urelas | 57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2

General

Target

57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe
Size

330KB
MD5

8ed8fe4236bd3275ca6fb53ea7adeef0
SHA1

af97463ad45ec8f778be83b82909e222c0076265
SHA256

57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2
SHA512

9e0992b9ae3b18ce3e0daabf36b6e92dc56156ecc291a5c1eafa16b47e60fe99b4766829b45dfe99cfac2fb2fce35507ee8bcea5610db7220428c98328874a20
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYG:vHW138/iXWlK885rKlGSekcj66ciL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2668	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

byzym.exegumic.exe

pid	Process
2744	byzym.exe
2876	gumic.exe

Loads dropped DLL 2 IoCs

Processes:

57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exebyzym.exe

pid	Process
2636	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe
2744	byzym.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exebyzym.execmd.exegumic.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byzym.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gumic.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

gumic.exe

pid	Process
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe
2876	gumic.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exebyzym.exe

description	pid	Process	procid_target
PID 2636 wrote to memory of 2744	2636	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	30
PID 2636 wrote to memory of 2744	2636	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	30
PID 2636 wrote to memory of 2744	2636	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	30
PID 2636 wrote to memory of 2744	2636	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	30
PID 2636 wrote to memory of 2668	2636	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	31
PID 2636 wrote to memory of 2668	2636	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	31
PID 2636 wrote to memory of 2668	2636	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	31
PID 2636 wrote to memory of 2668	2636	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	31
PID 2744 wrote to memory of 2876	2744	byzym.exe	34
PID 2744 wrote to memory of 2876	2744	byzym.exe	34
PID 2744 wrote to memory of 2876	2744	byzym.exe	34
PID 2744 wrote to memory of 2876	2744	byzym.exe	34

C:\Users\Admin\AppData\Local\Temp\57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe
"C:\Users\Admin\AppData\Local\Temp\57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\byzym.exe
  "C:\Users\Admin\AppData\Local\Temp\byzym.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\gumic.exe
    "C:\Users\Admin\AppData\Local\Temp\gumic.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
6e8d954fb1dddba6478e87ba0e58a3b0

SHA1
e7093781d87eca308159a1d1bbd32fe190fc967a

SHA256
4caa108699460495771fe7f2890e821a4fd25a7bd18072f13b57ee25fccf7a5e

SHA512
09ec249e5465ef9c9c89d9a67fbdaa1ed3aa96da2e947262f5ba95cbba7f9b70afec9bcea5a406727d3df6f9a489dcaf10cc89d6c2dc065a04dd59f645654cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\byzym.exe

Filesize
330KB

MD5
33fe79835c60e267268f78a6f9693d2e

SHA1
8b6b48c28d9ed46c96ecd1d91d57fe9f37b0ec0b

SHA256
01b43bffe98cb9b82796ac90cb151b4fd60ca0a97c34a08b33da6bcc863c313d

SHA512
37e7ec20a17367f061f98676040f563aa18e9d1df0a9ecf0d7a769be189a78129b542a68a41be8991ef8888d123927886f637c15691e3df70a68b59d1fbad5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3054fb85434c94a861c2841adf09fb54

SHA1
27b928a37c8d28ee3e991d59a1665627ab876fc7

SHA256
38848fb726765fc72e41b60059c1314a14935103bbfd600a5520c60d8685f370

SHA512
81392b13b569a603e2241880c3d05269c333975533f52b41fd5b013f6d3b48b68da04bcff41f817f16c8e5ca6ed666075576d642a07bb5474c22f146acb653ed

Download Submit
\Users\Admin\AppData\Local\Temp\gumic.exe

Filesize
172KB

MD5
c058a423eda9719c05d652897b3ad3ad

SHA1
08bfd8061ce8f4f4b0b11124a4041bc01ea0631d

SHA256
4b88eb4156a6c5dab95790a0e1fc8959f4e2b988df198b375f3a493bc6d235d4

SHA512
8016bc9660752090704cdd2a76b3689007f1c4ce6e4e699c6a6d95aadc369f5b56271222cdb3d2d936bae4258bb7ae2a0e0dfdaa7cf2d5f91119424d2fecafaf

Download Submit
memory/2636-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2636-0-0x00000000002D0000-0x0000000000351000-memory.dmp

Filesize
516KB

Download
memory/2636-20-0x00000000002D0000-0x0000000000351000-memory.dmp

Filesize
516KB

Download
memory/2636-17-0x00000000026E0000-0x0000000002761000-memory.dmp

Filesize
516KB

Download
memory/2744-18-0x0000000000F20000-0x0000000000FA1000-memory.dmp

Filesize
516KB

Download
memory/2744-23-0x0000000000F20000-0x0000000000FA1000-memory.dmp

Filesize
516KB

Download
memory/2744-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2744-38-0x00000000032F0000-0x0000000003389000-memory.dmp

Filesize
612KB

Download
memory/2744-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2744-41-0x0000000000F20000-0x0000000000FA1000-memory.dmp

Filesize
516KB

Download
memory/2876-45-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/2876-42-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/2876-47-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/2876-48-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads