urelas | f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ce

General

Target

f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe
Size

325KB
MD5

eab16fabf805f96807856a0c861691f0
SHA1

03ea520ecbb5f02f97319c69a6c733d03d4fb2c1
SHA256

f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ce
SHA512

2b8cf1ba430c18afb23b7ccb66d6f5ff999714d06437c363d306a220892413ee73f1b2053620fe55ee6c5cbf6033990037723ae3dc58d29ef3dd55eae0e24388
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYI:vHW138/iXWlK885rKlGSekcj66ci5

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2484 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

kazih.exegaqyc.exe

pid process

2068 kazih.exe
2680 gaqyc.exe
Loads dropped DLL 2 IoCs

Processes:

f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exekazih.exe

pid process

236 f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe
2068 kazih.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2484	cmd.exe

pid	process
2068	kazih.exe
2680	gaqyc.exe

pid	process
236	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe
2068	kazih.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exekazih.execmd.exegaqyc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kazih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gaqyc.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

gaqyc.exe

pid	process
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe
2680	gaqyc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exekazih.exe

description	pid	process	target process
PID 236 wrote to memory of 2068	236	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe	kazih.exe
PID 236 wrote to memory of 2068	236	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe	kazih.exe
PID 236 wrote to memory of 2068	236	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe	kazih.exe
PID 236 wrote to memory of 2068	236	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe	kazih.exe
PID 236 wrote to memory of 2484	236	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe	cmd.exe
PID 236 wrote to memory of 2484	236	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe	cmd.exe
PID 236 wrote to memory of 2484	236	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe	cmd.exe
PID 236 wrote to memory of 2484	236	f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe	cmd.exe
PID 2068 wrote to memory of 2680	2068	kazih.exe	gaqyc.exe
PID 2068 wrote to memory of 2680	2068	kazih.exe	gaqyc.exe
PID 2068 wrote to memory of 2680	2068	kazih.exe	gaqyc.exe
PID 2068 wrote to memory of 2680	2068	kazih.exe	gaqyc.exe

C:\Users\Admin\AppData\Local\Temp\f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe
"C:\Users\Admin\AppData\Local\Temp\f674a1c3b87a10f9a0ffcb6d23ac8425230718fc51e1d353e40da9541a7b70ceN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:236
- C:\Users\Admin\AppData\Local\Temp\kazih.exe
  "C:\Users\Admin\AppData\Local\Temp\kazih.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\gaqyc.exe
    "C:\Users\Admin\AppData\Local\Temp\gaqyc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
ebdf1267d2e6846a1f521c8f1b6f74ca

SHA1
219b98873404f0a8ceb431fcbb903a317f23ab28

SHA256
055aedc76fce6d5aa59a0768f1e6345449751ebfa6c393f5399b3ffc805648ec

SHA512
449066aa1893658791bfb9b41aabcbaa1c0506041b062abda45c251d94f90478d533796f8352d3edd1bd4d0caa5c8044a8d4a539967315715eca69ca0614a669

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b8c6461814b0b5888f20bf3bda2a17d9

SHA1
4f3520b222d244a5ae5b3b8069c7ab821634713e

SHA256
2892c9d45456babe8fc2f1176bd4277ba47a21afc6e606c95cf621260d99fed2

SHA512
7a630c6498f7d824aa8a967fbe8944f3ccc20e43efe69f4b92318d26e283130bd65a959ce8a8cb948f7594f1cf90cafd41750537a49582a96bb8081429299060

Download Submit
C:\Users\Admin\AppData\Local\Temp\kazih.exe

Filesize
325KB

MD5
f5beb6c645ee2d3dc5e00f157a3f15bc

SHA1
322ddf514a944b6a30d9a4f82c3ee7176d9846c9

SHA256
bd9e0bf7dcffa48a991835e13faef95c15cb85f25a432d56e2f6a5af26183dd1

SHA512
9f21f74434335b1e5c72beabb75ba569ec35ec9e172be808da1df823132d8fcef5f4c806a5065006013d226ce08c3c13c749654c0608bdee0047df17f71c14fd

Download Submit
\Users\Admin\AppData\Local\Temp\gaqyc.exe

Filesize
172KB

MD5
3f74b3cd475f4e460fc4811b293bf91f

SHA1
ab1a7e833b526c4188bb98887f9474083a1f117e

SHA256
f5e6c00dbd5ad0178a7d531f56acd4f2b83ed14b34eef65d6cc5dfbf87f37613

SHA512
215cef111ede7ccc9f20e64d44ad524e67bcc1759099a2c9e8e0018c0789fbc6c17d59c72bb0da62e33f6aa2b6446f04a0277dbe571c7110f80b3092d12e85ac

Download Submit
memory/236-0-0x00000000012E0000-0x0000000001361000-memory.dmp

Filesize
516KB

Download
memory/236-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/236-16-0x00000000010C0000-0x0000000001141000-memory.dmp

Filesize
516KB

Download
memory/236-20-0x00000000012E0000-0x0000000001361000-memory.dmp

Filesize
516KB

Download
memory/2068-18-0x00000000008A0000-0x0000000000921000-memory.dmp

Filesize
516KB

Download
memory/2068-23-0x00000000008A0000-0x0000000000921000-memory.dmp

Filesize
516KB

Download
memory/2068-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2068-36-0x0000000003310000-0x00000000033A9000-memory.dmp

Filesize
612KB

Download
memory/2068-40-0x00000000008A0000-0x0000000000921000-memory.dmp

Filesize
516KB

Download
memory/2680-41-0x0000000000AF0000-0x0000000000B89000-memory.dmp

Filesize
612KB

Download
memory/2680-42-0x0000000000AF0000-0x0000000000B89000-memory.dmp

Filesize
612KB

Download
memory/2680-46-0x0000000000AF0000-0x0000000000B89000-memory.dmp

Filesize
612KB

Download
memory/2680-47-0x0000000000AF0000-0x0000000000B89000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads