urelas | 0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42a

General

Target

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
Size

446KB
MD5

019dd5686e62593b1a205d4d1a4b85d0
SHA1

2e9ecbe2eb2d55692a299be7f155117284f077de
SHA256

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42a
SHA512

c083b7175daca3d47ca5e6b723de9178367be5dc1cd6a49f2509649e245a73ff83ca05e52626c0971dda3bd1c176d2182c40b1a884c1963bf9b20e77c3e43460
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpoG:PMpASIcWYx2U6hAJQnS

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2880	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

ryzoz.exeifhibi.exebiquv.exe

pid	Process
1504	ryzoz.exe
2656	ifhibi.exe
2460	biquv.exe

Loads dropped DLL 3 IoCs

Processes:

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exeryzoz.exeifhibi.exe

pid	Process
3040	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
1504	ryzoz.exe
2656	ifhibi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

biquv.execmd.exe0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exeryzoz.execmd.exeifhibi.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biquv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ryzoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ifhibi.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

biquv.exe

pid	Process
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe
2460	biquv.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exeryzoz.exeifhibi.exe

description	pid	Process	procid_target
PID 3040 wrote to memory of 1504	3040	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	30
PID 3040 wrote to memory of 1504	3040	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	30
PID 3040 wrote to memory of 1504	3040	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	30
PID 3040 wrote to memory of 1504	3040	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	30
PID 3040 wrote to memory of 2880	3040	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	31
PID 3040 wrote to memory of 2880	3040	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	31
PID 3040 wrote to memory of 2880	3040	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	31
PID 3040 wrote to memory of 2880	3040	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	31
PID 1504 wrote to memory of 2656	1504	ryzoz.exe	33
PID 1504 wrote to memory of 2656	1504	ryzoz.exe	33
PID 1504 wrote to memory of 2656	1504	ryzoz.exe	33
PID 1504 wrote to memory of 2656	1504	ryzoz.exe	33
PID 2656 wrote to memory of 2460	2656	ifhibi.exe	34
PID 2656 wrote to memory of 2460	2656	ifhibi.exe	34
PID 2656 wrote to memory of 2460	2656	ifhibi.exe	34
PID 2656 wrote to memory of 2460	2656	ifhibi.exe	34
PID 2656 wrote to memory of 1532	2656	ifhibi.exe	35
PID 2656 wrote to memory of 1532	2656	ifhibi.exe	35
PID 2656 wrote to memory of 1532	2656	ifhibi.exe	35
PID 2656 wrote to memory of 1532	2656	ifhibi.exe	35

C:\Users\Admin\AppData\Local\Temp\0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
"C:\Users\Admin\AppData\Local\Temp\0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\ryzoz.exe
  "C:\Users\Admin\AppData\Local\Temp\ryzoz.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\ifhibi.exe
    "C:\Users\Admin\AppData\Local\Temp\ifhibi.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\biquv.exe
      "C:\Users\Admin\AppData\Local\Temp\biquv.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2460
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
8793e8e433434c5cee43ad475aa4d66c

SHA1
d351f2ad621f15703700f01be489c6557b2cb6cd

SHA256
9fe8bc2c5103c12e5bf4e54e427889bd1f8f00c98482a455c474829d13300e58

SHA512
528537bc19535f822498b561840c4b81524101b2656c6b0eab4e83e36841f99e20d8d54fe7923f3b7e48e007e062b01a2cd4fc2ff93354e26597f061a1e971d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
d2fe4946949417756bfddc2a2833224b

SHA1
ad82bf8ddb335bbd7b3a6974ba6651217ffe7680

SHA256
4aa7c7ff4691c4503694f7c54f87ddf361bb19e8e24ff2e56665764c7bd6720e

SHA512
cc8501f4d582ea318f753c279aaaafab4a3f7cbd2ef2a3e4788cdda838b3d7d09df376bc69f6dcc193e9af88243559a626342fb0aa8a4514647058aabd5af1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\biquv.exe

Filesize
223KB

MD5
b77eff9bc39d06dcb5a2d8b1bd02cae0

SHA1
8dc4cc8789ed50f3e33097499333f2540cc4ca10

SHA256
3e0af021a10b0cb7ed57321b2c8216e6195cf5ba59002250c6de9dbe931f50da

SHA512
da8104ab9bbfbaf791ae1d3162c53bb3a366f5a96a665a5ccf5da35a116dd4e53595d554ac8953579529ddc3345bdc0606cdb5e31f69558f479269451bcd274d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
19db9578fc578f705660a46dbeda6073

SHA1
417f332ab2978e5812eefc1f4712dac0c9405144

SHA256
eab1653428880a680765b652b1af70c9da04295a0ea2f9a24bc45dd02f54b69e

SHA512
a8a89e5d8b47891c1ff96e59d4ff0df2a496100fa7985d04f313e7b51eee8a4bb8ffecb376f965e7295029777ae4bc5a6308c5074968e8197c2e398fad53cd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifhibi.exe

Filesize
446KB

MD5
802e5c9c6d0fd15210e26ebbee6821d5

SHA1
394ac92b460460e269a8ddcfe03cb8a8cd197716

SHA256
b0410103c2dc243d10ed02808016b3e6252cd037bcb19287d67392e01f78de15

SHA512
9b2d35b823aff835e370861b5f2897c86de1154ec657a17dd13b9ed1f92f97d816ea8e3dfb76abf3d35a96797f4c7aecd61b575479ccd41af57e089a93e965b4

Download Submit
\Users\Admin\AppData\Local\Temp\ryzoz.exe

Filesize
446KB

MD5
b41e28f9d1973a4fc81650ebbcbc66b0

SHA1
116f596f7c37a6f696e93d80b958bf1c034f840f

SHA256
7f6350a944f4917fb00921fb67b92d8a0f44eeaca877264f81226a6456bf4cb5

SHA512
fc8bed1a394189939bc19d34d253604ac6d407da9c20f17aa9beb41ed844e4f93a6dba3b294827cae927ebb006c1808c28bbaa1a18211a9d5a69c15c6aa6fb9a

Download Submit
memory/1504-27-0x0000000002FD0000-0x000000000303E000-memory.dmp

Filesize
440KB

Download
memory/1504-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1504-18-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2460-47-0x0000000001150000-0x00000000011F0000-memory.dmp

Filesize
640KB

Download
memory/2460-51-0x0000000001150000-0x00000000011F0000-memory.dmp

Filesize
640KB

Download
memory/2460-52-0x0000000001150000-0x00000000011F0000-memory.dmp

Filesize
640KB

Download
memory/2656-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2656-31-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2656-46-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3040-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3040-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3040-17-0x0000000001D90000-0x0000000001DFE000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads