urelas | dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4

General

Target

dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe
Size

337KB
MD5

2ce6c45531d66440c0c8d873ea9fee60
SHA1

d1807d51421c176e6b59c7e401ccbf10e488fa7e
SHA256

dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4
SHA512

583805c1320b19ca44ba4e496d3ba068a0dc7a412f96a270d4a80d7a33b49040b03d8ca3065bdc8649f166d686fc54c07aa8a4238cc1dccf78ecd5bbd2a05c54
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoa:vHW138/iXWlK885rKlGSekcj66ciP

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
352	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2336	keruq.exe
2352	nodak.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe
2336	keruq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keruq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nodak.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe
2352	nodak.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2336	2392	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe	30
PID 2392 wrote to memory of 2336	2392	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe	30
PID 2392 wrote to memory of 2336	2392	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe	30
PID 2392 wrote to memory of 2336	2392	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe	30
PID 2392 wrote to memory of 352	2392	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe	31
PID 2392 wrote to memory of 352	2392	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe	31
PID 2392 wrote to memory of 352	2392	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe	31
PID 2392 wrote to memory of 352	2392	dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe	31
PID 2336 wrote to memory of 2352	2336	keruq.exe	34
PID 2336 wrote to memory of 2352	2336	keruq.exe	34
PID 2336 wrote to memory of 2352	2336	keruq.exe	34
PID 2336 wrote to memory of 2352	2336	keruq.exe	34

C:\Users\Admin\AppData\Local\Temp\dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe
"C:\Users\Admin\AppData\Local\Temp\dc777e7ef05d8a6f162fdf5240cbc4e20d46fcb86632636e7c5f108be019e3b4N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\keruq.exe
  "C:\Users\Admin\AppData\Local\Temp\keruq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\nodak.exe
    "C:\Users\Admin\AppData\Local\Temp\nodak.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
afa2643704a00f92eae795c03cd97c08

SHA1
8577ed73b7e16c5e9adc919b91d7904249548afa

SHA256
dbb261a200543e4a82ad4b487c626a6ed3f71f14d83af99079e1a047b6ad5e11

SHA512
0b490ce654b85303043a2e24e10814f70f172babc16cc0b2770c74e63e1068d0740700832629d4973da5cbce2d87d18cf42003744496bf2304049bdb9df6a06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
774e1f73329b1ef20404848cf1de403f

SHA1
ff328d3b0ef87c8764ac0082d98009ac81fc0091

SHA256
b9933efc0bff07e9efada91d56812f6bd0233d5df7fce6ba642c346636eb6d39

SHA512
07caf3656aa789813e35bd11cfcf64327154782d486cc8400186e3a16f28264c84eda86b63c24c7eaa0bae22541ece1e893cc4441d6c13ce074fa442bcf87d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\keruq.exe

Filesize
337KB

MD5
888a87a016d64656417ae148a235a893

SHA1
948977dbca34f6f291859d8f44e98c10f9ca6313

SHA256
a4c0667657b3a444fda23d44ebb788d465e025e6d0399b9a34cf8340142896ee

SHA512
3f6e41b9fdf73771c98b648c7b507a7b08ba33bf9ba585bf3fb069c8e96e64dbc551493787e42ed5a0bb006fc1acbbe5d15d5d36c45391bc7b1e3a1a4306774e

Download Submit
\Users\Admin\AppData\Local\Temp\nodak.exe

Filesize
172KB

MD5
88229393ab1e227d797c0bb356209bb4

SHA1
6ebf0c8c05b25f277991121bf37406d96b028d85

SHA256
85da2e603b01efd7bb789535485c4c5884ecc62139ab1c5e59d96dee7cc553c2

SHA512
72e879271268364a641bd37a5f1d243cdce0b361ff7d129212051a783abe249210b7af4a4a22180de8d7e67cb2d5f68b4458119682d595bdbe55390d2890a551

Download Submit
memory/2336-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2336-20-0x0000000000A30000-0x0000000000AB1000-memory.dmp

Filesize
516KB

Download
memory/2336-24-0x0000000000A30000-0x0000000000AB1000-memory.dmp

Filesize
516KB

Download
memory/2336-41-0x0000000000A30000-0x0000000000AB1000-memory.dmp

Filesize
516KB

Download
memory/2336-37-0x0000000004020000-0x00000000040B9000-memory.dmp

Filesize
612KB

Download
memory/2352-42-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/2352-45-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/2352-47-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/2352-48-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/2392-19-0x0000000001F80000-0x0000000002001000-memory.dmp

Filesize
516KB

Download
memory/2392-18-0x00000000001B0000-0x0000000000231000-memory.dmp

Filesize
516KB

Download
memory/2392-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2392-0-0x00000000001B0000-0x0000000000231000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing