urelas | 94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514

General

Target

94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe
Size

336KB
MD5

19b406150aae970923a4e9bc42c66055
SHA1

4e9391aa9520c698034cca8a91327ddd600e5a33
SHA256

94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514
SHA512

f21ac5c482a4089248f113e3048b71c977764a53c2d962ccb4dc81475be4533d32bf496d776f5a9bc806281db5a6db5bb66e045a54047ad550d2cb81553bd1c6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoH:vHW138/iXWlK885rKlGSekcj66ciI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2112	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2116	upkuq.exe
2988	izxem.exe

Loads dropped DLL 2 IoCs

pid	Process
1972	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe
2116	upkuq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upkuq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	izxem.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe
2988	izxem.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2116	1972	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	30
PID 1972 wrote to memory of 2116	1972	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	30
PID 1972 wrote to memory of 2116	1972	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	30
PID 1972 wrote to memory of 2116	1972	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	30
PID 1972 wrote to memory of 2112	1972	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	31
PID 1972 wrote to memory of 2112	1972	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	31
PID 1972 wrote to memory of 2112	1972	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	31
PID 1972 wrote to memory of 2112	1972	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	31
PID 2116 wrote to memory of 2988	2116	upkuq.exe	34
PID 2116 wrote to memory of 2988	2116	upkuq.exe	34
PID 2116 wrote to memory of 2988	2116	upkuq.exe	34
PID 2116 wrote to memory of 2988	2116	upkuq.exe	34

C:\Users\Admin\AppData\Local\Temp\94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe
"C:\Users\Admin\AppData\Local\Temp\94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\upkuq.exe
  "C:\Users\Admin\AppData\Local\Temp\upkuq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\izxem.exe
    "C:\Users\Admin\AppData\Local\Temp\izxem.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a50f54bc29a7cdfb931e2bf8607a518e

SHA1
8b117c06e00f4d79b128f8367d6900d999e971cc

SHA256
84cae3b8371c6af45250f3a8eef7cba289acc45afc0c810acbaf4efabf9b48df

SHA512
be6afa81df2fc657bc6fa3978a6784fe16f3e6393b264b34164eff8f77794a0e34bf894e38dec5cc1c22138d65099053c0848839d87d46c4d4701b363c1fd322

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b26251b9e545006071dc83ea11a286ff

SHA1
b1da4b99edbe0358defcaa45d61baf63443edf0f

SHA256
cadd949c35144e59b0145912aec550ef07e9506f68e4c670e2e99d4d8ce489e9

SHA512
5bf28b5ad4acc393bad76ef5249e596cc59fdc031c79c5401c7d3b142b3ddb22e42fac97961418165aa59117631068a3b080fc594993bf545c9acedead8f1f2d

Download Submit
\Users\Admin\AppData\Local\Temp\izxem.exe

Filesize
172KB

MD5
14afdf0e103b11842a681bdb6cc60407

SHA1
99839ca42309c25be01c90c637499cd70866bddc

SHA256
28632435447dedc1e8f32b44daa18eb01f5260ed93760ad9c2daf7b9eea6e82e

SHA512
e8f43a4256522a16aef131b29d8c35e66fa09a6e2a966d80c6e473e1da7b1e23b30c1ff0d09ab9a208d67e987bbfa9e4a7f24a6ee9b716d08c67d3afc6cfbca5

Download Submit
\Users\Admin\AppData\Local\Temp\upkuq.exe

Filesize
336KB

MD5
497e2f804e5e3954afcf55b72d2ae501

SHA1
8fd357121ecb9055c7f932358355356d07a11021

SHA256
6688a6cabeab83446ae4857154bf5ad37acce8edebae6c42c9b38a6e3f9a0778

SHA512
6d8e5313274dd817b1ae086c74610d682cd3fcebe4174401b1aa263a37d8e61de32d2d69377b6dfc36e8a7cbcaed4c85bb1e4e3043d0236a637fd2aee62a763f

Download Submit
memory/1972-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1972-0-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/1972-20-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/2116-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2116-10-0x0000000000F90000-0x0000000001011000-memory.dmp

Filesize
516KB

Download
memory/2116-23-0x0000000000F90000-0x0000000001011000-memory.dmp

Filesize
516KB

Download
memory/2116-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2116-40-0x0000000000F90000-0x0000000001011000-memory.dmp

Filesize
516KB

Download
memory/2116-38-0x00000000036F0000-0x0000000003789000-memory.dmp

Filesize
612KB

Download
memory/2988-42-0x0000000000FD0000-0x0000000001069000-memory.dmp

Filesize
612KB

Download
memory/2988-43-0x0000000000FD0000-0x0000000001069000-memory.dmp

Filesize
612KB

Download
memory/2988-47-0x0000000000FD0000-0x0000000001069000-memory.dmp

Filesize
612KB

Download
memory/2988-48-0x0000000000FD0000-0x0000000001069000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing