urelas | 6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3

General

Target

6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe
Size

332KB
MD5

9005adf6dc2001ebe4b8b45ccae3c8b0
SHA1

1338d6153061783232f99e6944b6144a4835a2e6
SHA256

6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3
SHA512

933431cf66acc4155c510ecd6b2603aecf4f757da8335edacf0c4e8812c72e52387479c645e6bd6b4d69c786f5903fe18e6b0f807edf9321669525ae704620e7
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYq:vHW138/iXWlK885rKlGSekcj66ciz

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3036 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

cuziv.exevuapu.exe

pid process

2624 cuziv.exe
2012 vuapu.exe
Loads dropped DLL 2 IoCs

Processes:

6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.execuziv.exe

pid process

2072 6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe
2624 cuziv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3036	cmd.exe

pid	process
2624	cuziv.exe
2012	vuapu.exe

pid	process
2072	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe
2624	cuziv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.execuziv.execmd.exevuapu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuziv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuapu.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

vuapu.exe

pid	process
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe
2012	vuapu.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.execuziv.exe

description	pid	process	target process
PID 2072 wrote to memory of 2624	2072	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	cuziv.exe
PID 2072 wrote to memory of 2624	2072	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	cuziv.exe
PID 2072 wrote to memory of 2624	2072	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	cuziv.exe
PID 2072 wrote to memory of 2624	2072	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	cuziv.exe
PID 2072 wrote to memory of 3036	2072	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	cmd.exe
PID 2072 wrote to memory of 3036	2072	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	cmd.exe
PID 2072 wrote to memory of 3036	2072	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	cmd.exe
PID 2072 wrote to memory of 3036	2072	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	cmd.exe
PID 2624 wrote to memory of 2012	2624	cuziv.exe	vuapu.exe
PID 2624 wrote to memory of 2012	2624	cuziv.exe	vuapu.exe
PID 2624 wrote to memory of 2012	2624	cuziv.exe	vuapu.exe
PID 2624 wrote to memory of 2012	2624	cuziv.exe	vuapu.exe

C:\Users\Admin\AppData\Local\Temp\6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe
"C:\Users\Admin\AppData\Local\Temp\6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\cuziv.exe
  "C:\Users\Admin\AppData\Local\Temp\cuziv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\vuapu.exe
    "C:\Users\Admin\AppData\Local\Temp\vuapu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
710943b4bc4cb3508979b0ff0dec9782

SHA1
bcffaf0cc3dc993ab846ec5de6f880721fb8f2d5

SHA256
d8b9e49cc44f652a3daebde2f6d26059cae4706e59d53500dbf5074cfcc4ce04

SHA512
13622271bf849268c7c24a56ddd17ad91a5ce8085f32a1b01c8ee324b642880066a03dfbc04c4c44bb94fb22ff22af0e1765d87fe8f8322a8bd54f6d51051b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuziv.exe

Filesize
332KB

MD5
0696fb0dd1de83d1eede0be134826d0d

SHA1
157366e2c06ca6bb54255975eb028201e62d153a

SHA256
95e6e02cdf99103e8556f81255796b487aa9e3a91e873657ec5580e9ccd45476

SHA512
55a219ea621793df7ab6c684eb9c83f9e60760d19d3132a8283198f3a90877fbe3fdfe96f8526bf2cdf640751a03d29a0bb799d860174c3d25180e6f00be74dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2af6c4c9d51b733b487179cd6a9f89d4

SHA1
5ad05d22097ed09b734cc93ed73ef54fa33a5835

SHA256
600e504652ec5665bedb710005a7a2a8a0b3b22b301185a3eb77ec6c80a71bef

SHA512
9cd46fedcd49f4511248f1e658cabaa49bcb527320cae002a387f6e4aa22aba72a1e27542ee2d7b25b26ed42915e72d8e9a3c174f679af007e48285239addc01

Download Submit
\Users\Admin\AppData\Local\Temp\vuapu.exe

Filesize
172KB

MD5
7cd49207bcef3b142244b9d77af4c97f

SHA1
a7a52117365029765ba29c51b85f4ad4241a48ea

SHA256
aa8896ecea76e7fde34f6235c3dfdc6955f8024ecfe207f95020754106fb2768

SHA512
ae8e478ab1f5439561153706e358cc62bff01f25cca76e230e60640d6483e92a47e85da9d9186352cdb63527b7acac3d69339a0a809e214f2b0d22b6a0eec216

Download Submit
memory/2012-46-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/2012-50-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/2012-49-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/2012-48-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/2012-44-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/2012-41-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/2012-47-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/2072-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2072-20-0x00000000012C0000-0x0000000001341000-memory.dmp

Filesize
516KB

Download
memory/2072-0-0x00000000012C0000-0x0000000001341000-memory.dmp

Filesize
516KB

Download
memory/2072-10-0x0000000002C70000-0x0000000002CF1000-memory.dmp

Filesize
516KB

Download
memory/2624-37-0x00000000036F0000-0x0000000003789000-memory.dmp

Filesize
612KB

Download
memory/2624-40-0x00000000000A0000-0x0000000000121000-memory.dmp

Filesize
516KB

Download
memory/2624-23-0x00000000000A0000-0x0000000000121000-memory.dmp

Filesize
516KB

Download
memory/2624-12-0x00000000000A0000-0x0000000000121000-memory.dmp

Filesize
516KB

Download
memory/2624-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads