urelas | 9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4

General

Target

9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe
Size

454KB
MD5

c78e49bc32b6fcfa5772254f2a503170
SHA1

d77a6a35c674d9497ef937b3aab56611f54d63eb
SHA256

9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4
SHA512

7d2cdba0e0c7ab379c304fe1b3a088dd400d07982a1538281deb7cc7a8c25b76b257d45bdd7a53a7425a05cb0d653cdd31fc363d20cdbe8e358d0abfd3467f08
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFTnm:CMpASIcWYx2U6hAJQnZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1852 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

cydum.exeqyewhe.exeoknyw.exe

pid process

2684 cydum.exe
2320 qyewhe.exe
588 oknyw.exe
Loads dropped DLL 3 IoCs

Processes:

9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.execydum.exeqyewhe.exe

pid process

1908 9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe
2684 cydum.exe
2320 qyewhe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1852	cmd.exe

pid	process
2684	cydum.exe
2320	qyewhe.exe
588	oknyw.exe

pid	process
1908	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe
2684	cydum.exe
2320	qyewhe.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.execydum.execmd.exeqyewhe.exeoknyw.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cydum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qyewhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oknyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

oknyw.exe

pid	process
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe
588	oknyw.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.execydum.exeqyewhe.exe

description	pid	process	target process
PID 1908 wrote to memory of 2684	1908	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe	cydum.exe
PID 1908 wrote to memory of 2684	1908	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe	cydum.exe
PID 1908 wrote to memory of 2684	1908	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe	cydum.exe
PID 1908 wrote to memory of 2684	1908	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe	cydum.exe
PID 1908 wrote to memory of 1852	1908	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe	cmd.exe
PID 1908 wrote to memory of 1852	1908	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe	cmd.exe
PID 1908 wrote to memory of 1852	1908	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe	cmd.exe
PID 1908 wrote to memory of 1852	1908	9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe	cmd.exe
PID 2684 wrote to memory of 2320	2684	cydum.exe	qyewhe.exe
PID 2684 wrote to memory of 2320	2684	cydum.exe	qyewhe.exe
PID 2684 wrote to memory of 2320	2684	cydum.exe	qyewhe.exe
PID 2684 wrote to memory of 2320	2684	cydum.exe	qyewhe.exe
PID 2320 wrote to memory of 588	2320	qyewhe.exe	oknyw.exe
PID 2320 wrote to memory of 588	2320	qyewhe.exe	oknyw.exe
PID 2320 wrote to memory of 588	2320	qyewhe.exe	oknyw.exe
PID 2320 wrote to memory of 588	2320	qyewhe.exe	oknyw.exe
PID 2320 wrote to memory of 1448	2320	qyewhe.exe	cmd.exe
PID 2320 wrote to memory of 1448	2320	qyewhe.exe	cmd.exe
PID 2320 wrote to memory of 1448	2320	qyewhe.exe	cmd.exe
PID 2320 wrote to memory of 1448	2320	qyewhe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe
"C:\Users\Admin\AppData\Local\Temp\9cbbc3506ef59fe1ee5234870796925598864441e42c64e64f2d73a2b79c6dd4N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\cydum.exe
  "C:\Users\Admin\AppData\Local\Temp\cydum.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\qyewhe.exe
    "C:\Users\Admin\AppData\Local\Temp\qyewhe.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\oknyw.exe
      "C:\Users\Admin\AppData\Local\Temp\oknyw.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:588
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
823bc86b6a84c45b9ac27172b1244718

SHA1
2d889fc2369e27a0ab0fa05355904892fa88ef49

SHA256
5ca5e52172ffd94ccb39ec2197d2be8f250006a719a69e64241419db4bb73894

SHA512
06f1f090b4713f7c703bc7dc698bfed434ce9293ef9508aa10449dd9bc5bc008f78eb09faccb26578c51abbd69da114b7bea8b0895006efd6a5878b3b50dc94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
78d0c49ad954a288048ebb97d7b7d34a

SHA1
eae0d88730712b31e6e4d32ab4b3057ff855b7e7

SHA256
fdb50dd549d5fcb95526720e8bd22d56d8b94b47b3308ec5e7a0e8e696f7322a

SHA512
ec002165b87e7e306ea5e9d260028d509d67f5c648ec838db25551a4c5c35a77413a38bc29d7c643b75485059a8b21cce137ab288503a32e70b048326dfef7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cydum.exe

Filesize
454KB

MD5
96d0b2ebcdda2a4679abd36e95c1691b

SHA1
0b2231cdb85c945bb6d16b462d5feabbcd7a2e71

SHA256
0c208d8d75df13957132abaa094232164f398a9e149cc6967821d24d61c6af44

SHA512
cd3dc1c80cccc0e5516bae9d03fc803fba43f00cf8f71e25c3da154750d80e9160bc665fd81cf7e3faa8c0ddb3dab09c5a003c3e7e976f372d42428e28ea1b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ec4556556cb7807e4ed02d98a05b9987

SHA1
649f9a8750ad04d62d7cc7897be7a8f4b5caa29f

SHA256
9da71e5f056f4a558bdfd6dc07c2c2cc980b77b74dccc30baae82ae7afc2c1d4

SHA512
b851ef5f6a96480e6ddef7ad35a9eb7a6868f17f827f29b1e9b5695ddecfc0acd54834afe36359ec810ac238543b32965d699a804ca3cd4380550f0124764f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oknyw.exe

Filesize
223KB

MD5
b8043c04c26fa449767c52af609b78fb

SHA1
4035819cf133e34cb140322a3d83d7aa42e46220

SHA256
29dfac4589da03dc830a583612f7ac7524c82b8da1e8fd946b24300e9d4bd534

SHA512
b073f403f18e8624d7cbff562171da8787382847f8157b653177b72219685e7bc6066a5f6d25f49b181e5fa62753330522b49ef051e75b7f92fc125037a7393c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyewhe.exe

Filesize
454KB

MD5
e871a10d96d738b2eb1d17a4a2b6e3e8

SHA1
b7eedd8c0b60137fdd63b9ef9fe9847a129d7c6b

SHA256
953897a419e6ca89d5a79bc08dd587c6b7f0d16a0c73e3eced75dfd0a6ca2c37

SHA512
bdb0bb2df2dd714cc5a3a7c6ef380910a9e38ede3a19c26d9a491f8aab882ed0e5c10b387d61aac354856d598f86eb8ce5db1f4139cab3983d84bc7944e22a1b

Download Submit
memory/588-39-0x0000000001380000-0x0000000001420000-memory.dmp

Filesize
640KB

Download
memory/588-51-0x0000000001380000-0x0000000001420000-memory.dmp

Filesize
640KB

Download
memory/588-52-0x0000000001380000-0x0000000001420000-memory.dmp

Filesize
640KB

Download
memory/1908-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1908-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2320-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2320-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2320-48-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2320-37-0x0000000003B00000-0x0000000003BA0000-memory.dmp

Filesize
640KB

Download
memory/2684-26-0x0000000003810000-0x000000000387E000-memory.dmp

Filesize
440KB

Download
memory/2684-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2684-20-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads