urelas | 9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf

General

Target

9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe
Size

337KB
MD5

c1749cd7a60df883adf4d15377083478
SHA1

b89e18680af6018a480f4bb831a580be789711fd
SHA256

9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf
SHA512

3a29e2e822b263dd19fe1b2a10b25ffb75e0d4eb4c8e85d50e42ffed882b904a19266fe9d915a8cd62cdc9a42a61852e2426125e57db67951638824f4ceac33c
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoa:vHW138/iXWlK885rKlGSekcj66civ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2520	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3056	leluh.exe
1728	xuxyd.exe

Loads dropped DLL 2 IoCs

pid	Process
2100	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe
3056	leluh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leluh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xuxyd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe
1728	xuxyd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 3056	2100	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe	30
PID 2100 wrote to memory of 3056	2100	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe	30
PID 2100 wrote to memory of 3056	2100	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe	30
PID 2100 wrote to memory of 3056	2100	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe	30
PID 2100 wrote to memory of 2520	2100	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe	31
PID 2100 wrote to memory of 2520	2100	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe	31
PID 2100 wrote to memory of 2520	2100	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe	31
PID 2100 wrote to memory of 2520	2100	9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe	31
PID 3056 wrote to memory of 1728	3056	leluh.exe	34
PID 3056 wrote to memory of 1728	3056	leluh.exe	34
PID 3056 wrote to memory of 1728	3056	leluh.exe	34
PID 3056 wrote to memory of 1728	3056	leluh.exe	34

C:\Users\Admin\AppData\Local\Temp\9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe
"C:\Users\Admin\AppData\Local\Temp\9cfa22a6022a17a247f9fa1fbdd50cd2347bee87d6a65d752eb2e883ad722abf.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\leluh.exe
  "C:\Users\Admin\AppData\Local\Temp\leluh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\xuxyd.exe
    "C:\Users\Admin\AppData\Local\Temp\xuxyd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b6e4312b24e36024f9be4452c1849b6a

SHA1
13008ddd8f6a8f27c9b38a96c06017f4eef6d296

SHA256
f194a95ff2a879a8730113c1f2f3cf570dee5d609713e04e63e7089378fc99e7

SHA512
be9bf5b9a124b14cfd5f4959382f3ce33eb2a26e9c2a6f5546be252974018f8df277e0917e0291d92fb86b695378050cd00aecf4fba97b8739794682f5c863f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e0d254be48eb4bc05f96eb5ac79c1d87

SHA1
844151d653b9a185297af7693c40a051c425c062

SHA256
a2f8b89fe3acf514851fd15d2373ec7cadbf37268f731adf6d2967916cccc068

SHA512
273f0738229e70419fc1fff4617b7ae66bf82f7bd8a5cf6995d62fcd069bbd3fcc52c1a56083f830b31c6e1f10e5501ba74aaef0be01543a0f4f51e880685d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\leluh.exe

Filesize
337KB

MD5
871d5062ca70df9cd7f3aca181efd2a1

SHA1
40610ada5d5dadc003dbb7880eb7a15bb17ad49b

SHA256
cd4d80aeae2d289ce6e08a4dc5919fb02498d9bb11921e4056d8ef488666950a

SHA512
4e20f4905883caed06b711a02733484d9130644a787fca628067e798fe2b1a1fa5ba47e9cde57bf066b09ef1e7c434924497e9b2aadc530a1716b652733ae0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuxyd.exe

Filesize
172KB

MD5
64f5a63bfafc56470b355057865807c7

SHA1
0543a70d2d8379766a45c1a68bc81faa8a1792bc

SHA256
f5483491e17f2cf5a185eb52f7125c195ed43bce5c1f989e5783687fccb39650

SHA512
841ee54c0253493f93355770b8d463e37755024cd7f0d171fe14e696817510241e3edc5bbb079718c879312c37286112e4fefa52cf89f17094c77e94108eed86

Download Submit
\Users\Admin\AppData\Local\Temp\leluh.exe

Filesize
337KB

MD5
be896eabe4ff5ea51a7883c98e5c9894

SHA1
28a0774b58c15a03490258d70cdf37e30b7830c2

SHA256
9ba475d2e535a493d247d9c05fbbbea6167122cd5fa05dac0a624f1d582d30ee

SHA512
a6d32c499ef636405ba242aa771eadb1224eb244aa444bf5205a93b7215aae9832d9ab900d92492bf64eecd681258a334b4e7de0d95168a2f522e8c6da9d8c81

Download Submit
memory/1728-44-0x0000000001160000-0x00000000011F9000-memory.dmp

Filesize
612KB

Download
memory/1728-50-0x0000000001160000-0x00000000011F9000-memory.dmp

Filesize
612KB

Download
memory/1728-49-0x0000000001160000-0x00000000011F9000-memory.dmp

Filesize
612KB

Download
memory/1728-43-0x0000000001160000-0x00000000011F9000-memory.dmp

Filesize
612KB

Download
memory/2100-21-0x0000000000FE0000-0x0000000001061000-memory.dmp

Filesize
516KB

Download
memory/2100-9-0x0000000000B30000-0x0000000000BB1000-memory.dmp

Filesize
516KB

Download
memory/2100-0-0x0000000000FE0000-0x0000000001061000-memory.dmp

Filesize
516KB

Download
memory/2100-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3056-11-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/3056-42-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/3056-38-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/3056-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3056-24-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/3056-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing