urelas | 76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bc

General

Target

76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exe
Size

335KB
MD5

1994411db2a21790dc2895b8ad664790
SHA1

2c43b49f603134d83d3a2214bc8b4e2246903606
SHA256

76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bc
SHA512

f4e000122fc2be4e5a2701fde16a0ce3b3f722a26d9bbf8a70b19be81dd6f85f4c5733c6ca7ddc719c2e34c33899e5440149d36e48aff63f86ddddac78b7187f
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYwL:vHW138/iXWlK885rKlGSekcj66ciVL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2316	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

jaati.exeuqdew.exe

pid	Process
2996	jaati.exe
1740	uqdew.exe

Loads dropped DLL 2 IoCs

Processes:

76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exejaati.exe

pid	Process
2400	76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exe
2996	jaati.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeuqdew.exe76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exejaati.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uqdew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaati.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

uqdew.exe

pid	Process
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe
1740	uqdew.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exejaati.exe

description	pid	Process	procid_target
PID 2400 wrote to memory of 2996	2400	76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exe	30
PID 2400 wrote to memory of 2996	2400	76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exe	30
PID 2400 wrote to memory of 2996	2400	76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exe	30
PID 2400 wrote to memory of 2996	2400	76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exe	30
PID 2400 wrote to memory of 2316	2400	76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exe	31
PID 2400 wrote to memory of 2316	2400	76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exe	31
PID 2400 wrote to memory of 2316	2400	76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exe	31
PID 2400 wrote to memory of 2316	2400	76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exe	31
PID 2996 wrote to memory of 1740	2996	jaati.exe	34
PID 2996 wrote to memory of 1740	2996	jaati.exe	34
PID 2996 wrote to memory of 1740	2996	jaati.exe	34
PID 2996 wrote to memory of 1740	2996	jaati.exe	34

C:\Users\Admin\AppData\Local\Temp\76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exe
"C:\Users\Admin\AppData\Local\Temp\76cb6893f5462623a527d0aa8e71f2eb1f68623ae9c5ce7b28b091043e8dc3bcN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\jaati.exe
  "C:\Users\Admin\AppData\Local\Temp\jaati.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\uqdew.exe
    "C:\Users\Admin\AppData\Local\Temp\uqdew.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f4841529eb3c6784bba677dc9e2f2f81

SHA1
cddb0f10e10355192e1c5cd04c5a5502cbecea9e

SHA256
8c88be8f914f78e8b1da1fc305af56a359eb0f212062f55659a00dc96f650da1

SHA512
cdb66869560b0115ad341e5aab15b3b48c004fadab54bbc39daa0395caf7deae599cc681aaee6bd39157c92bdcea2068dd918e4cc3a07f83d4bef37ac160982b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2465d148a8676ea3b57cc7029b45413e

SHA1
8ac06e4d6e7b8cdf15fbaf6925a6c7473fa63e41

SHA256
9aa0e0d362ff38a767da3f0e2b71d98fce0925aab92f268e2f3259ff851506ff

SHA512
d9857292f2ac6ed5f96837ff44625ae54aaa1cd372b6dce9938e666a0a949c33bb8c9c4f92c492d95793e224941a8ed0567915b150f018c8074401bdcc4377b7

Download Submit
\Users\Admin\AppData\Local\Temp\jaati.exe

Filesize
335KB

MD5
9620fe6555e7bc4636925900659ab76d

SHA1
0ebde76e90fc57bab9721c41db43004125a07b5f

SHA256
07163689b4527832f1205bb9712b0af65ee6c5f716bac8386636f7df8907efdf

SHA512
1763be9c1c797562b66da1a831c4494df542cd09fe4b193ee1d9dee1b015ef2e40bbe0179ef1fdb54326c23594a8bfe4772b5eb29d3de38768e8137d887f1397

Download Submit
\Users\Admin\AppData\Local\Temp\uqdew.exe

Filesize
172KB

MD5
b6f75386374e0c08e21ff47289b60242

SHA1
c6a815d4650fc5bd001cf153c6658a3cc4505a11

SHA256
13317ec1e6892364c8f3cbd106a8476ef05085afb468a740d317352082bab9a8

SHA512
07e4f785ff667234e33378f4cc9c02be6c1ea8e3797974e938f56842b691c3ea26d3c23c96abf49afa2356c2256c4bb4f9b1eb0dfc82bd1a186960df86507e7e

Download Submit
memory/1740-42-0x0000000000FC0000-0x0000000001059000-memory.dmp

Filesize
612KB

Download
memory/1740-48-0x0000000000FC0000-0x0000000001059000-memory.dmp

Filesize
612KB

Download
memory/1740-47-0x0000000000FC0000-0x0000000001059000-memory.dmp

Filesize
612KB

Download
memory/1740-45-0x0000000000FC0000-0x0000000001059000-memory.dmp

Filesize
612KB

Download
memory/2400-0-0x00000000009F0000-0x0000000000A71000-memory.dmp

Filesize
516KB

Download
memory/2400-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2400-19-0x00000000009F0000-0x0000000000A71000-memory.dmp

Filesize
516KB

Download
memory/2400-17-0x00000000024D0000-0x0000000002551000-memory.dmp

Filesize
516KB

Download
memory/2996-24-0x0000000000B80000-0x0000000000C01000-memory.dmp

Filesize
516KB

Download
memory/2996-41-0x0000000000B80000-0x0000000000C01000-memory.dmp

Filesize
516KB

Download
memory/2996-37-0x00000000031C0000-0x0000000003259000-memory.dmp

Filesize
612KB

Download
memory/2996-20-0x0000000000B80000-0x0000000000C01000-memory.dmp

Filesize
516KB

Download
memory/2996-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads