urelas | 54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84ea

General

Target

54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe
Size

330KB
MD5

4f6be11ae13e3a9613b104c6dae342e0
SHA1

b7bb12bdbc37e6d802686bbac6cbd436d7839f9b
SHA256

54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84ea
SHA512

1623449d81a95a88ea263b8fc54118820d80ff1729c97c3c16bb32044947ca37d6263dcb5a800e39f7b3205cf18316da7d18efbdc6edf1d9ce3a737d7e524222
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVv:vHW138/iXWlK885rKlGSekcj66ciEv

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2164	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

qiyhn.exeewyge.exe

pid	Process
2320	qiyhn.exe
2060	ewyge.exe

Loads dropped DLL 2 IoCs

Processes:

54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exeqiyhn.exe

pid	Process
2316	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe
2320	qiyhn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeewyge.exe54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exeqiyhn.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewyge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qiyhn.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

ewyge.exe

pid	Process
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe
2060	ewyge.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exeqiyhn.exe

description	pid	Process	procid_target
PID 2316 wrote to memory of 2320	2316	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe	31
PID 2316 wrote to memory of 2320	2316	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe	31
PID 2316 wrote to memory of 2320	2316	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe	31
PID 2316 wrote to memory of 2320	2316	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe	31
PID 2316 wrote to memory of 2164	2316	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe	32
PID 2316 wrote to memory of 2164	2316	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe	32
PID 2316 wrote to memory of 2164	2316	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe	32
PID 2316 wrote to memory of 2164	2316	54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe	32
PID 2320 wrote to memory of 2060	2320	qiyhn.exe	35
PID 2320 wrote to memory of 2060	2320	qiyhn.exe	35
PID 2320 wrote to memory of 2060	2320	qiyhn.exe	35
PID 2320 wrote to memory of 2060	2320	qiyhn.exe	35

C:\Users\Admin\AppData\Local\Temp\54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe
"C:\Users\Admin\AppData\Local\Temp\54832d03a638bf9a63d65a0778c16b061a173026f28af0d1905e3312914c84eaN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\qiyhn.exe
  "C:\Users\Admin\AppData\Local\Temp\qiyhn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\ewyge.exe
    "C:\Users\Admin\AppData\Local\Temp\ewyge.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
05fb45d548ecb23a5bc83825c4768451

SHA1
c63d2075e4a40fcb431dd3acafc0b6d77284a2ff

SHA256
3a70d5b52330e2459ca84d5a7c3627ae1874ee43bcc4500032062bfc349b4ad1

SHA512
053388d4091a36b0e1c9a867a54c7f25dcd7d7ec021350aae2270eb3e7feca71a156b88acd78846a2bcdad34884c29df824c6156a28a00d1de0522b8709fdd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewyge.exe

Filesize
172KB

MD5
638c5903b7d806663f84101e2dda0cbd

SHA1
5e8937940ecb574125211928800bad4b24962a08

SHA256
a5e7446417a960e62811f4153782301c1a2ce13fe00bbdbfad13a4c328d7c5ef

SHA512
b6e6d1978f3b1a4a68e28f6b8268730fa991d7c4b60449766254f2382719eeb034b060cbd9b2be188aab71e63a1432c7d024be6bb18a9dae8311dd7ccbc5ac42

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b90569cc54ad1f8394df861f4ccd3587

SHA1
4af370df4758ac7fabc6e0496deb727e3fa0f6af

SHA256
ab6b0de9362f8934352ece8f2d2e039d843279ef5c749d6e6e71c64600e6b738

SHA512
b97e56c9da1abae481392bfddc2a1981602eaf290671ccfca2a3351acd81d1ec2ac41faea5a5dcf5ed42691cbb7cd026485beaa18fa3eef5e58d5bd9c7cf163c

Download Submit
\Users\Admin\AppData\Local\Temp\qiyhn.exe

Filesize
330KB

MD5
517c1a80dd8487ade5615937635f608a

SHA1
de2dc3da45c604c7708c5006974d57b6ac154aaf

SHA256
0179af2c276c7de6b786b1114912d343a05014d346209cbdba63341504df6baa

SHA512
978514b17a5f80c0feabe2c77928405c03d52b0832f74d16db663d6f5d07e44d4699cd25b73692558b0a3b7d20fd3902aaa0d44cd98a6a94025c29daad08a75d

Download Submit
memory/2060-43-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/2060-48-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/2060-47-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/2060-42-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/2316-9-0x0000000000950000-0x00000000009D1000-memory.dmp

Filesize
516KB

Download
memory/2316-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2316-0-0x00000000012D0000-0x0000000001351000-memory.dmp

Filesize
516KB

Download
memory/2316-21-0x00000000012D0000-0x0000000001351000-memory.dmp

Filesize
516KB

Download
memory/2320-24-0x0000000000830000-0x00000000008B1000-memory.dmp

Filesize
516KB

Download
memory/2320-40-0x0000000000830000-0x00000000008B1000-memory.dmp

Filesize
516KB

Download
memory/2320-41-0x0000000002AB0000-0x0000000002B49000-memory.dmp

Filesize
612KB

Download
memory/2320-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2320-12-0x0000000000830000-0x00000000008B1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads