urelas | f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0a

General

Target

f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe
Size

332KB
MD5

8ec941fc6702f584dded6bd4ea2d0730
SHA1

b4f114f72de169ac51740d47cf254db76991974f
SHA256

f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0a
SHA512

a5733e07fcddb2f652ace08c6924406bd076681753d180b947ecd01e4d1d78b616e09789aa8d550c5278987716fa5d4adf6350804ed36b4ea1a7d71344c70ba2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVVD:vHW138/iXWlK885rKlGSekcj66ciEVD

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2944 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

lyvij.exeosfoi.exe

pid process

2528 lyvij.exe
1996 osfoi.exe
Loads dropped DLL 2 IoCs

Processes:

f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exelyvij.exe

pid process

2488 f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe
2528 lyvij.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2944	cmd.exe

pid	process
2528	lyvij.exe
1996	osfoi.exe

pid	process
2488	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe
2528	lyvij.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exelyvij.execmd.exeosfoi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lyvij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osfoi.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

osfoi.exe

pid	process
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe
1996	osfoi.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exelyvij.exe

description	pid	process	target process
PID 2488 wrote to memory of 2528	2488	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe	lyvij.exe
PID 2488 wrote to memory of 2528	2488	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe	lyvij.exe
PID 2488 wrote to memory of 2528	2488	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe	lyvij.exe
PID 2488 wrote to memory of 2528	2488	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe	lyvij.exe
PID 2488 wrote to memory of 2944	2488	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe	cmd.exe
PID 2488 wrote to memory of 2944	2488	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe	cmd.exe
PID 2488 wrote to memory of 2944	2488	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe	cmd.exe
PID 2488 wrote to memory of 2944	2488	f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe	cmd.exe
PID 2528 wrote to memory of 1996	2528	lyvij.exe	osfoi.exe
PID 2528 wrote to memory of 1996	2528	lyvij.exe	osfoi.exe
PID 2528 wrote to memory of 1996	2528	lyvij.exe	osfoi.exe
PID 2528 wrote to memory of 1996	2528	lyvij.exe	osfoi.exe

C:\Users\Admin\AppData\Local\Temp\f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe
"C:\Users\Admin\AppData\Local\Temp\f7beae4526286a3a56e62e69d512a27c8acb1f2300052fc4f235f7f128ce0d0aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\lyvij.exe
  "C:\Users\Admin\AppData\Local\Temp\lyvij.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\osfoi.exe
    "C:\Users\Admin\AppData\Local\Temp\osfoi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
2afb6d789377100540acb4d4006cd188

SHA1
73a8e08e2d6b2b1ddf2388cfa5173e68a8802e11

SHA256
a4edb0fa1ffa588d67214b678c83cd2619db3de127f189f5b35f8be562d2b559

SHA512
38a14c23b83c138cc7129f831119fd8181726ebb5714e0fae349e9ace7722c84e56353c4ce4bd139fbc357647685aaaa55781b0d2a703858aaaaf416f4e2e9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
58fcad3e298ebbfd4f53c788cd1cf322

SHA1
ef43b97d8c575998ed3b4beb79f15fd3f3696867

SHA256
dea6c282d6e5490030523a72a5f125a24ea89d06d7debff667cb5abc87fcfd73

SHA512
6f72c4c26bfc2f79847777bfa80a3d81a505afc393e0d29b2028f86f3b1a13613326ad232ff1f90dd5a292e823b2fd35a125eb06c36cbec5eaefc7c2da6244fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyvij.exe

Filesize
332KB

MD5
9b83fa9e798fa1ce15be41376af22223

SHA1
92357eff6cbf09b6e9aecfc77d2f213320ee7957

SHA256
666fd8b170ad4aeeeb5c35a15a355b41945b0f9e46def1690e03739def222fc1

SHA512
ec2afa6de9f7af812a623edc7dfe19324fe314c0575fa97ecaa5debc06373eb2368b4d8657436e9e5b2a3dc3b721bb4b2e9e85a4bf884ed38244d5c621657ad2

Download Submit
\Users\Admin\AppData\Local\Temp\osfoi.exe

Filesize
172KB

MD5
1085a57f920ca371d46d3500f8bc52fc

SHA1
32c4c352baba300c92309ba21249d3ab53205c9b

SHA256
72903c4487664d2668bb418810b305a720f6e11ab5d342d07e1bd7f407dddc98

SHA512
d5b3821ed2134ba9e5a5819632df3fb4380cd1b1178d29cf84cb65a56e5a0953c19a33c3d07a223e1b30f55c7abe77427c64511b515e941e0ac930877f1b178e

Download Submit
memory/1996-42-0x0000000000E00000-0x0000000000E99000-memory.dmp

Filesize
612KB

Download
memory/1996-47-0x0000000000E00000-0x0000000000E99000-memory.dmp

Filesize
612KB

Download
memory/1996-46-0x0000000000E00000-0x0000000000E99000-memory.dmp

Filesize
612KB

Download
memory/2488-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2488-19-0x0000000000A50000-0x0000000000AD1000-memory.dmp

Filesize
516KB

Download
memory/2488-17-0x00000000009C0000-0x0000000000A41000-memory.dmp

Filesize
516KB

Download
memory/2488-0-0x0000000000A50000-0x0000000000AD1000-memory.dmp

Filesize
516KB

Download
memory/2528-24-0x0000000000210000-0x0000000000291000-memory.dmp

Filesize
516KB

Download
memory/2528-41-0x0000000000210000-0x0000000000291000-memory.dmp

Filesize
516KB

Download
memory/2528-37-0x0000000003CA0000-0x0000000003D39000-memory.dmp

Filesize
612KB

Download
memory/2528-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2528-20-0x0000000000210000-0x0000000000291000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads