urelas | 106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0

General

Target

106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe
Size

336KB
MD5

184521dc985f9347420decd07ebb3d1a
SHA1

a97891c7a46cc0cc8e88a8d60ef4c7b91044d136
SHA256

106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0
SHA512

0c5b90441faf0057e8016f6dc696acd7860eb0cf7884f110299cf7727a249588a5cf7bbb76c2633113521acc71956e449eb07cf8cc52f54eae5831d4537a9d93
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKv:vHW138/iXWlK885rKlGSekcj66ci3

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1664	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2300	xoryj.exe
1876	okoqu.exe

Loads dropped DLL 2 IoCs

pid	Process
2900	106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe
2300	xoryj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	okoqu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoryj.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe
1876	okoqu.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2300	2900	106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe	28
PID 2900 wrote to memory of 2300	2900	106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe	28
PID 2900 wrote to memory of 2300	2900	106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe	28
PID 2900 wrote to memory of 2300	2900	106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe	28
PID 2900 wrote to memory of 1664	2900	106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe	29
PID 2900 wrote to memory of 1664	2900	106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe	29
PID 2900 wrote to memory of 1664	2900	106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe	29
PID 2900 wrote to memory of 1664	2900	106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe	29
PID 2300 wrote to memory of 1876	2300	xoryj.exe	33
PID 2300 wrote to memory of 1876	2300	xoryj.exe	33
PID 2300 wrote to memory of 1876	2300	xoryj.exe	33
PID 2300 wrote to memory of 1876	2300	xoryj.exe	33

C:\Users\Admin\AppData\Local\Temp\106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe
"C:\Users\Admin\AppData\Local\Temp\106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\xoryj.exe
  "C:\Users\Admin\AppData\Local\Temp\xoryj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\okoqu.exe
    "C:\Users\Admin\AppData\Local\Temp\okoqu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
cf966dec08dde4c3034c5a706d158e3b

SHA1
c33b0e814351a9171961f81f518bff55e4d8869a

SHA256
017d9fabd48f983facaa2620c870ebe44f8d0ef5eb7dda609fd87825b4c68ca1

SHA512
1a559c741e53669a9459b3bef758016c4819f58dac75209caf81be1e9f86bd2be89b3d09e6529931d834821c994fe4503e229b3ec29b8d2e598e7ea4077101ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e2b14fc39f7b7a3ffda561df5f394458

SHA1
ffea5ccc9b8e2ef5d5679db5b51944b81e923945

SHA256
21760ade497e6d8b410c2184c0c7756c1289d5d00feb7cc0c9f3b56931fc48ef

SHA512
7483ecc5afdc992291c64a577f9dff4d0d1b1ed1bbf84ee54e786a70befe7721cfbb143dda4751de7ba000ebe63279ad8390024553d9c294796c0bc3a8b944d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoryj.exe

Filesize
336KB

MD5
dd7a22508dada6fc480bd524504ac1eb

SHA1
9d44bf3a74df871c49a4f07c5528a8fa7544c053

SHA256
40de561d34a5d75ac52764e267e77e89b549facde20a9d68b2a7e251dfbdc37b

SHA512
9d30da3fc08729e2618c05d8fe01cba1848a08bebd350caac787183f437666f8dafa669f3b3ae82f00574caa8f8e3f986cd7884a688852716f4883b7d6a0ed7c

Download Submit
\Users\Admin\AppData\Local\Temp\okoqu.exe

Filesize
172KB

MD5
2da585e9b11ba5f76729e67a8c7b5f4b

SHA1
ca04698045ab0e98249f85a59b0758d94f228b33

SHA256
41e918dd1c1bc55adcaeda964252090a2fe02fed77ef0ae5634194d51db26fef

SHA512
31a16ca97cde29e0f3ee68490ec329aad1ba272b82741139b3d16055b80a2a601714d9403b8b01e81aa81ede96b42d87c7ded4ef69bc2a990829f595830340df

Download Submit
memory/1876-48-0x0000000001320000-0x00000000013B9000-memory.dmp

Filesize
612KB

Download
memory/1876-47-0x0000000001320000-0x00000000013B9000-memory.dmp

Filesize
612KB

Download
memory/1876-42-0x0000000001320000-0x00000000013B9000-memory.dmp

Filesize
612KB

Download
memory/1876-43-0x0000000001320000-0x00000000013B9000-memory.dmp

Filesize
612KB

Download
memory/2300-24-0x0000000000AE0000-0x0000000000B61000-memory.dmp

Filesize
516KB

Download
memory/2300-20-0x0000000000AE0000-0x0000000000B61000-memory.dmp

Filesize
516KB

Download
memory/2300-36-0x0000000003600000-0x0000000003699000-memory.dmp

Filesize
612KB

Download
memory/2300-41-0x0000000000AE0000-0x0000000000B61000-memory.dmp

Filesize
516KB

Download
memory/2300-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2900-17-0x00000000027C0000-0x0000000002841000-memory.dmp

Filesize
516KB

Download
memory/2900-19-0x00000000009A0000-0x0000000000A21000-memory.dmp

Filesize
516KB

Download
memory/2900-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2900-0-0x00000000009A0000-0x0000000000A21000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing