urelas | 115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8

General

Target

115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe
Size

552KB
MD5

4489826c2eca1eb1a0123c0c46e6aca0
SHA1

1c006df93d42fa028e21a7f98c6ac8afc5198b25
SHA256

115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8
SHA512

b978da9070fb82166238114fb80f5b48acb6249a0854e5bc0fb695e759684f6e744282ff3c03c074ecf448b873d9993dd085e82c5e572b83b334c3a7435b0456
SSDEEP

12288:++GtVfjTQSaoINAHT1VQ1i3SyQEW85gzl8:+rt4/NArwjs5ol8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1664	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

ozxij.exeqehyj.exe

pid	Process
1648	ozxij.exe
2672	qehyj.exe

Loads dropped DLL 2 IoCs

Processes:

115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exeozxij.exe

pid	Process
1668	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe
1648	ozxij.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exeozxij.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozxij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exeozxij.exe

description	pid	Process	procid_target
PID 1668 wrote to memory of 1648	1668	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe	31
PID 1668 wrote to memory of 1648	1668	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe	31
PID 1668 wrote to memory of 1648	1668	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe	31
PID 1668 wrote to memory of 1648	1668	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe	31
PID 1668 wrote to memory of 1664	1668	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe	32
PID 1668 wrote to memory of 1664	1668	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe	32
PID 1668 wrote to memory of 1664	1668	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe	32
PID 1668 wrote to memory of 1664	1668	115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe	32
PID 1648 wrote to memory of 2672	1648	ozxij.exe	35
PID 1648 wrote to memory of 2672	1648	ozxij.exe	35
PID 1648 wrote to memory of 2672	1648	ozxij.exe	35
PID 1648 wrote to memory of 2672	1648	ozxij.exe	35

C:\Users\Admin\AppData\Local\Temp\115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe
"C:\Users\Admin\AppData\Local\Temp\115952ec8a3a073ab20b7df3a238a827b8fed5032be3e5c67d680230552121b8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\ozxij.exe
  "C:\Users\Admin\AppData\Local\Temp\ozxij.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\qehyj.exe
    "C:\Users\Admin\AppData\Local\Temp\qehyj.exe"
    3⤵
    - Executes dropped EXE
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
0f0d77ec69a66789ea072d5c8bf4594a

SHA1
c531b09c9e1045cf2542b197c269453be309d407

SHA256
170ab95cdfdf6d30e989295586f58aa23a84d8323a7af784439881b2577b8259

SHA512
144ce94591a25576edf368de017aa70a81af0db83464c23931143c4da632667520a23ba95487c034e5067ed45397dace571f3efb300957611d28bf749d617de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ed1a613024060167b9129bf25fc486d4

SHA1
71d13c793c7ea692e45faa4f28ecc08c285b2f8b

SHA256
e6f6e0eb245188cf74197babb25bd3d50efd4425ee45beb05f4a7fd8a56360f7

SHA512
e38fd8d3a0eafd04c582f5d7af91be5e99dffab93733273d877fab221608c9c1753a2fd92cd70f8d90416022b9d2a5c7d4968eb0978e963182687b455614ad0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qehyj.exe

Filesize
231KB

MD5
a7698b6ecc9c6d606cf4a67c04470351

SHA1
e4ab3306c8f7d776f0daf22e94fe6e9125a1377e

SHA256
2bed0f9420c12e552cd5bc6f187c269eec68dcdc6c200c16bc281379a4485f6b

SHA512
8f3142a5a79281894f19ea39dfadbfe98e57ceef966e105edcc6431a272fe3250269b77483b4be908a18766b56f5f7daaf53f8303664f7db7eedcbb89f553d46

Download Submit
\Users\Admin\AppData\Local\Temp\ozxij.exe

Filesize
552KB

MD5
6e14e8bbabffa0b2dadd87a15fb7ae7c

SHA1
dfc0b40c713664f5de672632fe997e7fe2cd0a64

SHA256
e997a22f5480046b28699d7df84e7a3ea06dbb03bd66d50f6c31833e559c4833

SHA512
79d8e85f50c5a23329723de15eaba8ae78108ee621ad947a84243f369bcd2dd94b282261bce6fc32aedf57c1ce140042342ddcc0a728b2b57cfec5de8b3b939b

Download Submit
memory/1648-16-0x0000000000070000-0x00000000000FF000-memory.dmp

Filesize
572KB

Download
memory/1648-21-0x0000000000070000-0x00000000000FF000-memory.dmp

Filesize
572KB

Download
memory/1648-28-0x0000000003620000-0x00000000036D3000-memory.dmp

Filesize
716KB

Download
memory/1648-30-0x0000000000070000-0x00000000000FF000-memory.dmp

Filesize
572KB

Download
memory/1668-0-0x0000000000830000-0x00000000008BF000-memory.dmp

Filesize
572KB

Download
memory/1668-6-0x0000000002970000-0x00000000029FF000-memory.dmp

Filesize
572KB

Download
memory/1668-18-0x0000000000830000-0x00000000008BF000-memory.dmp

Filesize
572KB

Download
memory/2672-29-0x0000000000960000-0x0000000000A13000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads