urelas | 92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7

General

Target

92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe
Size

324KB
MD5

af4a0a3252e92465547ee37416213f72
SHA1

4818e4540da9d7f10156192a6f0139ed8b1bdf0c
SHA256

92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7
SHA512

5ca773ae23ebdbeafd2e5e926e919d0d52451d77b93fb48a690f565603e0fc3ca7a44276296e1140b90dada664bc2a1004d511447d27464d37a558bb069e863e
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYv:vHW138/iXWlK885rKlGSekcj66cim

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3064 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

tesio.exekiojx.exe

pid process

2856 tesio.exe
2972 kiojx.exe
Loads dropped DLL 2 IoCs

Processes:

92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exetesio.exe

pid process

2708 92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe
2856 tesio.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3064	cmd.exe

pid	process
2856	tesio.exe
2972	kiojx.exe

pid	process
2708	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe
2856	tesio.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

kiojx.exe92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exetesio.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiojx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tesio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

kiojx.exe

pid	process
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe
2972	kiojx.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exetesio.exe

description	pid	process	target process
PID 2708 wrote to memory of 2856	2708	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe	tesio.exe
PID 2708 wrote to memory of 2856	2708	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe	tesio.exe
PID 2708 wrote to memory of 2856	2708	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe	tesio.exe
PID 2708 wrote to memory of 2856	2708	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe	tesio.exe
PID 2708 wrote to memory of 3064	2708	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe	cmd.exe
PID 2708 wrote to memory of 3064	2708	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe	cmd.exe
PID 2708 wrote to memory of 3064	2708	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe	cmd.exe
PID 2708 wrote to memory of 3064	2708	92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe	cmd.exe
PID 2856 wrote to memory of 2972	2856	tesio.exe	kiojx.exe
PID 2856 wrote to memory of 2972	2856	tesio.exe	kiojx.exe
PID 2856 wrote to memory of 2972	2856	tesio.exe	kiojx.exe
PID 2856 wrote to memory of 2972	2856	tesio.exe	kiojx.exe

C:\Users\Admin\AppData\Local\Temp\92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe
"C:\Users\Admin\AppData\Local\Temp\92b71635c2fabda636e52edc96e060725afa3059e3f405db405c8f83c9359ed7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\tesio.exe
"C:\Users\Admin\AppData\Local\Temp\tesio.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Local\Temp\kiojx.exe
"C:\Users\Admin\AppData\Local\Temp\kiojx.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
7b1968032ea98a7b0730c758d2d8c25a

SHA1
dddb106ddc8444ea4386745aceb0cbb6e11a6002

SHA256
8b7781c5aaf6ce44d1d2b53539365aa2a185e89ac33189dd452651157ed40402

SHA512
bfac538425702d252a18f0bbe05a8c1a5187d66950f8ae9ffed40608488c88c660a697c68bd0e547240b2bacd2ac58f1d9bccc809fa260692ff94d019d4174d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
37df1ac1f7bd0f6bd5add08dd9cd09c6

SHA1
64045f37c96c44d70bfe0e596dfc3ee8aa6f1260

SHA256
a09aea54a512a094b892a79baa7093f007f684e9c64c37beec6a01b824cc5056

SHA512
15c1e6580562242b6400ae80903e45b4206af00e4e157f9d571d0b7c52afa8ef851599afd0241a0077a294d7ba9b97ce310c9c419958552c4b66c011907bdee1

Download Submit
\Users\Admin\AppData\Local\Temp\kiojx.exe

Filesize
172KB

MD5
261c8cfce53eba5dfcea9e1fda05b34a

SHA1
58d5cb6c541d0963c62aa632812b551c07e24a77

SHA256
06d319f13144b56fcde3791c58246f4409394afd787976fdd2ab1c0716c18acc

SHA512
97416492c3a82960edb712d99d3b7fbf4330cae864f187a68d3bff38e763648dc71b0d01393f7e852c18c59ad3d3100aaa618d0202804cb42ba4d5a205d7dd90

Download Submit
\Users\Admin\AppData\Local\Temp\tesio.exe

Filesize
324KB

MD5
1ffd38de0a2c72b3d664f54c45534055

SHA1
6f19b029db9630451dface97ecf288b6f1af06f0

SHA256
36f4b813842871e5b7ac56c3f595ccc3693f6bff64d0ec5f2ec649ced4a3d27d

SHA512
e2c12e0a9adcb98612c9ba744f8ebf6c933eefef684b0e8f65930370f3a97de3bb8c0de8a90503dd573d8f29621712b6472fe64c1bfc5eb1197408daca6bdf04

Download Submit
memory/2708-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2708-10-0x0000000002BC0000-0x0000000002C41000-memory.dmp

Filesize
516KB

Download
memory/2708-0-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/2708-21-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/2856-37-0x0000000003290000-0x0000000003329000-memory.dmp

Filesize
612KB

Download
memory/2856-24-0x0000000000320000-0x00000000003A1000-memory.dmp

Filesize
516KB

Download
memory/2856-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2856-11-0x0000000000320000-0x00000000003A1000-memory.dmp

Filesize
516KB

Download
memory/2856-41-0x0000000000320000-0x00000000003A1000-memory.dmp

Filesize
516KB

Download
memory/2972-42-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/2972-43-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/2972-47-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/2972-48-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/2972-49-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/2972-50-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/2972-51-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads