urelas | b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815

General

Target

b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe
Size

338KB
MD5

2b943ee14b3fcd4d5986b1e10de923c0
SHA1

126da8396b67a6576c88678d9c71bbdc860eeee6
SHA256

b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815
SHA512

f0040014214a389814da9e895e1d333be6e294edbd143e2bef4db7c6c89ffb35c305dd4db849a0ce726d2e7d5974035dfa4d20434b1257f08fc6761866e326c1
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKogA:vHW138/iXWlK885rKlGSekcj66cis

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2528	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3052	nuzim.exe
2672	pewai.exe

Loads dropped DLL 2 IoCs

pid	Process
1308	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe
3052	nuzim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nuzim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pewai.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe
2672	pewai.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 3052	1308	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe	30
PID 1308 wrote to memory of 3052	1308	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe	30
PID 1308 wrote to memory of 3052	1308	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe	30
PID 1308 wrote to memory of 3052	1308	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe	30
PID 1308 wrote to memory of 2528	1308	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe	31
PID 1308 wrote to memory of 2528	1308	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe	31
PID 1308 wrote to memory of 2528	1308	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe	31
PID 1308 wrote to memory of 2528	1308	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe	31
PID 3052 wrote to memory of 2672	3052	nuzim.exe	34
PID 3052 wrote to memory of 2672	3052	nuzim.exe	34
PID 3052 wrote to memory of 2672	3052	nuzim.exe	34
PID 3052 wrote to memory of 2672	3052	nuzim.exe	34

C:\Users\Admin\AppData\Local\Temp\b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe
"C:\Users\Admin\AppData\Local\Temp\b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\nuzim.exe
  "C:\Users\Admin\AppData\Local\Temp\nuzim.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\pewai.exe
    "C:\Users\Admin\AppData\Local\Temp\pewai.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
65abadae7463d90004aa7d5b0c2ae35a

SHA1
a4a95bd5e8c540bb83546286f31451a59ab2d77c

SHA256
0744cd2dd7d7a3a618b247817032cd9505f545cdedb59b35488e687be947fcd9

SHA512
6c35c023b335618fe7d112bfa2b46197317767bfb87ab34d66e05a5c123c440011ce6dc6e1973bfca0302418255366f12560214b42c8904782bf4fb334fd276c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9eb2296af05edd450bd81f6397196602

SHA1
7ae1222b58a8e66c11b6446c96fbed6fda4817da

SHA256
0e612cf8a452006dfae83c96edae01133150643064abb4d57a0fd21d8b958cc3

SHA512
10eae88c723283225ec7615c2aad02a2ac7a9123a174df4e6d5ab5276b4c2a962456107017400a42f2d0091cbf0c7b9d1ae55a32b4cf0a30c2c693077c57ad7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuzim.exe

Filesize
338KB

MD5
26e645972c3564599c1f7dfe96565806

SHA1
affb6198759ee55225dc30cb3cb2a576dc490d2f

SHA256
e085f44738b4e3f611e39a3613b3b45a5615ccf7aef9761262a4a83a82829ff9

SHA512
a72c912f1a1b240379f5f58a3b3e80a325745ded0d95681f0e296d61fb6bbb06d207ba1c4282ca30bb49dbc404f4719709c2bb761e9e71cf0fea481ff1b40655

Download Submit
\Users\Admin\AppData\Local\Temp\nuzim.exe

Filesize
338KB

MD5
e836e7359215b08e75a31bfa74d3bb72

SHA1
809a05221c45db92323431ba1d90fc6d79e1dced

SHA256
441d92940ba45326e6058128403d14478332241dd829954f7b790461e01d25b0

SHA512
484d3eb51b93a53485cc45bcbc9c2a3dd83d5b18e6e17619b2ed32c1704dbc5d854bdd3f659d40a1ce0f1da69b3db290a87c153ca0f14c9957326e5de58ff833

Download Submit
\Users\Admin\AppData\Local\Temp\pewai.exe

Filesize
172KB

MD5
467ba3053a2c5b5174801e18265b353e

SHA1
0ddefce027976cfab129b9f32fe0f26865dcebee

SHA256
813694662706f7c9647148937cc8daf2b8ec60c286400841d3269ccfef04536d

SHA512
d7a75a68fea4f92cdadec5eb6a363e9c87bf83186cef16b7365f2b46e1c5589767d9defc2154f51db110caad65420567d4648adeeb719b5524692d0f06cf455b

Download Submit
memory/1308-16-0x00000000024A0000-0x0000000002521000-memory.dmp

Filesize
516KB

Download
memory/1308-0-0x0000000000CF0000-0x0000000000D71000-memory.dmp

Filesize
516KB

Download
memory/1308-19-0x0000000000CF0000-0x0000000000D71000-memory.dmp

Filesize
516KB

Download
memory/1308-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2672-41-0x0000000000860000-0x00000000008F9000-memory.dmp

Filesize
612KB

Download
memory/2672-50-0x0000000000860000-0x00000000008F9000-memory.dmp

Filesize
612KB

Download
memory/2672-49-0x0000000000860000-0x00000000008F9000-memory.dmp

Filesize
612KB

Download
memory/2672-44-0x0000000000860000-0x00000000008F9000-memory.dmp

Filesize
612KB

Download
memory/3052-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3052-38-0x0000000002080000-0x0000000002119000-memory.dmp

Filesize
612KB

Download
memory/3052-43-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download
memory/3052-25-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download
memory/3052-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3052-21-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing