urelas | ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a

General

Target

ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe
Size

327KB
MD5

3a42324892ed90b441f4ca7f5003f197
SHA1

df571092643708c31152b637ed2f1887a8f7cbea
SHA256

ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a
SHA512

68c2a41f56bf984f95a3fcc055c96e98a7c8b35dee9b20744b9704369a30a2311965106cbde0fbd71f9d3fb4b240e4201c16efd889069d6f0d08601d7dd601b3
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYI:vHW138/iXWlK885rKlGSekcj66ci9

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1932 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

zoogv.exeyjsec.exe

pid process

2324 zoogv.exe
568 yjsec.exe
Loads dropped DLL 2 IoCs

Processes:

ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exezoogv.exe

pid process

1668 ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe
2324 zoogv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1932	cmd.exe

pid	process
2324	zoogv.exe
568	yjsec.exe

pid	process
1668	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe
2324	zoogv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

yjsec.exeecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exezoogv.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yjsec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zoogv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

yjsec.exe

pid	process
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe
568	yjsec.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exezoogv.exe

description	pid	process	target process
PID 1668 wrote to memory of 2324	1668	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	zoogv.exe
PID 1668 wrote to memory of 2324	1668	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	zoogv.exe
PID 1668 wrote to memory of 2324	1668	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	zoogv.exe
PID 1668 wrote to memory of 2324	1668	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	zoogv.exe
PID 1668 wrote to memory of 1932	1668	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	cmd.exe
PID 1668 wrote to memory of 1932	1668	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	cmd.exe
PID 1668 wrote to memory of 1932	1668	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	cmd.exe
PID 1668 wrote to memory of 1932	1668	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	cmd.exe
PID 2324 wrote to memory of 568	2324	zoogv.exe	yjsec.exe
PID 2324 wrote to memory of 568	2324	zoogv.exe	yjsec.exe
PID 2324 wrote to memory of 568	2324	zoogv.exe	yjsec.exe
PID 2324 wrote to memory of 568	2324	zoogv.exe	yjsec.exe

C:\Users\Admin\AppData\Local\Temp\ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe
"C:\Users\Admin\AppData\Local\Temp\ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\zoogv.exe
  "C:\Users\Admin\AppData\Local\Temp\zoogv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\yjsec.exe
    "C:\Users\Admin\AppData\Local\Temp\yjsec.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
aa871695149228d63195c3cfab93b26f

SHA1
450cd094bce0bc3c7cd398d2fa89528c88a7c954

SHA256
1f46b535ae994c35cb582bcc7d12340ad844492ba41b318f0461f3ddcda99017

SHA512
916be60582f9d1d10cae48ad08e33bd7932c17ded77d3bc2051bf7b089feb9e4e29e1645a94c1b4ba93739d1304c7c345e3d022d8bcf15ecb5cea33fd13311b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
028c2d726f14d44227411f0076e59c54

SHA1
df0432f354385ef8d181b26f8fc3929689b12b50

SHA256
41051ad3a36b5e7ca6a3e82b986d2d976ea8cf864c9c0d877ee35635643d7c98

SHA512
6fd946f0a78ee3184eadc703510fcd60f388a2ea152942606e40d8637664db5a378511e982e841fbe6329e63243f0c894d2e6ead279bdb2ded8239f2684ab113

Download Submit
\Users\Admin\AppData\Local\Temp\yjsec.exe

Filesize
172KB

MD5
6d95cb2671c73ca7a449e6da47f2174e

SHA1
fc22386b6ad2d8bf436e2fdf7028b6c9ecb1060a

SHA256
f6bc06047cf4f180672ea835666f447042bd085e91d587f6c7a2362e7459d878

SHA512
69a3c43442d0a76bfbe8f60f1110506be4088cf0e1cbde830928863ec84dddde871ef8d85e00b3a23de1e97999f66b190629c3ce2ad6eb3667a0c4928d4932b8

Download Submit
\Users\Admin\AppData\Local\Temp\zoogv.exe

Filesize
327KB

MD5
1a0dcbb2248ef1665ded5ab7c5ab6895

SHA1
2f0137a1c2594242ab6365f6fd3c523f82b7ea2a

SHA256
98cf6a63a7b5d34ad451e83a7cb40adc8330a68ea0b31f4cb1df35bd28722907

SHA512
af43904ddca25f5a93ee549c43d06d0bd1cf5e70a1f768e998f683f75bd22ea2d28720ce887598866941cd5856698d8ee50c145093fb1126bee348846245a879

Download Submit
memory/568-40-0x0000000000BF0000-0x0000000000C89000-memory.dmp

Filesize
612KB

Download
memory/568-46-0x0000000000BF0000-0x0000000000C89000-memory.dmp

Filesize
612KB

Download
memory/568-47-0x0000000000BF0000-0x0000000000C89000-memory.dmp

Filesize
612KB

Download
memory/568-45-0x0000000000BF0000-0x0000000000C89000-memory.dmp

Filesize
612KB

Download
memory/568-42-0x0000000000BF0000-0x0000000000C89000-memory.dmp

Filesize
612KB

Download
memory/568-49-0x0000000000BF0000-0x0000000000C89000-memory.dmp

Filesize
612KB

Download
memory/568-48-0x0000000000BF0000-0x0000000000C89000-memory.dmp

Filesize
612KB

Download
memory/1668-7-0x0000000002A10000-0x0000000002A91000-memory.dmp

Filesize
516KB

Download
memory/1668-20-0x00000000011B0000-0x0000000001231000-memory.dmp

Filesize
516KB

Download
memory/1668-0-0x00000000011B0000-0x0000000001231000-memory.dmp

Filesize
516KB

Download
memory/1668-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2324-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2324-38-0x0000000000E80000-0x0000000000F01000-memory.dmp

Filesize
516KB

Download
memory/2324-23-0x0000000000E80000-0x0000000000F01000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads