c82dc160bb95885258
SHA256

511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9ed
SHA512

74f037cb5f2174f478adcdde225b1f9fa66d2477ef99c79cee66bbb3abcbcff5be80b4f38e7f9c0c881978da74bf1814331494636319b31cdb5f07e9f8f1661f
SSDEEP

12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKop:3MUv2LAv9AQ1p4dKY

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2948	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2308	lywuk.exe
2788	cisuc.exe

Loads dropped DLL 2 IoCs

pid	Process
3000	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe
2308	lywuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lywuk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cisuc.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe
2788	cisuc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2308	3000	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe	30
PID 3000 wrote to memory of 2308	3000	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe	30
PID 3000 wrote to memory of 2308	3000	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe	30
PID 3000 wrote to memory of 2308	3000	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe	30
PID 3000 wrote to memory of 2948	3000	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe	31
PID 3000 wrote to memory of 2948	3000	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe	31
PID 3000 wrote to memory of 2948	3000	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe	31
PID 3000 wrote to memory of 2948	3000	511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe	31
PID 2308 wrote to memory of 2788	2308	lywuk.exe	34
PID 2308 wrote to memory of 2788	2308	lywuk.exe	34
PID 2308 wrote to memory of 2788	2308	lywuk.exe	34
PID 2308 wrote to memory of 2788	2308	lywuk.exe	34

C:\Users\Admin\AppData\Local\Temp\511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe
"C:\Users\Admin\AppData\Local\Temp\511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\lywuk.exe
  "C:\Users\Admin\AppData\Local\Temp\lywuk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\cisuc.exe
    "C:\Users\Admin\AppData\Local\Temp\cisuc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
47bf8eb2e74fc36b06ac669ef243a886

SHA1
852f333eab64749106ffcecb52d764ddccf455c1

SHA256
190af1c1580486206366aa42f93623b91e71b5b21a48dffb88fabbe9b3e9e270

SHA512
73c096e9c503837b3c09f26cd0abf7ef14aa276a758684a8df71cfac4739a28233d5c62577fe10ea839eab1d712f4c84a7ecbadbb74d0f8dfc7de3d857097e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f959f67f2222b0f10d43426f3e0a23f0

SHA1
3246bec677ddfacbcc3fd083be0de5aded3fde2a

SHA256
112e48960801c88d201cd8dc922ecb199c41bdbdbae1b16309e86a3c24326b81

SHA512
465cea7a2f2110a777b6a48d587336495b91ae42e8ce29ef480c6f4bef8c5c347c9bbe1323a19d7dee84d05a4f505aad68b48a08e98716edfefe02e51f164f40

Download Submit
\Users\Admin\AppData\Local\Temp\cisuc.exe

Filesize
172KB

MD5
9ce5821a8ab0e442f38f2231db918c20

SHA1
52be702c14ed1d0936d40aa63aa926df0189e9b0

SHA256
19e825e2ee17dc3441cb084d4e411c9c263fe96ac1bd6cbf6c81cffdad62a622

SHA512
3edac71c2b5a34abce827a24bf05796eeb1b3f3f9c972bd8ecdda224b34f5dcfbfb413f0d2bc2d7fc431ceaec76d82fa9d4aeb8d821f08873d3782f9d6e2646f

Download Submit
\Users\Admin\AppData\Local\Temp\lywuk.exe

Filesize
508KB

MD5
d42355792fc618e052b5e6bd0860dfcf

SHA1
1edeb2feb377306cf33e80151a0568cb5629fca3

SHA256
a25f859d6fc20e66360e0e0279ea9f9fb85098acebfc28443eb7412c32f7a7f2

SHA512
973ab58ebe26ecef0f86f53c2edd400087018132e154c68be98195e44733d4bfa39faac8ae40199f0bcd2d16ddbaaac5645706f14df02e7099d5fa227b786171

Download Submit
memory/2308-26-0x0000000003770000-0x0000000003809000-memory.dmp

Filesize
612KB

Download
memory/2308-16-0x0000000001140000-0x00000000011C1000-memory.dmp

Filesize
516KB

Download
memory/2308-21-0x0000000001140000-0x00000000011C1000-memory.dmp

Filesize
516KB

Download
memory/2308-28-0x0000000001140000-0x00000000011C1000-memory.dmp

Filesize
516KB

Download
memory/2788-30-0x0000000000090000-0x0000000000129000-memory.dmp

Filesize
612KB

Download
memory/2788-32-0x0000000000090000-0x0000000000129000-memory.dmp

Filesize
612KB

Download
memory/2788-31-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2788-37-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2788-36-0x0000000000090000-0x0000000000129000-memory.dmp

Filesize
612KB

Download
memory/2788-38-0x0000000000090000-0x0000000000129000-memory.dmp

Filesize
612KB

Download
memory/3000-18-0x00000000012D0000-0x0000000001351000-memory.dmp

Filesize
516KB

Download
memory/3000-0-0x00000000012D0000-0x0000000001351000-memory.dmp

Filesize
516KB

Download
memory/3000-15-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing