urelas | 960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940

General

Target

960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe
Size

335KB
MD5

31463bff05962a340451ade401cd245d
SHA1

2f12b72d85e2eb2aa69809c0e9f927d1049eb663
SHA256

960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940
SHA512

e2268a4f9aa86667dc5e1dc832545eed8bcdfb36fc16673a7fb6262ab12e110c74777929787cf266f4cccb53d9f8bc820bea18aa7b10b4819d030a629762b2b3
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66ciA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2596 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

kydoo.exewejeg.exe

pid process

1040 kydoo.exe
2768 wejeg.exe
Loads dropped DLL 2 IoCs

Processes:

960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exekydoo.exe

pid process

2416 960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe
1040 kydoo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2596	cmd.exe

pid	process
1040	kydoo.exe
2768	wejeg.exe

pid	process
2416	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe
1040	kydoo.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exekydoo.execmd.exewejeg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kydoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wejeg.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

wejeg.exe

pid	process
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe
2768	wejeg.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exekydoo.exe

description	pid	process	target process
PID 2416 wrote to memory of 1040	2416	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe	kydoo.exe
PID 2416 wrote to memory of 1040	2416	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe	kydoo.exe
PID 2416 wrote to memory of 1040	2416	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe	kydoo.exe
PID 2416 wrote to memory of 1040	2416	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe	kydoo.exe
PID 2416 wrote to memory of 2596	2416	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe	cmd.exe
PID 2416 wrote to memory of 2596	2416	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe	cmd.exe
PID 2416 wrote to memory of 2596	2416	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe	cmd.exe
PID 2416 wrote to memory of 2596	2416	960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe	cmd.exe
PID 1040 wrote to memory of 2768	1040	kydoo.exe	wejeg.exe
PID 1040 wrote to memory of 2768	1040	kydoo.exe	wejeg.exe
PID 1040 wrote to memory of 2768	1040	kydoo.exe	wejeg.exe
PID 1040 wrote to memory of 2768	1040	kydoo.exe	wejeg.exe

C:\Users\Admin\AppData\Local\Temp\960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe
"C:\Users\Admin\AppData\Local\Temp\960d2e904aa6496adc954a24a5d94a1063d64eb3590ceec5e3e4e7a4668c8940.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\kydoo.exe
  "C:\Users\Admin\AppData\Local\Temp\kydoo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\wejeg.exe
    "C:\Users\Admin\AppData\Local\Temp\wejeg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b3187a86766b2ef06bd7a0728e077f62

SHA1
fd760cc762b685cdd8fef0e8d6f2e25e40e38b73

SHA256
ead8a0f009a8366a15e7ced6b3224b0f9281a0261612a3d8f8c0cc55ff05fd3e

SHA512
4ad983a3d2bf09d15dbe9f05fc373d4e60c5485379e550fc8b62ac9a267202b2661245738129a4b2eb9185e6739dc175ebbf1227c444fb4f956ac79dbf3d4c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
57d3bdaeae3719dc04e483022acbe8b5

SHA1
438e2bc4984d87fd3a1a80a50768b53ab34482e7

SHA256
ae6a200df734e70655e91353965d839d4b988840ffa561c78ff433335b9f4687

SHA512
6d3a8a1f4b7ed493257749a05c89d88f571e604dbc2ef4c4fcf71f060e8523cfdc2125618911a09fc0e029a19052f7e59c7c01dc52fb36ac8b55f2d7ba913a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\kydoo.exe

Filesize
335KB

MD5
d1b68f2bdcae5254dbc94e5ae0d15e58

SHA1
21fd733c99400a2eab529d9dc98ea64cf052002d

SHA256
0248acc21b1dcda061876ea589a7d691496b68beb3b1c6d24b0aa9058e2c930f

SHA512
ab15fd7dedded1bf0849dbdb12dca5a6710700025318b166bbc0a18175b71c548d6e337093f1d42c075f1c87e8f6f743484074dc658ea0000117cc1307db475b

Download Submit
\Users\Admin\AppData\Local\Temp\wejeg.exe

Filesize
172KB

MD5
15ee15487d6bfb7a82bdea24d066c130

SHA1
066d8a14d4fdab5c3a6f5a9ec0c18720f9e9c79c

SHA256
ceb999d51f3a6b3c44590f3a879f455f879c21ca72ba09d951542d0c3d559302

SHA512
950ce3a3c194740f1065016b7b8ca17174203e7369e6ca2e5597820ff2ab532b74e2c2606a875eeced7e299f063de3b3949565d7313a786246d99de50c01ebf4

Download Submit
memory/1040-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1040-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1040-23-0x00000000008F0000-0x0000000000971000-memory.dmp

Filesize
516KB

Download
memory/1040-37-0x0000000003D40000-0x0000000003DD9000-memory.dmp

Filesize
612KB

Download
memory/1040-42-0x00000000008F0000-0x0000000000971000-memory.dmp

Filesize
516KB

Download
memory/2416-20-0x0000000000920000-0x00000000009A1000-memory.dmp

Filesize
516KB

Download
memory/2416-7-0x0000000002120000-0x00000000021A1000-memory.dmp

Filesize
516KB

Download
memory/2416-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2416-0-0x0000000000920000-0x00000000009A1000-memory.dmp

Filesize
516KB

Download
memory/2768-41-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/2768-43-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/2768-47-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download
memory/2768-48-0x0000000000E40000-0x0000000000ED9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads