urelas | 0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846

General

Target

0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe
Size

432KB
MD5

be542e225b5a041f7d228b4b6c4936e8
SHA1

8bf87c7d0767461084254004be228d4297bbeafb
SHA256

0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846
SHA512

f9b612dc7fd67aeaedea9c500c2e05a5269642a8139c4aed5cc49db31f8cb3ee09ce99df2ff43a260747a1d031d45899a10be77db9bcd7f6c9ed5e5a903e82fa
SSDEEP

6144:L8efQ6QPJGcLbjg0CutsGH+revgLIAP1fXo1EZH:C6QPJGcE0SGereYdPc

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2388 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

kyzep.exekiitg.exe

pid process

2912 kyzep.exe
868 kiitg.exe
Loads dropped DLL 2 IoCs

Processes:

0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exekyzep.exe

pid process

1460 0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe
2912 kyzep.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2388	cmd.exe

pid	process
2912	kyzep.exe
868	kiitg.exe

pid	process
1460	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe
2912	kyzep.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exekyzep.execmd.exekiitg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyzep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiitg.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

kiitg.exe

pid	process
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe
868	kiitg.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exekyzep.exe

description	pid	process	target process
PID 1460 wrote to memory of 2912	1460	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	kyzep.exe
PID 1460 wrote to memory of 2912	1460	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	kyzep.exe
PID 1460 wrote to memory of 2912	1460	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	kyzep.exe
PID 1460 wrote to memory of 2912	1460	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	kyzep.exe
PID 1460 wrote to memory of 2388	1460	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	cmd.exe
PID 1460 wrote to memory of 2388	1460	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	cmd.exe
PID 1460 wrote to memory of 2388	1460	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	cmd.exe
PID 1460 wrote to memory of 2388	1460	0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe	cmd.exe
PID 2912 wrote to memory of 868	2912	kyzep.exe	kiitg.exe
PID 2912 wrote to memory of 868	2912	kyzep.exe	kiitg.exe
PID 2912 wrote to memory of 868	2912	kyzep.exe	kiitg.exe
PID 2912 wrote to memory of 868	2912	kyzep.exe	kiitg.exe

C:\Users\Admin\AppData\Local\Temp\0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe
"C:\Users\Admin\AppData\Local\Temp\0c1386734a551f78ffc94ae1eef61ab942072615d39c6ed381e89dcec121b846.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\kyzep.exe
"C:\Users\Admin\AppData\Local\Temp\kyzep.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\kiitg.exe
"C:\Users\Admin\AppData\Local\Temp\kiitg.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:868

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
fab84f4b298efa708e4661723fd8726f

SHA1
ad3b0a6a3230eed02a342c8675efb82617336d60

SHA256
d9a9705dd0eb69fedc7090940f6b689ea8a0817677f67630954ce3e29ac4d2e6

SHA512
6b54036c346688560e281087ee1707d33e8ec0818b52f7940ca309990dac845b0e84cbd2660a48a25fc98402ef956f6d2ce765503d9e5b474ff52a60abf01513

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
72e8a5cd05ab5ea01420027862f3cf10

SHA1
445d570ec6f7219d6db54f0451e9f42a7f86653f

SHA256
00e41d47d6a664e3e7038d551fd0b915e97425f99b5d9b55199578065cade9f7

SHA512
3393ab8cd347fc7d9e6727578cd6d4f5558f610859a4a476d1cb51d7cab4e4e3287a0123a21fd97deb6d70ed5c9d26fd888e3055a818b3b11c8857815d2aa236

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiitg.exe

Filesize
291KB

MD5
33e2959c9c29327133124fa31902980f

SHA1
bd608e31edf0af6f3356f9a37baff461802a9bc1

SHA256
f173cebb3b61d55b0178e43f5442e86e9b07ecb52c558e79be318217cfd6d0e8

SHA512
e6be199f3298eaaa361fa6700612227ebdbeaa10ed72601d512126e64ba16115d08ee75d092b21a56f5fdcc26306359054601f69c40d0b0fcc70a6da2132cac5

Download Submit
\Users\Admin\AppData\Local\Temp\kyzep.exe

Filesize
433KB

MD5
10b3e746c52440a2cfd56212f9421712

SHA1
9337a6b79d7c3871b98d9f4c5b9a308e27bbfb24

SHA256
2ef1cce3519b1016a3765ec7b1f8dcfb9dfd2209c7eeb58ce4e83e2eeea436b6

SHA512
e6cef7691130fd0f07d0db2c97a220f070475e5dd3638510a3d31f2b13c43db6173eeab10f7eb28754a2a637c1d8a8bdaf792c4633834b6ccb096a168e386760

Download Submit
memory/1460-0-0x0000000000E10000-0x0000000000E7E000-memory.dmp

Filesize
440KB

Download
memory/1460-8-0x0000000002A50000-0x0000000002ABE000-memory.dmp

Filesize
440KB

Download
memory/1460-18-0x0000000000E10000-0x0000000000E7E000-memory.dmp

Filesize
440KB

Download
memory/2912-10-0x0000000000E50000-0x0000000000EBE000-memory.dmp

Filesize
440KB

Download
memory/2912-27-0x0000000000E50000-0x0000000000EBE000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads