urelas | cee1bc86eb71016a79efd8e4976214628ff7e37ede143c5c2be86dc4e7a79ee2

General

Target

cee1bc86eb71016a79efd8e4976214628ff7e37ede143c5c2be86dc4e7a79ee2N.exe
Size

336KB
MD5

900e3c4800edb1517eb5ab6b4d66ae20
SHA1

ab87969f9b60e8247657d83e4a961206cac9ca5f
SHA256

cee1bc86eb71016a79efd8e4976214628ff7e37ede143c5c2be86dc4e7a79ee2
SHA512

74989e01fd82f76b31e040757227a73c671f14abeb6317505d65ab84e9d45afc07bfa4d1079f174b31f9f5b66fa712371d20a6376c7a2d9718dc73fddb0078c0
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKD:vHW138/iXWlK885rKlGSekcj66cib

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
988	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3056	quvig.exe
2532	bygul.exe

Loads dropped DLL 2 IoCs

pid	Process
2076	cee1bc86eb71016a79efd8e4976214628ff7e37ede143c5c2be86dc4e7a79ee2N.exe
3056	quvig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cee1bc86eb71016a79efd8e4976214628ff7e37ede143c5c2be86dc4e7a79ee2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quvig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bygul.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe
2532	bygul.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 3056	2076	cee1bc86eb71016a79efd8e4976214628ff7e37ede143c5c2be86dc4e7a79ee2N.exe	30
PID 2076 wrote to memory of 3056	2076	cee1bc86eb71016a79efd8e4976214628ff7e37ede143c5c2be86dc4e7a79ee2N.exe	30
PID 2076 wrote to memory of 3056	2076	cee1bc86eb71016a79efd8e4976214628ff7e37ede143c5c2be86dc4e7a79ee2N.exe	30
PID 2076 wrote to memory of 3056	2076	cee1bc86eb71016a79efd8e4976214628ff7e37ede143c5c2be86dc4e7a79ee2N.exe	30
PID 2076 wrote to memory of 988	2076	cee1bc86eb71016a79efd8e4976214628ff7e37ede143c5c2be86dc4e7a79ee2N.exe	31
PID 2076 wrote to memory of 988	2076	cee1bc86eb71016a79efd8e4976214628ff7e37ede143c5c2be86dc4e7a79ee2N.exe	31
PID 2076 wrote to memory of 988	2076	cee1bc86eb71016a79efd8e4976214628ff7e37ede143c5c2be86dc4e7a79ee2N.exe	31
PID 2076 wrote to memory of 988	2076	cee1bc86eb71016a79efd8e4976214628ff7e37ede143c5c2be86dc4e7a79ee2N.exe	31
PID 3056 wrote to memory of 2532	3056	quvig.exe	34
PID 3056 wrote to memory of 2532	3056	quvig.exe	34
PID 3056 wrote to memory of 2532	3056	quvig.exe	34
PID 3056 wrote to memory of 2532	3056	quvig.exe	34

C:\Users\Admin\AppData\Local\Temp\cee1bc86eb71016a79efd8e4976214628ff7e37ede143c5c2be86dc4e7a79ee2N.exe
"C:\Users\Admin\AppData\Local\Temp\cee1bc86eb71016a79efd8e4976214628ff7e37ede143c5c2be86dc4e7a79ee2N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\quvig.exe
  "C:\Users\Admin\AppData\Local\Temp\quvig.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\bygul.exe
    "C:\Users\Admin\AppData\Local\Temp\bygul.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
84a4799d98db15962cdd4ec359000964

SHA1
fc7bcac9a429f946f852cb5d67d1dbd28efc4907

SHA256
1a31c4e4f549319670cad2056db93c0d7f20b5e8f0cedcf6330b3bc10f0ede59

SHA512
cbbd162e3a25886a94bceb1d18ad1b24bf9726e15f0ecfdf3564c4e6db1266dd3b98a348e0ff9f7ae4573eeb5ccc63941f6f5da161f8a8a977c680a29ddce504

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3c9f0d8030a16530bf4c75023c2db68c

SHA1
ee7069cf7a8fae0451c6bde0c2a2eab04ef4fcef

SHA256
a3a0f2ab02f67c4921a3fc15b6fa7a0dcb80e049f0871e45a32ab926faae6eac

SHA512
41606d8936c10d31bdf6450baeb25f9fd7dbaef6d9b7c12af9b89b4e0b57dbf3366299d999de07f7f4bbc5068a2defc94bf2567088829607da5c6acb743f076d

Download Submit
\Users\Admin\AppData\Local\Temp\bygul.exe

Filesize
172KB

MD5
bc53a48941680d66ea77b5c55de0b1f8

SHA1
60102be940b277f9e73c16ac229963e295b0dddd

SHA256
77ea923ab7e8861c9914c6766528e675f6c9c2d2ad8f1ac07d7cd44588d501b0

SHA512
73e6cccc398c016577eba420254423bd80776176edb79667f583a066c45c4879b71f91e11801a9079f6e622959dc208c4b5813e40dfaa2903a2a35c2b9dc132d

Download Submit
\Users\Admin\AppData\Local\Temp\quvig.exe

Filesize
336KB

MD5
3cc2c2b21c36df2f6421b795c6529f38

SHA1
b8cf4a6fb42fe470966228ce979ac5ea9b448dd4

SHA256
f75864e69398467f4949b41b1399b09d2534f36867f6bc622512b8b408398a1f

SHA512
db188f7531d33257a72db2a2191611b2680de16468c4e0f09f23917b57233b5e0fe8e390203050cfd3b4aeb750fa9dfb5c5b0576a0b6b1beb135415ff3490e01

Download Submit
memory/2076-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2076-9-0x00000000026F0000-0x0000000002771000-memory.dmp

Filesize
516KB

Download
memory/2076-0-0x00000000011F0000-0x0000000001271000-memory.dmp

Filesize
516KB

Download
memory/2076-21-0x00000000011F0000-0x0000000001271000-memory.dmp

Filesize
516KB

Download
memory/2532-43-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/2532-49-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/2532-48-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/2532-44-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/3056-11-0x00000000013E0000-0x0000000001461000-memory.dmp

Filesize
516KB

Download
memory/3056-42-0x00000000013E0000-0x0000000001461000-memory.dmp

Filesize
516KB

Download
memory/3056-40-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/3056-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3056-24-0x00000000013E0000-0x0000000001461000-memory.dmp

Filesize
516KB

Download
memory/3056-13-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing