urelas | 97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52

General

Target

97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
Size

332KB
MD5

efb9d248a446a3a7434267d9b4d123c0
SHA1

3fe98e4298e590b5cc2ee56260b39c34a6790832
SHA256

97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52
SHA512

c88b18d6833b3dd913e67028926cb297866c2b1af65dc9c2e264860365004b525eda2b005d8bf9d3f7a330a4e259a7a44301ad82bf3c58d0ed4f3e0574fc36ee
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYK:vHW138/iXWlK885rKlGSekcj66cij

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3016 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

joozk.exeydysl.exe

pid process

2152 joozk.exe
2016 ydysl.exe
Loads dropped DLL 2 IoCs

Processes:

97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exejoozk.exe

pid process

2112 97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
2152 joozk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3016	cmd.exe

pid	process
2152	joozk.exe
2016	ydysl.exe

pid	process
2112	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
2152	joozk.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exejoozk.execmd.exeydysl.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	joozk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ydysl.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

ydysl.exe

pid	process
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe
2016	ydysl.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exejoozk.exe

description	pid	process	target process
PID 2112 wrote to memory of 2152	2112	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	joozk.exe
PID 2112 wrote to memory of 2152	2112	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	joozk.exe
PID 2112 wrote to memory of 2152	2112	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	joozk.exe
PID 2112 wrote to memory of 2152	2112	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	joozk.exe
PID 2112 wrote to memory of 3016	2112	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	cmd.exe
PID 2112 wrote to memory of 3016	2112	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	cmd.exe
PID 2112 wrote to memory of 3016	2112	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	cmd.exe
PID 2112 wrote to memory of 3016	2112	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	cmd.exe
PID 2152 wrote to memory of 2016	2152	joozk.exe	ydysl.exe
PID 2152 wrote to memory of 2016	2152	joozk.exe	ydysl.exe
PID 2152 wrote to memory of 2016	2152	joozk.exe	ydysl.exe
PID 2152 wrote to memory of 2016	2152	joozk.exe	ydysl.exe

C:\Users\Admin\AppData\Local\Temp\97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
"C:\Users\Admin\AppData\Local\Temp\97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\joozk.exe
  "C:\Users\Admin\AppData\Local\Temp\joozk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\ydysl.exe
    "C:\Users\Admin\AppData\Local\Temp\ydysl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
8ea4423a847b146a107fe9decf920b20

SHA1
3f20f309fe0c8f7f982820a018655276a6dba841

SHA256
9f07da084a4e9d8fb2716988a84f4f2f7e5e9f3068e5399503baaa8780517374

SHA512
afcbf286839811a850271ea186df37b0b8f6c342d832f856af07ca0f17b0dcd5546e99fe91800bb661a5a1bee904139d44a384ed771678a9566a5b4b50bd4b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bc8360cf5e01abdda20d146ef64bfb54

SHA1
c4c5e9349314e6dde30a95a984ae3ebd6766857c

SHA256
6f3f53dee6a41c7665411faf0d9ac53bd1d1d604864c4af99ccde5267d93de17

SHA512
01aba5eab4908134f2a7fd16dae374b665a5fd22fb9d21e0d36572c7ec4806ba86ac7a28caa5aab3c8089b1afc82de132d3334eebbe1b6dddb9e9c2d3ad6fc64

Download Submit
\Users\Admin\AppData\Local\Temp\joozk.exe

Filesize
332KB

MD5
f711d686cf7a22685fac3651d67e38a8

SHA1
ce5193bbc2156b1c6106a84f3be473850a280cc4

SHA256
9df77c4ff64e7386d0a364cab7269443df6f7ec7b43bc9b0f72a7d7442e6e989

SHA512
4955c9009000bfb0c07077d111f807a3c372c2ceef83279431013eeadf70817403033134a16c86f9829afd681e851296bd6b34438ffeb5060a45cd049c1327c0

Download Submit
\Users\Admin\AppData\Local\Temp\ydysl.exe

Filesize
172KB

MD5
5367ee97670a4a0a5dd3a63a8cb4204c

SHA1
b6aff08575fd95aaa67ead09452ff4a922044b95

SHA256
466a35aabc17fbbd9078b70c997a695af88c9c10da44724f24ab51b6b706e144

SHA512
915440ecdb62fec42dce835435c72656af8e18df0cef8b4913b7de794e406d1a69fc19cbb28a749cb465cfcd778e7a810d6e9ad11d25a22fac6a4e2c3bdfb1e5

Download Submit
memory/2016-49-0x0000000001320000-0x00000000013B9000-memory.dmp

Filesize
612KB

Download
memory/2016-48-0x0000000001320000-0x00000000013B9000-memory.dmp

Filesize
612KB

Download
memory/2016-43-0x0000000001320000-0x00000000013B9000-memory.dmp

Filesize
612KB

Download
memory/2016-46-0x0000000001320000-0x00000000013B9000-memory.dmp

Filesize
612KB

Download
memory/2112-21-0x0000000000380000-0x0000000000401000-memory.dmp

Filesize
516KB

Download
memory/2112-15-0x0000000002860000-0x00000000028E1000-memory.dmp

Filesize
516KB

Download
memory/2112-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2112-0-0x0000000000380000-0x0000000000401000-memory.dmp

Filesize
516KB

Download
memory/2152-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2152-24-0x0000000001260000-0x00000000012E1000-memory.dmp

Filesize
516KB

Download
memory/2152-18-0x0000000001260000-0x00000000012E1000-memory.dmp

Filesize
516KB

Download
memory/2152-39-0x00000000032F0000-0x0000000003389000-memory.dmp

Filesize
612KB

Download
memory/2152-42-0x0000000001260000-0x00000000012E1000-memory.dmp

Filesize
516KB

Download
memory/2152-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads