urelas | 77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09

General

Target

77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
Size

438KB
MD5

b40e208afec48c1c8d1e41e87d015453
SHA1

56fedd2c3fa4b49bd550ef362180e8d7a26b334f
SHA256

77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09
SHA512

f104219b752306fe690607f2d123dd2d1604d6b36257eaebe58696bbd2beb2454b32b20c7779ce2a24af083ec2cc1744fe3e53323448430e39d88be9ffed0316
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMM2:rKf1PyKa2H3hOHOHz9JQ6zB8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2060	rocie.exe
2812	jyygn.exe

Loads dropped DLL 2 IoCs

pid	Process
1968	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
2060	rocie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jyygn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rocie.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe
2812	jyygn.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2060	1968	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	30
PID 1968 wrote to memory of 2060	1968	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	30
PID 1968 wrote to memory of 2060	1968	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	30
PID 1968 wrote to memory of 2060	1968	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	30
PID 1968 wrote to memory of 2476	1968	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	31
PID 1968 wrote to memory of 2476	1968	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	31
PID 1968 wrote to memory of 2476	1968	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	31
PID 1968 wrote to memory of 2476	1968	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	31
PID 2060 wrote to memory of 2812	2060	rocie.exe	34
PID 2060 wrote to memory of 2812	2060	rocie.exe	34
PID 2060 wrote to memory of 2812	2060	rocie.exe	34
PID 2060 wrote to memory of 2812	2060	rocie.exe	34

C:\Users\Admin\AppData\Local\Temp\77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
"C:\Users\Admin\AppData\Local\Temp\77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\rocie.exe
  "C:\Users\Admin\AppData\Local\Temp\rocie.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\jyygn.exe
    "C:\Users\Admin\AppData\Local\Temp\jyygn.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
18cf1d671fe761828e90f702d62429ba

SHA1
e2bde96e97376e360e63107ca7c97bae293545ca

SHA256
a84a755ffdbdaa156ddb7f8143e74d3f64e00de1c01cd0382c38a9b6eae0ad77

SHA512
42a26336d3c0c1184ad03c2987e18f331205a5df82babfbe4d13fa198066ca4bc8ee26543e3963878cb95a59191d8c477a3a975e0c8ea0cb2b31b24fa1202282

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3c9f15d92f3d9e31ef1517fee868af69

SHA1
23d859f45a2a4bb6cc1b7c533a54c1859172ca6e

SHA256
a91485099729cfbbaf0f5b0028fa7c52124f55612034e950f93ffb59d052e501

SHA512
493bb264a61071f683024da8cee9ff723d8c1372e38a10bfea4e6d3ecd5ec5b8d8e6663a419b11d54eabb8f47286320c76c21c0f8ec27cae3f4a375a0fa74c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\rocie.exe

Filesize
438KB

MD5
29eb38e71f6b13458a909d5be8fb2ba9

SHA1
e503238c20c60fdb0d366e8faa8edf0bc84b2cc8

SHA256
656bc34faaa24c7dbf00da0a990de68fa11b8c072c9f8e7662edd30d6ff97a80

SHA512
563fbef1a8aa6f332943fa434e42f6c3aa08ebd738542364ac2ae042aa257b147c195dd4dec7bf294632a707d9e5a7ee9ff2539e6e9cfb4897b497f0ce008fea

Download Submit
\Users\Admin\AppData\Local\Temp\jyygn.exe

Filesize
230KB

MD5
5deeb7a27501934bbee88b74b8beb7ca

SHA1
e3a51dcc686b42df665cff8ca997dc48a96d12f6

SHA256
3340175f5c3a87810f28300c03bc380ecfc977caf7a08db37c62e970fee96cb7

SHA512
cb08d30f9c99b91923bfd9dc0eb95c2a22ca5329fbd0ae23ca639d31b4ce1a3fd69c596c55a1920e1997a2f8db303ba0710951f7af0f4836fb407d40cce7f01f

Download Submit
\Users\Admin\AppData\Local\Temp\rocie.exe

Filesize
438KB

MD5
7f5e39479ec3b6df9227e6a281c8667e

SHA1
c17ab5c8d4605c1214aa248d96d1a5e29447cf29

SHA256
dd92e238876d2907a0326b1f66f01ccd285eb6d5b8f6ff7756309ef201bbe6bd

SHA512
7f89fe8dffa51de110ff484cf93ca65be3ef04bd38a78fc53c5c95966310694dbcb577145f4421a85183667ece3bc72ce2b4ddb3e1e0f185e299230090f28331

Download Submit
memory/1968-18-0x0000000000C10000-0x0000000000C7E000-memory.dmp

Filesize
440KB

Download
memory/1968-0-0x0000000000C10000-0x0000000000C7E000-memory.dmp

Filesize
440KB

Download
memory/1968-6-0x0000000000BA0000-0x0000000000C0E000-memory.dmp

Filesize
440KB

Download
memory/2060-17-0x0000000000C30000-0x0000000000C9E000-memory.dmp

Filesize
440KB

Download
memory/2060-21-0x0000000000C30000-0x0000000000C9E000-memory.dmp

Filesize
440KB

Download
memory/2060-27-0x0000000003CB0000-0x0000000003D4E000-memory.dmp

Filesize
632KB

Download
memory/2060-29-0x0000000000C30000-0x0000000000C9E000-memory.dmp

Filesize
440KB

Download
memory/2812-31-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2812-30-0x0000000000D50000-0x0000000000DEE000-memory.dmp

Filesize
632KB

Download
memory/2812-35-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2812-34-0x0000000000D50000-0x0000000000DEE000-memory.dmp

Filesize
632KB

Download
memory/2812-36-0x0000000000D50000-0x0000000000DEE000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing