urelas | 9e99c8754d40a65b0b5f6c0691209dc8eb10de70614ae6b043624eed52260199

General

Target

9e99c8754d40a65b0b5f6c0691209dc8eb10de70614ae6b043624eed52260199.exe
Size

78KB
MD5

e4ec962e39ab93eb8986a7052b6769ad
SHA1

1c9486fb619b56e64f9641ab41e4633851d6c398
SHA256

9e99c8754d40a65b0b5f6c0691209dc8eb10de70614ae6b043624eed52260199
SHA512

2570d1e3d577f5a7e0ae2552c65d1e731a462cb8ef99823758ef23ac9d859da2a493e0316d91aa563eaab8d7175dce21d849a6c8e28c5679c2b939050af8df41
SSDEEP

1536:Zfhb7GkpDbdVIoCyWW9T9oNpiS0o3SKZREpKn:PPNdbdOopN5YpiK7n

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.28.139

121.88.5.183

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1656	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3068	Aisder.exe

Loads dropped DLL 1 IoCs

pid	Process
2040	9e99c8754d40a65b0b5f6c0691209dc8eb10de70614ae6b043624eed52260199.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e99c8754d40a65b0b5f6c0691209dc8eb10de70614ae6b043624eed52260199.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aisder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 3068	2040	9e99c8754d40a65b0b5f6c0691209dc8eb10de70614ae6b043624eed52260199.exe	30
PID 2040 wrote to memory of 3068	2040	9e99c8754d40a65b0b5f6c0691209dc8eb10de70614ae6b043624eed52260199.exe	30
PID 2040 wrote to memory of 3068	2040	9e99c8754d40a65b0b5f6c0691209dc8eb10de70614ae6b043624eed52260199.exe	30
PID 2040 wrote to memory of 3068	2040	9e99c8754d40a65b0b5f6c0691209dc8eb10de70614ae6b043624eed52260199.exe	30
PID 2040 wrote to memory of 1656	2040	9e99c8754d40a65b0b5f6c0691209dc8eb10de70614ae6b043624eed52260199.exe	31
PID 2040 wrote to memory of 1656	2040	9e99c8754d40a65b0b5f6c0691209dc8eb10de70614ae6b043624eed52260199.exe	31
PID 2040 wrote to memory of 1656	2040	9e99c8754d40a65b0b5f6c0691209dc8eb10de70614ae6b043624eed52260199.exe	31
PID 2040 wrote to memory of 1656	2040	9e99c8754d40a65b0b5f6c0691209dc8eb10de70614ae6b043624eed52260199.exe	31

C:\Users\Admin\AppData\Local\Temp\9e99c8754d40a65b0b5f6c0691209dc8eb10de70614ae6b043624eed52260199.exe
"C:\Users\Admin\AppData\Local\Temp\9e99c8754d40a65b0b5f6c0691209dc8eb10de70614ae6b043624eed52260199.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\Aisder.exe
  "C:\Users\Admin\AppData\Local\Temp\Aisder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8505d593f1deae83971df678092607b9

SHA1
aa4b75b4893a8751a57055ec7523b173a63c4e94

SHA256
8401a9f1b2d296088ae824e9b36ce828f3eaef53ee2e6d9e40319eec64f1ca99

SHA512
01f6e17fc186d8245a931f2e3c40464a52717d625ab5dde34bca99ced0bdf9900fbffc3e78ff39da5ffd67b0b73c069a5c02ea1e6d72dc499b68e95f6fb40d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
64846677dc3bb595ca728ab2ebf170a0

SHA1
47a38887363508fe1b5b7094ff9e0c96faf81f99

SHA256
67649a1f3aae13073ba195e1562226f3a99ab100673fd3e9924d1a4bdadd5a11

SHA512
654a5c15ffde008a1f1da9ba1411d7b5cbc34acb9056b5800f3f268372b6af4b2ef2d71b70fb986adf5bb7cd87eb31bf2f2e24ea7ae70f6f63424ee83d8e93d9

Download Submit
\Users\Admin\AppData\Local\Temp\Aisder.exe

Filesize
78KB

MD5
a2fbfa603e3eb440ee293c0163ef2d65

SHA1
44c92cdedb58ce34fd284909ca85ae70f1e7adf2

SHA256
35ba52ab62050b08952b229c570e012c5da328c788585f15936737e68fb306ea

SHA512
ff71a99dd35d0f5a45f10a9436ae9e9253d79a2ca9c95b057a8f9b71e7d666b7826663ea372a5a8d9afc223a89ab723249e7dce00109fa8bb2a0806a5f6f6d71

Download Submit
memory/2040-0-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2040-8-0x00000000023F0000-0x000000000241F000-memory.dmp

Filesize
188KB

Download
memory/2040-18-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/3068-16-0x0000000000C30000-0x0000000000C5F000-memory.dmp

Filesize
188KB

Download
memory/3068-21-0x0000000000C30000-0x0000000000C5F000-memory.dmp

Filesize
188KB

Download
memory/3068-28-0x0000000000C30000-0x0000000000C5F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing