urelas | fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52b

General

Target

fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe
Size

333KB
MD5

80c2e464d0e65c20fa068a3bfa7470b0
SHA1

51cdb889c9708a161fdb3c5fda6a4e38bebfbf23
SHA256

fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52b
SHA512

abccd3d3d12848d114b0b7aa060b3c94b07175ccf965413944a884b933afbb71eb15dca3f06269d2fc421bbec59b831132d6fa759127065c495298bbadb3a6dd
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9+3:vHW138/iXWlK885rKlGSekcj66ciWQ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2580	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2508	cydum.exe
492	oknyw.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe
2508	cydum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oknyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cydum.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe
492	oknyw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2508	1992	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	30
PID 1992 wrote to memory of 2508	1992	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	30
PID 1992 wrote to memory of 2508	1992	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	30
PID 1992 wrote to memory of 2508	1992	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	30
PID 1992 wrote to memory of 2580	1992	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	31
PID 1992 wrote to memory of 2580	1992	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	31
PID 1992 wrote to memory of 2580	1992	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	31
PID 1992 wrote to memory of 2580	1992	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	31
PID 2508 wrote to memory of 492	2508	cydum.exe	34
PID 2508 wrote to memory of 492	2508	cydum.exe	34
PID 2508 wrote to memory of 492	2508	cydum.exe	34
PID 2508 wrote to memory of 492	2508	cydum.exe	34

C:\Users\Admin\AppData\Local\Temp\fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe
"C:\Users\Admin\AppData\Local\Temp\fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\cydum.exe
  "C:\Users\Admin\AppData\Local\Temp\cydum.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\oknyw.exe
    "C:\Users\Admin\AppData\Local\Temp\oknyw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
0eefb7b287f60aef1a98238ca7d04fe8

SHA1
1bee211430b5cad19b65e0f028476fbdd6f9b12e

SHA256
248ce742a9ebd40c52e9ad1450f917bb187aae04534cb4bb9159897b660a262f

SHA512
6c3e358a6b5264c9c62312c6d47452f46fafaa31c8beb07d96f314a65505dd361345c627e8d5fba4f2bf0a9f951b6574807e97c03195c8ece8e067a5a875b621

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b0c47e5216d1f500d73d5c187493c144

SHA1
362794905bf26b3ec11c9396810fc766d0b81a22

SHA256
15318ba0e2a25cd74b17aeaec0875e3fb352190ef6cfcfec6c1088d94edd103d

SHA512
5bcbfc67a41a8f259b8d840f16aa2a07cada1897b6daa96454f3592ee6d3a90eebec1befcdaacd678232ec9881697a643b78ac18628dfda09c11638637f4284a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oknyw.exe

Filesize
172KB

MD5
90ebbef04b69d36ade540c7bb1e45a49

SHA1
860bcf74966fa6b33c5f79fcf375971d7fccbc1d

SHA256
50e535bf154f0b4be0c3f8ee15b29b7aa3b7c7529e4d0ca737dcd39381a3e853

SHA512
8fa1efd7d947be52888bdb04f8e34bc8005def861e7ff15210ee0cc2ba49c7b55b9e4db07c645d886281cee45566deead363c7281fcb03033e00ad8cc818e95e

Download Submit
\Users\Admin\AppData\Local\Temp\cydum.exe

Filesize
333KB

MD5
a9d615ecd7d1551a7043150d864feafb

SHA1
9c7e962e5d54fe7655cebe73fb76ef23cc765bcb

SHA256
54114ea35109335b84bf9e8cd0c2f64679bf362af9725ae8cc9fb275b98c452d

SHA512
9b089cd5062e0bdff562e9120d2764973908c15ed4fef2d46b0484411a0e850ca99286bc150613792b51df3f8f148f1e3c8cfbd923e55c435c8f05ef9e4918f6

Download Submit
memory/492-42-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/492-47-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/492-46-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/492-41-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Filesize
612KB

Download
memory/1992-0-0x0000000000E60000-0x0000000000EE1000-memory.dmp

Filesize
516KB

Download
memory/1992-9-0x00000000024F0000-0x0000000002571000-memory.dmp

Filesize
516KB

Download
memory/1992-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1992-20-0x0000000000E60000-0x0000000000EE1000-memory.dmp

Filesize
516KB

Download
memory/2508-17-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2508-40-0x0000000000150000-0x00000000001D1000-memory.dmp

Filesize
516KB

Download
memory/2508-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2508-23-0x0000000000150000-0x00000000001D1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing