urelas | a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429

General

Target

a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe
Size

332KB
MD5

926d44f877c6b8877309b7dc186c5650
SHA1

d21eb91f9d20bb0d3a3ccd5edd4dd48d900a54df
SHA256

a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429
SHA512

486b60f8b1ee93f7b52f8f911e4284b7c384a23a68e4736d5fd6b9dd97c1be5cae23f24fce95f11c98e954bfb029ef55d84bab57dcc9fbbeda6a61e4b6548fc2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVO:vHW138/iXWlK885rKlGSekcj66ciEO

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2340 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

jiwoj.exevydoh.exe

pid process

1864 jiwoj.exe
1396 vydoh.exe
Loads dropped DLL 2 IoCs

Processes:

a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exejiwoj.exe

pid process

1732 a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe
1864 jiwoj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2340	cmd.exe

pid	process
1864	jiwoj.exe
1396	vydoh.exe

pid	process
1732	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe
1864	jiwoj.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.execmd.exejiwoj.exevydoh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jiwoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vydoh.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

vydoh.exe

pid	process
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe
1396	vydoh.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exejiwoj.exe

description	pid	process	target process
PID 1732 wrote to memory of 1864	1732	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe	jiwoj.exe
PID 1732 wrote to memory of 1864	1732	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe	jiwoj.exe
PID 1732 wrote to memory of 1864	1732	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe	jiwoj.exe
PID 1732 wrote to memory of 1864	1732	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe	jiwoj.exe
PID 1732 wrote to memory of 2340	1732	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe	cmd.exe
PID 1732 wrote to memory of 2340	1732	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe	cmd.exe
PID 1732 wrote to memory of 2340	1732	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe	cmd.exe
PID 1732 wrote to memory of 2340	1732	a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe	cmd.exe
PID 1864 wrote to memory of 1396	1864	jiwoj.exe	vydoh.exe
PID 1864 wrote to memory of 1396	1864	jiwoj.exe	vydoh.exe
PID 1864 wrote to memory of 1396	1864	jiwoj.exe	vydoh.exe
PID 1864 wrote to memory of 1396	1864	jiwoj.exe	vydoh.exe

C:\Users\Admin\AppData\Local\Temp\a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe
"C:\Users\Admin\AppData\Local\Temp\a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\jiwoj.exe
  "C:\Users\Admin\AppData\Local\Temp\jiwoj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\vydoh.exe
    "C:\Users\Admin\AppData\Local\Temp\vydoh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
954d08d6a12a118077cfc71bbd9a60fa

SHA1
491cfe3cdcced90d2f7ca27c1ec8ea91688b2c99

SHA256
3f273f97b5095a089cee89df487b2b61ac558141aa852f98e51cdb7e294156d7

SHA512
01008c5e95943cf07ba1cf03d58a0f26081207709c101b51cac0941feb4ba18cc1d9b40958ef2dd488b53abc0789ae34514ad340e588ac00450534c28f3c63e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
439d43cd3bd3cabd276eb27696258fbf

SHA1
266b85f2a1b92cfa0e7016883039446f11c87eef

SHA256
041460f3bb52bdb6811d6c61abc5ad9305f595f4d2d0bb8d159b1715954cb69a

SHA512
6157b3f29dc8c00439c626460a9791164350ecfd2b2ebccdf2b033365f4faeef2417c1f21bca453a36e7564281df3df87daca8e0a43237846d228713fcea5239

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiwoj.exe

Filesize
332KB

MD5
600c76d231c26aaaa050ea59c2888c12

SHA1
02687f113d842df582051bf316f3d8f7414f7ae6

SHA256
8ed9c6a06e9c23784b44e4c8773ec3b8836ab60dc8f9c500e1663970e344d37f

SHA512
f1ede21ec7e45d429fa696f7178c7510b46b9facb57f116f14703caa01a0eb3bf6c0c23efe62df29237c933bb2d7ca6710584388dbdbc7637a5ca688e29a9ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vydoh.exe

Filesize
172KB

MD5
fddaa20ef32065b674081b6a38809af8

SHA1
a640a3f18732ec882c6ffcac331ded6e6018a01d

SHA256
248a4ccf159fa373fd050e5305c4aa139491fb7e1342604a02faa714ebed8e0f

SHA512
6b1829a62efc86dfb8197a5f0481862aa9ab5a995073dc0937e8b6384297958dcae491de239632b8de332edba0c4f770c6cf52a67eb3aefaf4d86abbcc112273

Download Submit
memory/1396-43-0x0000000000A40000-0x0000000000AD9000-memory.dmp

Filesize
612KB

Download
memory/1396-48-0x0000000000A40000-0x0000000000AD9000-memory.dmp

Filesize
612KB

Download
memory/1396-47-0x0000000000A40000-0x0000000000AD9000-memory.dmp

Filesize
612KB

Download
memory/1396-42-0x0000000000A40000-0x0000000000AD9000-memory.dmp

Filesize
612KB

Download
memory/1732-0-0x0000000000A90000-0x0000000000B11000-memory.dmp

Filesize
516KB

Download
memory/1732-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1732-10-0x00000000026E0000-0x0000000002761000-memory.dmp

Filesize
516KB

Download
memory/1732-20-0x0000000000A90000-0x0000000000B11000-memory.dmp

Filesize
516KB

Download
memory/1864-11-0x0000000000F10000-0x0000000000F91000-memory.dmp

Filesize
516KB

Download
memory/1864-41-0x0000000000F10000-0x0000000000F91000-memory.dmp

Filesize
516KB

Download
memory/1864-24-0x0000000000F10000-0x0000000000F91000-memory.dmp

Filesize
516KB

Download
memory/1864-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1864-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads