urelas | bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904

General

Target

bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe
Size

337KB
MD5

5ce7a119af90e0558ac742b7ff225c75
SHA1

25c01e283782c843a1600e626960d968aead0a70
SHA256

bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904
SHA512

5da612dbe40bbb694ea1831a885dc7ad5a21f2f0ffa60b5bf0b026ed9db66eb8f0dac22a0c5c0a9a0ee0e39759bccdd66b8d925282f94c259564f4c29c5d1874
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcV7:vHW138/iXWlK885rKlGSekcj66ciw

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2064	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
560	diwyr.exe
816	uhzyl.exe

Loads dropped DLL 2 IoCs

pid	Process
320	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe
560	diwyr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diwyr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uhzyl.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe
816	uhzyl.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 560	320	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe	31
PID 320 wrote to memory of 560	320	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe	31
PID 320 wrote to memory of 560	320	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe	31
PID 320 wrote to memory of 560	320	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe	31
PID 320 wrote to memory of 2064	320	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe	32
PID 320 wrote to memory of 2064	320	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe	32
PID 320 wrote to memory of 2064	320	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe	32
PID 320 wrote to memory of 2064	320	bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe	32
PID 560 wrote to memory of 816	560	diwyr.exe	35
PID 560 wrote to memory of 816	560	diwyr.exe	35
PID 560 wrote to memory of 816	560	diwyr.exe	35
PID 560 wrote to memory of 816	560	diwyr.exe	35

C:\Users\Admin\AppData\Local\Temp\bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe
"C:\Users\Admin\AppData\Local\Temp\bca240552a66cb7cc3f33b2b866746372ce9d41ad3cc69fc963d39ed0a308904.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:320
- C:\Users\Admin\AppData\Local\Temp\diwyr.exe
  "C:\Users\Admin\AppData\Local\Temp\diwyr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Users\Admin\AppData\Local\Temp\uhzyl.exe
    "C:\Users\Admin\AppData\Local\Temp\uhzyl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
6880b3379b9d40192e5012b8c8cb3222

SHA1
e357f42e373ae361fae6047eb190e3c9890a94a9

SHA256
3c691ecfa121e010e049f3d10dcc1c8451a92200ecf7ff6fc86160ea8dfc944e

SHA512
8b6cb9c7d6db9ffb4bd7fd7aa58aab5778cca5e2641b7aa362ece5b32575a9cd2d4dd7859e4251f9ecf6c6c861aa7b3d8c1877babcde20db9c05f2afa68855ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e600064149a6081911c637d62fd20a9c

SHA1
5a9bf08c5391cf7fd4a1b97d2dab70015a821261

SHA256
2b1a0323c657b55bd2f290d54d9fd3a1d18c7a9140f4fe217a844ef45a924846

SHA512
82e209aabe40533e7c3e0ec84ea14f2df9fac2e367a6f772c8aeb8ca23ee2b6fcd9d3469e01106e6367344a338e9f3fac66b86d23047a230c525b1d83f83edff

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhzyl.exe

Filesize
172KB

MD5
165f1ff137ab1ca578d75266dd0c1283

SHA1
77f74e14a9668401c6634bf7848e3607519067bf

SHA256
dcff42bb030cd19d20068574fb9a12ad26593922172260b05b2ec8be716dd5bc

SHA512
c144f79a5d41d721dc4af5079ab86d44a3dc7e0a03f1521054cbabe9f09e5a451055c126f7ceb6caf5d745b756e6b5fa5aee117a78e56825fcf11709d3cc86d3

Download Submit
\Users\Admin\AppData\Local\Temp\diwyr.exe

Filesize
337KB

MD5
f27515487559bc0766548f2ae6ddd9bf

SHA1
7c2d9f3b5b053a15cf56958857d101b06d011b29

SHA256
27b2ac8106f908b8c880890f872b8f6513dc9f1e233471e813ce586aeb6e513f

SHA512
c33c5fdece6a092a1c993e200b57ddc3e0b05bd3515f400cd38273299bd3f64d44e16455410f0b55e496f4a6e3b061f20f6e3532948200c1b5b62e30753e4744

Download Submit
memory/320-0-0x0000000000DC0000-0x0000000000E41000-memory.dmp

Filesize
516KB

Download
memory/320-9-0x0000000002780000-0x0000000002801000-memory.dmp

Filesize
516KB

Download
memory/320-21-0x0000000000DC0000-0x0000000000E41000-memory.dmp

Filesize
516KB

Download
memory/320-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/560-12-0x00000000010D0000-0x0000000001151000-memory.dmp

Filesize
516KB

Download
memory/560-24-0x00000000010D0000-0x0000000001151000-memory.dmp

Filesize
516KB

Download
memory/560-13-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/560-39-0x00000000010D0000-0x0000000001151000-memory.dmp

Filesize
516KB

Download
memory/816-44-0x0000000001380000-0x0000000001419000-memory.dmp

Filesize
612KB

Download
memory/816-41-0x0000000001380000-0x0000000001419000-memory.dmp

Filesize
612KB

Download
memory/816-46-0x0000000001380000-0x0000000001419000-memory.dmp

Filesize
612KB

Download
memory/816-47-0x0000000001380000-0x0000000001419000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing