urelas | 2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953

General

Target

2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe
Size

336KB
MD5

ff1817b08ea77c8c294fbf1049f790dc
SHA1

f21658cb7f42b850e1fc3e93e439748906c79d43
SHA256

2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953
SHA512

adad32955a742b788b893237531065dc1ed9b7d74d2e0579f69c6d06910e630d5b161b3728db2d6cdd8d5ec306ca5a713f1d0c1104f5699062b4f5e6529271ef
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcV8:vHW138/iXWlK885rKlGSekcj66cit

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2716	puadg.exe
836	biuje.exe

Loads dropped DLL 2 IoCs

pid	Process
2172	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe
2716	puadg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biuje.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe
836	biuje.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2716	2172	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe	31
PID 2172 wrote to memory of 2716	2172	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe	31
PID 2172 wrote to memory of 2716	2172	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe	31
PID 2172 wrote to memory of 2716	2172	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe	31
PID 2172 wrote to memory of 2704	2172	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe	32
PID 2172 wrote to memory of 2704	2172	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe	32
PID 2172 wrote to memory of 2704	2172	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe	32
PID 2172 wrote to memory of 2704	2172	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe	32
PID 2716 wrote to memory of 836	2716	puadg.exe	34
PID 2716 wrote to memory of 836	2716	puadg.exe	34
PID 2716 wrote to memory of 836	2716	puadg.exe	34
PID 2716 wrote to memory of 836	2716	puadg.exe	34

C:\Users\Admin\AppData\Local\Temp\2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe
"C:\Users\Admin\AppData\Local\Temp\2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\puadg.exe
  "C:\Users\Admin\AppData\Local\Temp\puadg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\biuje.exe
    "C:\Users\Admin\AppData\Local\Temp\biuje.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
d9b0232951891b7faff98f26ba025c57

SHA1
10aa402f65ddac3a5009f7c6c55184fd1d3a0a5e

SHA256
592d5682515939e91049f2256fbc892e93543a64c19207ebbb6cf2f774c69cd5

SHA512
06696c7cc6480da54672b6d9a97d432f73a1dce7a062ba54a5c3f54ced7c743447ee8aeaaa825b97cdba771bc3216f469afd50bcaef1415f2543860fa48efea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
276f50d8efe8a807d4a4812c0c1f055c

SHA1
6caee72bca4cecaf2e29f5574a58935652b7c2af

SHA256
3ba67f92f349202778d2b4f5d2b61dc5f3ab37d76e7c3a57f1ed58ed30a9c0e4

SHA512
365109d361e98d2ac59706ef5903905e65aa00249581a6eca1b669a38f53ba2e585acd4d5f9069a80ef91841e06063eb7527544c349305747f690bdb5dad8bc8

Download Submit
\Users\Admin\AppData\Local\Temp\biuje.exe

Filesize
172KB

MD5
949ca45d94899e844879c588773f5e7f

SHA1
92f1581f587d93c7075add3d7e518dc2a6f7391d

SHA256
794fe5464b42b246b57c31f00b70a555ee3f8086317bb036aad1349d08f32cd0

SHA512
66db454621281f9dbd37e5966fa411839609f376a1bc1afef1d1718a18d12a03347eb8e6974e603dc1a33d97dc807882c6fdf64bb0dd4b0d9d8bae0523356ac5

Download Submit
\Users\Admin\AppData\Local\Temp\puadg.exe

Filesize
336KB

MD5
16f3398e811bf410a3b3458caa5f9b63

SHA1
4bb1eed6bef32594daeaf899e402f2c70e5a721a

SHA256
fe1b7b80c0a4e4266f2732752f406bc42569d8a939602f1b1af44fa2e3a52fc1

SHA512
0666e4a024513305fff3b539a695efc0d392c1ec45350471ae7f10cf2514cc11a5bf4b5d024c6f462793187d94078d418aad52ee3f609fb6d6bfa5c5db13660d

Download Submit
memory/836-44-0x00000000013C0000-0x0000000001459000-memory.dmp

Filesize
612KB

Download
memory/836-49-0x00000000013C0000-0x0000000001459000-memory.dmp

Filesize
612KB

Download
memory/836-48-0x00000000013C0000-0x0000000001459000-memory.dmp

Filesize
612KB

Download
memory/836-43-0x00000000013C0000-0x0000000001459000-memory.dmp

Filesize
612KB

Download
memory/2172-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2172-9-0x0000000002510000-0x0000000002591000-memory.dmp

Filesize
516KB

Download
memory/2172-21-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/2172-0-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/2716-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2716-24-0x0000000000F60000-0x0000000000FE1000-memory.dmp

Filesize
516KB

Download
memory/2716-42-0x0000000000F60000-0x0000000000FE1000-memory.dmp

Filesize
516KB

Download
memory/2716-38-0x0000000003620000-0x00000000036B9000-memory.dmp

Filesize
612KB

Download
memory/2716-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2716-11-0x0000000000F60000-0x0000000000FE1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing