urelas | c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009e

General

Target

c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe
Size

332KB
MD5

3735c64c1f391aa92b9d9575339510b0
SHA1

dd49e6ed58abb9e09cccc264f8a26d62ec41d901
SHA256

c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009e
SHA512

ce4a0dc11e5fb7b9a0324b32d7f9501afd1d16c39fda1a5e8c7fd423ff0e7ebdfd8b313670ebfc92c0f7903f4d23e07bf4d7b2c92bc7a143dd68825d758dd1ff
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVr:vHW138/iXWlK885rKlGSekcj66ciEr

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2920	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

husop.exekounv.exe

pid	Process
2288	husop.exe
2320	kounv.exe

Loads dropped DLL 2 IoCs

Processes:

c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exehusop.exe

pid	Process
840	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe
2288	husop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exehusop.execmd.exekounv.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	husop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kounv.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

kounv.exe

pid	Process
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe
2320	kounv.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exehusop.exe

description	pid	Process	procid_target
PID 840 wrote to memory of 2288	840	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe	29
PID 840 wrote to memory of 2288	840	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe	29
PID 840 wrote to memory of 2288	840	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe	29
PID 840 wrote to memory of 2288	840	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe	29
PID 840 wrote to memory of 2920	840	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe	30
PID 840 wrote to memory of 2920	840	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe	30
PID 840 wrote to memory of 2920	840	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe	30
PID 840 wrote to memory of 2920	840	c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe	30
PID 2288 wrote to memory of 2320	2288	husop.exe	32
PID 2288 wrote to memory of 2320	2288	husop.exe	32
PID 2288 wrote to memory of 2320	2288	husop.exe	32
PID 2288 wrote to memory of 2320	2288	husop.exe	32

C:\Users\Admin\AppData\Local\Temp\c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe
"C:\Users\Admin\AppData\Local\Temp\c8e0c5b420545c005b8ffd1c9ebf3ff7c52afada3503d44a562600f5bd8c009eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\husop.exe
  "C:\Users\Admin\AppData\Local\Temp\husop.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\kounv.exe
    "C:\Users\Admin\AppData\Local\Temp\kounv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f5223b7c0aee190f7ced0dac4721abb1

SHA1
f1af6f4ec51f92ef6ccb99218ac23fc90430d1a1

SHA256
d82074d4f1961799821738b774a7ffe97b2b44de26e2ee9837c87416afe0dc54

SHA512
8373880892aefd5835decc1dae239129827e420c45cd7d5d6c7f5ce66999a3f211b218b94d3c0b5cfb4c57ef7bb395560a1669bf2c40a75ecd76f37a70872264

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e43b77b5ac662f87f08f42a35cb84622

SHA1
5716e86e093bf544dd2f3ad5ceb2ff61fc07d705

SHA256
71d0898bebe4a9ac81537d6e78b6541fdceb2c8d330224765dd95633f3557add

SHA512
f2fc9dca08a66c46c053f7dace53bbce57935449b8e0c5f3c61412275f9b3274090bfdbd0eeee44951559d8a6a73a538c1f6b3d18a0190b5ff615552abe89865

Download Submit
\Users\Admin\AppData\Local\Temp\husop.exe

Filesize
332KB

MD5
d436ebf69716c85bd1f938a5b143a62a

SHA1
54787fc5eb97ed9279dfc5f233ba842eb41eebb0

SHA256
978088f7bbbbfa2f83dd8f407217ce18c9e007de88e440a064b30243416dd867

SHA512
8764f26cdc1748f4c2faafd35d5cd0d44027bd4f32741eb5a2f412f09a00d13d11617449c759684c17b74d288df1ce97ecd9751d4f09af4e2c9e50f056925cf8

Download Submit
\Users\Admin\AppData\Local\Temp\kounv.exe

Filesize
172KB

MD5
281c0f332fd23ac1fdf0ab5988bf0b11

SHA1
45d767d9e0bf038c3d4689ada87a5cc852982a4c

SHA256
73b1fce151fec2669e1f5a033a747b34313e0f26c09cf7855fd2c7958b0a4cf3

SHA512
1eb37cd162b8731938ac41dfd7de6c648af5934bcae6f033872127eaac41d7f52f1d60828d9e4aebb533db2347cde8a0cfa59e164e1e783908045ed3cb9a80ff

Download Submit
memory/840-0-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/840-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/840-9-0x0000000002750000-0x00000000027D1000-memory.dmp

Filesize
516KB

Download
memory/840-20-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/2288-11-0x00000000001C0000-0x0000000000241000-memory.dmp

Filesize
516KB

Download
memory/2288-23-0x00000000001C0000-0x0000000000241000-memory.dmp

Filesize
516KB

Download
memory/2288-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2288-38-0x0000000003900000-0x0000000003999000-memory.dmp

Filesize
612KB

Download
memory/2288-39-0x00000000001C0000-0x0000000000241000-memory.dmp

Filesize
516KB

Download
memory/2320-42-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/2320-41-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/2320-46-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/2320-47-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads