urelas | cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605

General

Target

cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe
Size

336KB
MD5

785a5215521aebe5a451ea71a9b08584
SHA1

f84373aea04589873857b5ea2023d9e95f9c32a0
SHA256

cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605
SHA512

752d5fa610fa49e6c13596a61295cb0beeefffc593ce5369719be9255f9d4a70896bfc10e6b244df526ab68b5d8ed4e1bc15dbcbb610ec0bf8f663a58ebf76a7
SSDEEP

6144:GLtOexihqv4m+lXD6betiTuBMTWjIDIiUBAkW9UOKMOtzWO8CatspddODi9w:GL1D+IatauBML42MykRa6p6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2656 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

lopuf.exekyzoyp.exekowah.exe

pid process

1244 lopuf.exe
2768 kyzoyp.exe
1440 kowah.exe
Loads dropped DLL 3 IoCs

Processes:

cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exelopuf.exekyzoyp.exe

pid process

2476 cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe
1244 lopuf.exe
2768 kyzoyp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2656	cmd.exe

pid	process
1244	lopuf.exe
2768	kyzoyp.exe
1440	kowah.exe

pid	process
2476	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe
1244	lopuf.exe
2768	kyzoyp.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exelopuf.execmd.exekyzoyp.exekowah.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lopuf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyzoyp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kowah.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

kowah.exe

pid	process
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe
1440	kowah.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exelopuf.exekyzoyp.exe

description	pid	process	target process
PID 2476 wrote to memory of 1244	2476	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe	lopuf.exe
PID 2476 wrote to memory of 1244	2476	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe	lopuf.exe
PID 2476 wrote to memory of 1244	2476	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe	lopuf.exe
PID 2476 wrote to memory of 1244	2476	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe	lopuf.exe
PID 2476 wrote to memory of 2656	2476	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe	cmd.exe
PID 2476 wrote to memory of 2656	2476	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe	cmd.exe
PID 2476 wrote to memory of 2656	2476	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe	cmd.exe
PID 2476 wrote to memory of 2656	2476	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe	cmd.exe
PID 1244 wrote to memory of 2768	1244	lopuf.exe	kyzoyp.exe
PID 1244 wrote to memory of 2768	1244	lopuf.exe	kyzoyp.exe
PID 1244 wrote to memory of 2768	1244	lopuf.exe	kyzoyp.exe
PID 1244 wrote to memory of 2768	1244	lopuf.exe	kyzoyp.exe
PID 2768 wrote to memory of 1440	2768	kyzoyp.exe	kowah.exe
PID 2768 wrote to memory of 1440	2768	kyzoyp.exe	kowah.exe
PID 2768 wrote to memory of 1440	2768	kyzoyp.exe	kowah.exe
PID 2768 wrote to memory of 1440	2768	kyzoyp.exe	kowah.exe
PID 2768 wrote to memory of 580	2768	kyzoyp.exe	cmd.exe
PID 2768 wrote to memory of 580	2768	kyzoyp.exe	cmd.exe
PID 2768 wrote to memory of 580	2768	kyzoyp.exe	cmd.exe
PID 2768 wrote to memory of 580	2768	kyzoyp.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe
"C:\Users\Admin\AppData\Local\Temp\cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Local\Temp\lopuf.exe
"C:\Users\Admin\AppData\Local\Temp\lopuf.exe" hi
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\kyzoyp.exe
"C:\Users\Admin\AppData\Local\Temp\kyzoyp.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Local\Temp\kowah.exe
"C:\Users\Admin\AppData\Local\Temp\kowah.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1440

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
- System Location Discovery: System Language Discovery
PID:580

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
d7581919afe46a28bbcdc6e987968c0c

SHA1
29bbf6af4f4d8913d9da46dfacbd578921272cc4

SHA256
70d70c1b1d4d778430c904fdff9f6c9301126c8d9482c5c4aa777fc9b4771df5

SHA512
348105ab8f6aa2d9c95ece270574de4d57fd845991d045daf7c4c0682f220a79210ab9d127beb24cb4059310b6e3af8a4d99f0a606c913a5cac859eef533969b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
86fab808c9548cbc89fa815e40a61d9b

SHA1
7d6db509f34630a7211a1933de0ea2519c7c158f

SHA256
4b82492e2697c09fc5e27cf91949b3ff143ccd9ddec8140cc839c0e7d2651fa6

SHA512
e3a54a39d6abaaf4c79cb2432c3ed0d53ba758fcde46bfa604a6f8699df0212a9e017ea01717388d499c67ef5c51450caa595eb1f011fedf21c0762c8aee508b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e339f6eff994900762a60e9c1df08abf

SHA1
0ee8f24e1f51b5b051648b2b624016b64bdb5d12

SHA256
89747640144d1bc3a02da008368b349d419c38cf1afd273119a44b1ba17e7860

SHA512
423d8f124866cb5a5e9d279981cf31e219cc29cfe32dfc1ec9b2c1eb899b076f9e5faeb258bf05c03ac519aad220fc5113d5dbe7b8c3506534569759bdfeead5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyzoyp.exe

Filesize
337KB

MD5
0caa36b806ae8eaae6d77b069ce368ab

SHA1
95fba26068a01c7a13e76a49c858bc0a7f0d567f

SHA256
567963bcd8a5d065384ff27ff8899989086d8d829900e6433f10a662405b0971

SHA512
6cbf9e076f4cced219f9565a789f368f13630ea963b52519ccc7947b52e7680755be13db97372920aad93c29253f26343265308d41b2ee77ffe48a99113a0245

Download Submit
\Users\Admin\AppData\Local\Temp\kowah.exe

Filesize
223KB

MD5
350afff364b2a6fc67e254c895b4f285

SHA1
11aa4835332c74549cb6220b4e337c694e36f2f3

SHA256
0de4495dc353f8cebcc6155a4a888197ba4d3c0781e28830c6b400a373b09d05

SHA512
7d21bda5bd249e72e60d4679eef9a56111bce8264fab52a8167cf3793f8b86bedf4231b6ce9b834be6000ff54e51d07c71ace248e57156e708986c164361ef76

Download Submit
\Users\Admin\AppData\Local\Temp\lopuf.exe

Filesize
336KB

MD5
da500b3bed7b7c038f5d6d67463d8ff1

SHA1
f48997c54c1aee52ea6fc8aaf5d0bf6c6cd25f1e

SHA256
4cf76adc8daaa458ec93849b0dce03a3bd386f42de7f4080b64c97dd9d606ea1

SHA512
10d3d236fd733a3ec8d2b83527ed575abfdf83e1c17ceed54f50afb306984fdecb66117df1fb148b297556a8fbd275c766a07f4d5631ddce54fa115187684267

Download Submit
memory/1244-10-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1244-28-0x0000000002F40000-0x0000000002FAE000-memory.dmp

Filesize
440KB

Download
memory/1244-31-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1440-63-0x0000000000070000-0x0000000000110000-memory.dmp

Filesize
640KB

Download
memory/1440-66-0x0000000000070000-0x0000000000110000-memory.dmp

Filesize
640KB

Download
memory/1440-65-0x0000000000070000-0x0000000000110000-memory.dmp

Filesize
640KB

Download
memory/1440-64-0x0000000000070000-0x0000000000110000-memory.dmp

Filesize
640KB

Download
memory/1440-50-0x0000000000070000-0x0000000000110000-memory.dmp

Filesize
640KB

Download
memory/1440-67-0x0000000000070000-0x0000000000110000-memory.dmp

Filesize
640KB

Download
memory/2476-22-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2476-3-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2476-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2768-60-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2768-47-0x0000000002D50000-0x0000000002DF0000-memory.dmp

Filesize
640KB

Download
memory/2768-33-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2768-32-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads