urelas | 7fcddc301a4f24b1a1ca0024899e60efad7d76e4c4543988e22047baeb772996

General

Target

7fcddc301a4f24b1a1ca0024899e60efad7d76e4c4543988e22047baeb772996N.exe
Size

81KB
MD5

dfa25f0acaa7973961aa79611dd97bf0
SHA1

58210f982b4038ff4fd3090a9f283db0b7f47ef0
SHA256

7fcddc301a4f24b1a1ca0024899e60efad7d76e4c4543988e22047baeb772996
SHA512

e2217d93601aab16d54c0b4ff1798b60df14c950cb123b15bcf1bb198cca92430ffb0fbe15aad65f493cfa7c191996c73a5e9e3878f9c984859d6cbb83832c33
SSDEEP

1536:zxKyhnAUfUiZR9G84qk+Be/HZ17hmZpDsxu1d:zLCEZTGx518ox6d

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.28.139

121.88.5.183

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2888	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2872	poldge.exe

Loads dropped DLL 1 IoCs

pid	Process
3016	7fcddc301a4f24b1a1ca0024899e60efad7d76e4c4543988e22047baeb772996N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poldge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fcddc301a4f24b1a1ca0024899e60efad7d76e4c4543988e22047baeb772996N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2872	3016	7fcddc301a4f24b1a1ca0024899e60efad7d76e4c4543988e22047baeb772996N.exe	29
PID 3016 wrote to memory of 2872	3016	7fcddc301a4f24b1a1ca0024899e60efad7d76e4c4543988e22047baeb772996N.exe	29
PID 3016 wrote to memory of 2872	3016	7fcddc301a4f24b1a1ca0024899e60efad7d76e4c4543988e22047baeb772996N.exe	29
PID 3016 wrote to memory of 2872	3016	7fcddc301a4f24b1a1ca0024899e60efad7d76e4c4543988e22047baeb772996N.exe	29
PID 3016 wrote to memory of 2888	3016	7fcddc301a4f24b1a1ca0024899e60efad7d76e4c4543988e22047baeb772996N.exe	30
PID 3016 wrote to memory of 2888	3016	7fcddc301a4f24b1a1ca0024899e60efad7d76e4c4543988e22047baeb772996N.exe	30
PID 3016 wrote to memory of 2888	3016	7fcddc301a4f24b1a1ca0024899e60efad7d76e4c4543988e22047baeb772996N.exe	30
PID 3016 wrote to memory of 2888	3016	7fcddc301a4f24b1a1ca0024899e60efad7d76e4c4543988e22047baeb772996N.exe	30

C:\Users\Admin\AppData\Local\Temp\7fcddc301a4f24b1a1ca0024899e60efad7d76e4c4543988e22047baeb772996N.exe
"C:\Users\Admin\AppData\Local\Temp\7fcddc301a4f24b1a1ca0024899e60efad7d76e4c4543988e22047baeb772996N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\poldge.exe
  "C:\Users\Admin\AppData\Local\Temp\poldge.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
af6f90fee60d60070d9076eba7533c76

SHA1
015da84cb0cfce8699e8b1937dfac54a15e7e792

SHA256
14360d90f621ef9e1d84b269de67f782c9f6a904cf3226c2724d4898c157b687

SHA512
53ce60ef6f9dc9241d106d4e160833430e7855a221babf9835578096313a7a8ba1285df8d5620850ffe9f41f860e04e758a2f0be6fe688a87ea13d780234c3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
1dda736093c69f328b0df1321a5c8ce5

SHA1
f3ffa9e7aaa26382466ff3525420587c2720ebf4

SHA256
1078c68e65de033204fd433cbc085c54807c164af5ded99e781468045001ce8c

SHA512
2dedd4b9fcb2ca4f6ad5402fd86fcd6c58a3635adccd0099ea90fb82d0ed6c209298d2819f45b3052968c0651f2cc7b1ddc5c176a528071093a3e08ceee8729d

Download Submit
\Users\Admin\AppData\Local\Temp\poldge.exe

Filesize
81KB

MD5
458af9325ac5711acca36f1e0b88f947

SHA1
2b511c475f2b56d1a56a88e2bbce4effdbb9ed30

SHA256
2ca6acee33f9884b9c7e64544105d4292382e0aa6749f2d883616198e13cdcca

SHA512
9defb8c9946ab6d4b6913a7dbfec89c49032083dca6f92c210f6e06e63d3c377620a509418c5305a2533cd59f51a8e0b714e7faa537396144062959dca3b285d

Download Submit
memory/2872-17-0x0000000000A50000-0x0000000000A7E000-memory.dmp

Filesize
184KB

Download
memory/2872-22-0x0000000000A50000-0x0000000000A7E000-memory.dmp

Filesize
184KB

Download
memory/2872-29-0x0000000000A50000-0x0000000000A7E000-memory.dmp

Filesize
184KB

Download
memory/3016-0-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download
memory/3016-8-0x00000000003E0000-0x000000000040E000-memory.dmp

Filesize
184KB

Download
memory/3016-19-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing