urelas | 117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53

General

Target

117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe
Size

271KB
MD5

73567e499ad40ab2d37748a1ce3dadf0
SHA1

3bdf5bc966604d0d5c099700e5dc5ca4c8593bd9
SHA256

117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53
SHA512

588b08150b6356b3e9e89a48164f4f3c7c779f2a585925b9ba8d142b949d6537af516f12d150f671fad06ea001634da9424106fd1fa3ce55d72f5314438b25cf
SSDEEP

6144:SPdhP7Vq2S8GYlH9LKeu5exdoW7KkYGuH6lY:uhPjSCKeu0oEYGTy

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2880	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2116	xiofd.exe
1688	ujxag.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe
2116	xiofd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xiofd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujxag.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe
1688	ujxag.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2116	2504	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe	30
PID 2504 wrote to memory of 2116	2504	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe	30
PID 2504 wrote to memory of 2116	2504	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe	30
PID 2504 wrote to memory of 2116	2504	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe	30
PID 2504 wrote to memory of 2880	2504	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe	31
PID 2504 wrote to memory of 2880	2504	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe	31
PID 2504 wrote to memory of 2880	2504	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe	31
PID 2504 wrote to memory of 2880	2504	117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe	31
PID 2116 wrote to memory of 1688	2116	xiofd.exe	34
PID 2116 wrote to memory of 1688	2116	xiofd.exe	34
PID 2116 wrote to memory of 1688	2116	xiofd.exe	34
PID 2116 wrote to memory of 1688	2116	xiofd.exe	34

C:\Users\Admin\AppData\Local\Temp\117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe
"C:\Users\Admin\AppData\Local\Temp\117f2e97338db529f3a459880545924e8a8a9cf3b0c579fe79687b7599c08c53N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\xiofd.exe
  "C:\Users\Admin\AppData\Local\Temp\xiofd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\ujxag.exe
    "C:\Users\Admin\AppData\Local\Temp\ujxag.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
a45ec746fe6711528ed98de386b55c4f

SHA1
79dcbb5a736e0a8cf7548e61edc31cde1e779255

SHA256
322d709677693f7d41a84d724d2cb638cfbd06bd1d652f4e1112bea3dedf9ae5

SHA512
5891c371f6b9d605b0b09f37c91c830f12ddaebef9fbfb390aafaa7c452f1707081f55dbd96482fd5d132caf2447341bb04b0fa24878867e5b27bbfbe3d073e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f25221597c76fd0cc2121c17646574dc

SHA1
5236b4bf912b96fa0971d20fe41ef50e0e95dc81

SHA256
1009bb572def4ba7c267c81cd7f6e0df80025fe1801694627a68141a6405a0ff

SHA512
a078b1fc2065439a3a76471f8d699feb01d0cf6fa2685d30426cb4873944e4ecd9d14a612ab5dac6128fe48870a466af99a6f2704148deb7a4ac72296a36b71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujxag.exe

Filesize
291KB

MD5
57801d39475f25f4037465ab5b5ba360

SHA1
692da848805ae8181033d286c84cd61e660ebbf8

SHA256
87ee1ec80c9e293d35ba34ed7747c5bb052359ce356c87980aba9822fb9f7a79

SHA512
54a5dcddb71a28423c45176a44f8dab69760540611bb22322b472876efcd785ee1aecf667ea39c8ab98f899620066b43d377247ed211526a55d2bd88962b2963

Download Submit
C:\Users\Admin\AppData\Local\Temp\xiofd.exe

Filesize
271KB

MD5
3861b8735e23796c43095939bb1766c2

SHA1
f14c1031e8769364e216cbf62f2851a0cbc35f91

SHA256
0ebfde082de51013e376195127489d26465adad274e164b40901364034054595

SHA512
b5dd7633b3187beba3e576bf495ca4cd4ff6aedc707ead6ce69e26aa18c95cf8eb57149c324d62cfb6693b3e593a5b1658be66592c433d637d4cba92e536d11c

Download Submit
memory/2116-18-0x0000000000290000-0x00000000002FE000-memory.dmp

Filesize
440KB

Download
memory/2116-19-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2116-25-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2116-24-0x0000000000290000-0x00000000002FE000-memory.dmp

Filesize
440KB

Download
memory/2116-41-0x0000000000290000-0x00000000002FE000-memory.dmp

Filesize
440KB

Download
memory/2504-17-0x00000000023D0000-0x000000000243E000-memory.dmp

Filesize
440KB

Download
memory/2504-0-0x0000000000C90000-0x0000000000CFE000-memory.dmp

Filesize
440KB

Download
memory/2504-21-0x0000000000C90000-0x0000000000CFE000-memory.dmp

Filesize
440KB

Download
memory/2504-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing