urelas | ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebe

General

Target

ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exe
Size

49KB
MD5

921fea5bc4bd640c8328ef8d9aee3660
SHA1

1e52d474c465ff4080f4a8d0de5b2a701ff102ac
SHA256

ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebe
SHA512

400598c22a695389ba6c94107dcfbf396dd84d8d8ca361b3cc3959343fd0edc1680060c8f1ff95e485a755e29871dabce762526c47649ff3f43d0bccaf12566e
SSDEEP

1536:834/PC7Ruz3hRXRASULZ6JKYdbzcmhCZnq:It7R8fU6n8q

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2492	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

mokdhft.exe

pid	Process
1988	mokdhft.exe

Loads dropped DLL 1 IoCs

Processes:

ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exe

pid	Process
1116	ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exemokdhft.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mokdhft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exe

description	pid	Process	procid_target
PID 1116 wrote to memory of 1988	1116	ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exe	31
PID 1116 wrote to memory of 1988	1116	ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exe	31
PID 1116 wrote to memory of 1988	1116	ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exe	31
PID 1116 wrote to memory of 1988	1116	ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exe	31
PID 1116 wrote to memory of 2492	1116	ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exe	32
PID 1116 wrote to memory of 2492	1116	ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exe	32
PID 1116 wrote to memory of 2492	1116	ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exe	32
PID 1116 wrote to memory of 2492	1116	ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exe	32

C:\Users\Admin\AppData\Local\Temp\ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exe
"C:\Users\Admin\AppData\Local\Temp\ad7810229804b52b5bf98d224dedbf023676f0a735be73bee594ab2e70678ebeN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\mokdhft.exe
  "C:\Users\Admin\AppData\Local\Temp\mokdhft.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
39e55c2b5135dd669ad371cc03d79fc2

SHA1
d027fea84a269f8e556dfb5411ac3d01b9311017

SHA256
ecf7b9f0150af34b1d09f4602f0acf31445ff28e40b2411b0e32180bb8672919

SHA512
e75942d900b97d254097d8a44bfde16bdc99cc0f124541316a0987b2fb5433b7b1f12d4eff8b47d05e9068e7a038e4dd92998646448dcb0d6615a81a561ef280

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
a521ba7551c1486daeab896af0032a73

SHA1
9630599289081f228f5567a1589a5b4de753e473

SHA256
8d2f4491ef9586c45a3e4d81f004fee56b32316831cf0a45a5891f775e8a8f6b

SHA512
233845d5b9bb469a6e9d66e4c9f2dec5907e98b3c522d920a853c81e21cba0abdba31c7feb1a5b617afea1b55af7f0559a2a83598d47f34b9f78b18141c69b64

Download Submit
\Users\Admin\AppData\Local\Temp\mokdhft.exe

Filesize
49KB

MD5
41d8e0446b839df566fd4e443d32af37

SHA1
e0e5bbb897151af0d961c093f9d6f4257a1a51f7

SHA256
21ecaab8e2807bd4e22ae1035a69cc860d8223565e38841b73496c01ce76684f

SHA512
27bed47da025e8fcfb58806086177a5389ce139e17206b98f0770d44cc5ec4bd0c81adfedd0db7a222c8e04670508c9c37f8ee5453eb41bb068b3479f994403a

Download Submit
memory/1116-0-0x0000000000900000-0x0000000000933000-memory.dmp

Filesize
204KB

Download
memory/1116-9-0x0000000000860000-0x0000000000893000-memory.dmp

Filesize
204KB

Download
memory/1116-18-0x0000000000900000-0x0000000000933000-memory.dmp

Filesize
204KB

Download
memory/1988-10-0x0000000000100000-0x0000000000133000-memory.dmp

Filesize
204KB

Download
memory/1988-21-0x0000000000100000-0x0000000000133000-memory.dmp

Filesize
204KB

Download
memory/1988-23-0x0000000000100000-0x0000000000133000-memory.dmp

Filesize
204KB

Download
memory/1988-29-0x0000000000100000-0x0000000000133000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads