urelas | 3a5c7544f105f43cd94227ba4844167c42538e4ac4f5944ef4528f0521b3cce7

General

Target

3a5c7544f105f43cd94227ba4844167c42538e4ac4f5944ef4528f0521b3cce7N.exe
Size

505KB
MD5

6568e820aef4d499b2f11377d870f4f0
SHA1

2d7a5cad37d6ed0379ec87b50b85046abbeae1c9
SHA256

3a5c7544f105f43cd94227ba4844167c42538e4ac4f5944ef4528f0521b3cce7
SHA512

3dc6f3122779c75eb2676402283bfd6cb00072cf994dc7487b531d483da12e603a20b094548cb32153b9ef4ebeaf4a23e1031aa5d260021d631b10069221210d
SSDEEP

12288:N/fCEOMsm8nc3qWQ8wqKhb43nLl5tDrXlFo:N/D0caF8wvhb43pDbo

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2404	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2796	eztim.exe
2764	ziifx.exe

Loads dropped DLL 2 IoCs

pid	Process
2648	3a5c7544f105f43cd94227ba4844167c42538e4ac4f5944ef4528f0521b3cce7N.exe
2796	eztim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziifx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a5c7544f105f43cd94227ba4844167c42538e4ac4f5944ef4528f0521b3cce7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eztim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe
2764	ziifx.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2796	2648	3a5c7544f105f43cd94227ba4844167c42538e4ac4f5944ef4528f0521b3cce7N.exe	30
PID 2648 wrote to memory of 2796	2648	3a5c7544f105f43cd94227ba4844167c42538e4ac4f5944ef4528f0521b3cce7N.exe	30
PID 2648 wrote to memory of 2796	2648	3a5c7544f105f43cd94227ba4844167c42538e4ac4f5944ef4528f0521b3cce7N.exe	30
PID 2648 wrote to memory of 2796	2648	3a5c7544f105f43cd94227ba4844167c42538e4ac4f5944ef4528f0521b3cce7N.exe	30
PID 2648 wrote to memory of 2404	2648	3a5c7544f105f43cd94227ba4844167c42538e4ac4f5944ef4528f0521b3cce7N.exe	31
PID 2648 wrote to memory of 2404	2648	3a5c7544f105f43cd94227ba4844167c42538e4ac4f5944ef4528f0521b3cce7N.exe	31
PID 2648 wrote to memory of 2404	2648	3a5c7544f105f43cd94227ba4844167c42538e4ac4f5944ef4528f0521b3cce7N.exe	31
PID 2648 wrote to memory of 2404	2648	3a5c7544f105f43cd94227ba4844167c42538e4ac4f5944ef4528f0521b3cce7N.exe	31
PID 2796 wrote to memory of 2764	2796	eztim.exe	34
PID 2796 wrote to memory of 2764	2796	eztim.exe	34
PID 2796 wrote to memory of 2764	2796	eztim.exe	34
PID 2796 wrote to memory of 2764	2796	eztim.exe	34

C:\Users\Admin\AppData\Local\Temp\3a5c7544f105f43cd94227ba4844167c42538e4ac4f5944ef4528f0521b3cce7N.exe
"C:\Users\Admin\AppData\Local\Temp\3a5c7544f105f43cd94227ba4844167c42538e4ac4f5944ef4528f0521b3cce7N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\eztim.exe
  "C:\Users\Admin\AppData\Local\Temp\eztim.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\ziifx.exe
    "C:\Users\Admin\AppData\Local\Temp\ziifx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
351e5035882ef3fb0980c333d9438712

SHA1
7ac142096eeb461f8b1daa080d1412ddd2003ae3

SHA256
302ff071987d3fa0420ddb9dc5844949feb835d36646a9649fa60947ae5b7874

SHA512
2a7760e88a0bdbfe0dcadc2ca67eeb1b2321b524b617029fa923636237bdd10eac0e0961448586901eb4bf66f843476a81ab9b44b4cbe05a29c881c0d6cd3922

Download Submit
C:\Users\Admin\AppData\Local\Temp\eztim.exe

Filesize
505KB

MD5
db917fd8c7134c309f8051d74c2f53ee

SHA1
db227d3ff43a2e3ac15843d591ce7695b0e89487

SHA256
f6f5ce1e1fc9108ff9f6a1d4c7f7fdf94e5f334f8ee14e5d7ca2ebebdd790fea

SHA512
37650f3ff60f36fc158f31cc15673e58222686c94af1dc7b75f6bb37f928eacac42cf6a1c0c353e86974efd3cbd63514bd90aa64bdea44cfe82f37415afe40f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5da1a57ba68670f9f451620208d37554

SHA1
f885bad40caf9a4afa3852a1cbf4624848085b6c

SHA256
5b575434ad1bedabb00a98a6605a1fc4ddf1e1538dd7d5e68000bb8df8ddcf3c

SHA512
f0c67b23b7853cddbbcd189c883864938cd9071306af1414dee20ebfe8941ca485445e3a5bab1694a8081bff3848953db0c102220fe113ba3f12365a4a44e856

Download Submit
\Users\Admin\AppData\Local\Temp\eztim.exe

Filesize
505KB

MD5
2d8a2efd8ef373a93eb14d462b27d4c2

SHA1
2fafa15fe4d2bdda764cc394ce409d587e8ea874

SHA256
a9ac6efbd1e217c34e11a12da2f1c66e428ae79dc0d72167be0d9ea9153ba2c0

SHA512
e17a26201e2ed454c7565768eefb73309a5cf0527069e8b03d0fe153d12571edb70d77b0991b3fbd6d283c5a18a374e682ffafccc4a194d6ba495ca4e521eb61

Download Submit
\Users\Admin\AppData\Local\Temp\ziifx.exe

Filesize
218KB

MD5
15c185bb24d93d7a28cd1d957ba4fb62

SHA1
10ac106e261319f785a744ce5793fc23d0daa676

SHA256
63f56e0783566c349b02d68862e66706b413fb186f630eb1e9867fa0ae8bd147

SHA512
40a3ad675b623498cba41c8b3355132f82e85a15b1e004d3ddca0e6624b72999c49fb99ccd592c141f5df8611ff3ff4293250dc6c343d13e6cd0d30f46597429

Download Submit
memory/2648-8-0x00000000027F0000-0x0000000002876000-memory.dmp

Filesize
536KB

Download
memory/2648-18-0x0000000000C80000-0x0000000000D06000-memory.dmp

Filesize
536KB

Download
memory/2648-0-0x0000000000C80000-0x0000000000D06000-memory.dmp

Filesize
536KB

Download
memory/2764-29-0x0000000000BB0000-0x0000000000C6B000-memory.dmp

Filesize
748KB

Download
memory/2764-33-0x0000000000BB0000-0x0000000000C6B000-memory.dmp

Filesize
748KB

Download
memory/2764-34-0x0000000000BB0000-0x0000000000C6B000-memory.dmp

Filesize
748KB

Download
memory/2796-16-0x00000000001D0000-0x0000000000256000-memory.dmp

Filesize
536KB

Download
memory/2796-21-0x00000000001D0000-0x0000000000256000-memory.dmp

Filesize
536KB

Download
memory/2796-27-0x0000000002F90000-0x000000000304B000-memory.dmp

Filesize
748KB

Download
memory/2796-30-0x00000000001D0000-0x0000000000256000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing