urelas | 13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398

General

Target

13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe
Size

332KB
MD5

d4dc0d308df5e95206a3996e1826e0f0
SHA1

11d31cdf3db5943ad568af9beb1ea22138a29ecf
SHA256

13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398
SHA512

3a12527907ea4a9a10bffb8401dc3218c58a29e7e0782bfde678b99f327dd5f99b506fef43e15d7927aea1e44515e14375f240226f22fff1e20ac5355234c092
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVj:vHW138/iXWlK885rKlGSekcj66ciEj

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1364 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

qumoq.exeijuvt.exe

pid process

3024 qumoq.exe
1956 ijuvt.exe
Loads dropped DLL 2 IoCs

Processes:

13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exequmoq.exe

pid process

2316 13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe
3024 qumoq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1364	cmd.exe

pid	process
3024	qumoq.exe
1956	ijuvt.exe

pid	process
2316	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe
3024	qumoq.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exequmoq.execmd.exeijuvt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qumoq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ijuvt.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

ijuvt.exe

pid	process
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe
1956	ijuvt.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exequmoq.exe

description	pid	process	target process
PID 2316 wrote to memory of 3024	2316	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	qumoq.exe
PID 2316 wrote to memory of 3024	2316	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	qumoq.exe
PID 2316 wrote to memory of 3024	2316	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	qumoq.exe
PID 2316 wrote to memory of 3024	2316	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	qumoq.exe
PID 2316 wrote to memory of 1364	2316	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	cmd.exe
PID 2316 wrote to memory of 1364	2316	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	cmd.exe
PID 2316 wrote to memory of 1364	2316	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	cmd.exe
PID 2316 wrote to memory of 1364	2316	13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe	cmd.exe
PID 3024 wrote to memory of 1956	3024	qumoq.exe	ijuvt.exe
PID 3024 wrote to memory of 1956	3024	qumoq.exe	ijuvt.exe
PID 3024 wrote to memory of 1956	3024	qumoq.exe	ijuvt.exe
PID 3024 wrote to memory of 1956	3024	qumoq.exe	ijuvt.exe

C:\Users\Admin\AppData\Local\Temp\13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe
"C:\Users\Admin\AppData\Local\Temp\13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\qumoq.exe
  "C:\Users\Admin\AppData\Local\Temp\qumoq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\ijuvt.exe
    "C:\Users\Admin\AppData\Local\Temp\ijuvt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b894925e57c9f98debe0a09b905518fe

SHA1
68c2149448f56c2057df9ef76fd227a18b9d39bc

SHA256
8ffdf586ab3ce73a65dd5548babe3b33cc4fbd3a941fb975cd821a9027f42783

SHA512
0b97ccd3521fc66080efaf5e8b7249f6dd8fbfb993c1ad50bca12240d40a11f5f15251b21dbe8f8563d701d9481576d4c0df121ae58017e1fe3f845c38d22b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3028cba74abd90be092593703a352772

SHA1
2472bece0714c898c01dc7f7379ba51dcaabf614

SHA256
bd90a7f8551a348d1784c3f7ca405614116d0c273e719a8bd2833df81a09142c

SHA512
5046b410272f33174e8241f0c49145b0c79822cabee6392e6b334684705cce6fd6d43250f09e20b1648df4b92410d21ae217d1e5bb2b5e8d32a78d6dd3df5353

Download Submit
C:\Users\Admin\AppData\Local\Temp\qumoq.exe

Filesize
332KB

MD5
9e4cc621527bb1f9cdce1c77bcc79040

SHA1
d0cffbadfe741fc334b1aa80642c356eaea84354

SHA256
5cf4f8670e802d0935e81eccc087f12c32c41301b015edee1a476607e242d39d

SHA512
6467a104651dcc4f53c1f136bca658bce1fd6663eb8ef8c997deb6c03ab26ed2083f35461936306da17391f4209bca76f7c5e336cb1cf922071fb62b9ec7e013

Download Submit
\Users\Admin\AppData\Local\Temp\ijuvt.exe

Filesize
172KB

MD5
7767dcca8f38ecd0d0cbcbaba2327fa1

SHA1
86c802db7e2d1e7587de2afd5750bc7279aad7b8

SHA256
41b7240d8be7cad0044cecc8259fd754e2610f7325d93cb2de15a4398c0794fe

SHA512
6a82ad6d86dc3e8b2d9248a82be3a7fc2dcd359874687fd59bc8d7cf8796f1247ee99d7056ad709b6c36213c4671d770c6dd0394666e99776793c26a1cc0190f

Download Submit
memory/1956-42-0x0000000000B00000-0x0000000000B99000-memory.dmp

Filesize
612KB

Download
memory/1956-47-0x0000000000B00000-0x0000000000B99000-memory.dmp

Filesize
612KB

Download
memory/1956-46-0x0000000000B00000-0x0000000000B99000-memory.dmp

Filesize
612KB

Download
memory/1956-41-0x0000000000B00000-0x0000000000B99000-memory.dmp

Filesize
612KB

Download
memory/2316-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2316-18-0x0000000000310000-0x0000000000391000-memory.dmp

Filesize
516KB

Download
memory/2316-0-0x0000000000310000-0x0000000000391000-memory.dmp

Filesize
516KB

Download
memory/3024-23-0x0000000000110000-0x0000000000191000-memory.dmp

Filesize
516KB

Download
memory/3024-38-0x0000000003260000-0x00000000032F9000-memory.dmp

Filesize
612KB

Download
memory/3024-40-0x0000000000110000-0x0000000000191000-memory.dmp

Filesize
516KB

Download
memory/3024-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3024-20-0x0000000000110000-0x0000000000191000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads