urelas | a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482

General

Target

a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
Size

335KB
MD5

32b6decf1f8f55af9dc2a48997ebf910
SHA1

b19a9b5476ec7afa01a63083dea8961119652928
SHA256

a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482
SHA512

d2a82fae0b0621190260475b39f2d040cee0c25f302f5a4f60c164accfdad26d07b8df1cf408588f93769a1b56d12aa167200ef9880795794dd6d669ba14dced
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66ciA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2332 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

ryqox.exexaajn.exe

pid process

1984 ryqox.exe
1688 xaajn.exe
Loads dropped DLL 2 IoCs

Processes:

a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exeryqox.exe

pid process

2504 a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
1984 ryqox.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2332	cmd.exe

pid	process
1984	ryqox.exe
1688	xaajn.exe

pid	process
2504	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
1984	ryqox.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ryqox.execmd.exexaajn.exea50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ryqox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xaajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

xaajn.exe

pid	process
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe
1688	xaajn.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exeryqox.exe

description	pid	process	target process
PID 2504 wrote to memory of 1984	2504	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	ryqox.exe
PID 2504 wrote to memory of 1984	2504	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	ryqox.exe
PID 2504 wrote to memory of 1984	2504	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	ryqox.exe
PID 2504 wrote to memory of 1984	2504	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	ryqox.exe
PID 2504 wrote to memory of 2332	2504	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	cmd.exe
PID 2504 wrote to memory of 2332	2504	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	cmd.exe
PID 2504 wrote to memory of 2332	2504	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	cmd.exe
PID 2504 wrote to memory of 2332	2504	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	cmd.exe
PID 1984 wrote to memory of 1688	1984	ryqox.exe	xaajn.exe
PID 1984 wrote to memory of 1688	1984	ryqox.exe	xaajn.exe
PID 1984 wrote to memory of 1688	1984	ryqox.exe	xaajn.exe
PID 1984 wrote to memory of 1688	1984	ryqox.exe	xaajn.exe

C:\Users\Admin\AppData\Local\Temp\a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
"C:\Users\Admin\AppData\Local\Temp\a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\ryqox.exe
  "C:\Users\Admin\AppData\Local\Temp\ryqox.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\xaajn.exe
    "C:\Users\Admin\AppData\Local\Temp\xaajn.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
9a048aa325b4689fdcfd1e04de51f69b

SHA1
5072d2a39083b15bceb55a02483f35eda0ad9150

SHA256
e99675057f0b5161be35b2ee5baf34c89f00962c77ab2307860014e46e890727

SHA512
5e66b9da190a61c7814fc2961f6135a15a53a975fb2fef3cd1957cbd9541c4b8acaf37bd0ef479e7be898813460692a02c4618d8de699a166365e11b15d3ac8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
67ccb55224e4e7c039ff6de5220ebb64

SHA1
cfb95faac96cb0526e3215c50fe8ac25c2de79ac

SHA256
70a5ff3f55f9af1f87b79dbd97751f8a3b95e6121735988360ee9fe1a42b271e

SHA512
7cbbc0aac00c54dd94b909e83dda469038c49df0298ff5543f082ee94493197608afeed1c1f5ea6ac7a0fe1916ec9466da8c863cd6ad4ebb078f24af915a6477

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryqox.exe

Filesize
335KB

MD5
7224798dac1e11fda079ecfa9f0b85eb

SHA1
910b915f1a1efeb2cbef762b895faa59a426f380

SHA256
d9757f0ee0930a497f1183d615ec91ebb80b7a8f6f5653ed1f8bd0d9e04e6251

SHA512
8b57a2bce87ddcbb3655a10769bc7a69eb47713ed6ad0ba963eadb30c959ab5d6b81ddb13c6e4e1cbd4bb7c3fbc98abc7bbd70a5f87da2ba6806a183466e11d7

Download Submit
\Users\Admin\AppData\Local\Temp\xaajn.exe

Filesize
172KB

MD5
408d9e20d396efbe81238c5bccc24256

SHA1
8defd9a21914a954fac93242526950e39a3241c4

SHA256
18836bd49809c19474d70329b2ff22820cc461dc04dd733f421589b525c345b4

SHA512
33ce6dd211a1f45b68dca2674cc188a693aee3d07a28dbe9ce3ae068670569b3f00ce88ddac0f551e90531f1fc0dc1e85c6f501bbff38b353e7747365e0b45d4

Download Submit
memory/1688-40-0x0000000000800000-0x0000000000899000-memory.dmp

Filesize
612KB

Download
memory/1688-43-0x0000000000800000-0x0000000000899000-memory.dmp

Filesize
612KB

Download
memory/1688-47-0x0000000000800000-0x0000000000899000-memory.dmp

Filesize
612KB

Download
memory/1688-48-0x0000000000800000-0x0000000000899000-memory.dmp

Filesize
612KB

Download
memory/1984-11-0x0000000001290000-0x0000000001311000-memory.dmp

Filesize
516KB

Download
memory/1984-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1984-24-0x0000000001290000-0x0000000001311000-memory.dmp

Filesize
516KB

Download
memory/1984-42-0x0000000001290000-0x0000000001311000-memory.dmp

Filesize
516KB

Download
memory/1984-39-0x0000000003520000-0x00000000035B9000-memory.dmp

Filesize
612KB

Download
memory/2504-10-0x0000000000D80000-0x0000000000E01000-memory.dmp

Filesize
516KB

Download
memory/2504-21-0x0000000000FA0000-0x0000000001021000-memory.dmp

Filesize
516KB

Download
memory/2504-0-0x0000000000FA0000-0x0000000001021000-memory.dmp

Filesize
516KB

Download
memory/2504-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads