urelas | 1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3

General

Target

1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe
Size

450KB
MD5

536da247a62bf70f370825f5cdf58b99
SHA1

a5a3655d28c08d38c72b8ad71859b14f1661ffc9
SHA256

1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3
SHA512

0d675bde335e7ea5765ef011ed5c428424a7b0720a3a71c403305cd0aada8a8f58bdaf277a976d9eeecd86f2e773aec81b6802e2eeaefbc4052722540187374a
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFTA:CMpASIcWYx2U6hAJQnx

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2304	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

hukyi.exewuzute.exewuhil.exe

pid	Process
2208	hukyi.exe
2312	wuzute.exe
1644	wuhil.exe

Loads dropped DLL 3 IoCs

Processes:

1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exehukyi.exewuzute.exe

pid	Process
2384	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe
2208	hukyi.exe
2312	wuzute.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

wuzute.execmd.exewuhil.execmd.exe1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exehukyi.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuzute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuhil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hukyi.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

wuhil.exe

pid	Process
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe
1644	wuhil.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exehukyi.exewuzute.exe

description	pid	Process	procid_target
PID 2384 wrote to memory of 2208	2384	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe	30
PID 2384 wrote to memory of 2208	2384	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe	30
PID 2384 wrote to memory of 2208	2384	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe	30
PID 2384 wrote to memory of 2208	2384	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe	30
PID 2384 wrote to memory of 2304	2384	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe	31
PID 2384 wrote to memory of 2304	2384	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe	31
PID 2384 wrote to memory of 2304	2384	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe	31
PID 2384 wrote to memory of 2304	2384	1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe	31
PID 2208 wrote to memory of 2312	2208	hukyi.exe	33
PID 2208 wrote to memory of 2312	2208	hukyi.exe	33
PID 2208 wrote to memory of 2312	2208	hukyi.exe	33
PID 2208 wrote to memory of 2312	2208	hukyi.exe	33
PID 2312 wrote to memory of 1644	2312	wuzute.exe	35
PID 2312 wrote to memory of 1644	2312	wuzute.exe	35
PID 2312 wrote to memory of 1644	2312	wuzute.exe	35
PID 2312 wrote to memory of 1644	2312	wuzute.exe	35
PID 2312 wrote to memory of 1160	2312	wuzute.exe	36
PID 2312 wrote to memory of 1160	2312	wuzute.exe	36
PID 2312 wrote to memory of 1160	2312	wuzute.exe	36
PID 2312 wrote to memory of 1160	2312	wuzute.exe	36

C:\Users\Admin\AppData\Local\Temp\1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe
"C:\Users\Admin\AppData\Local\Temp\1c090372856b7b3074df1c2259707d1d3a23a08f02c1ce30ed79ccbb1975d7e3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\hukyi.exe
  "C:\Users\Admin\AppData\Local\Temp\hukyi.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\wuzute.exe
    "C:\Users\Admin\AppData\Local\Temp\wuzute.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\wuhil.exe
      "C:\Users\Admin\AppData\Local\Temp\wuhil.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
80c5edf3402cf1d19d0135465a29d096

SHA1
74100d6e70e39e5341f881b4158312115a43f782

SHA256
be89dc01e22ad6678bc067dd145a7e1e1155f9764ad3b1a30175ff207c0ac9fa

SHA512
e5205133f2b77585a6cdde93fb083aa5ffa4758ca82ed9fb8ce86ffe9d3cf56b2cace8909ad889b4be35e46a4baa4e6118d5a0db0a909246c7e62f412497836b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
a4170b7bba2c039c4c61ff1a139acb24

SHA1
37f5c63644e770d7efc26082c57644c71b1ceda1

SHA256
9b629bd24b0b9de40ca4fb48e78ae2dd42dafe0fa8c5145b98b9a67b85d0f133

SHA512
e853f281eb1aa98dc2a1ec485a463e2eca3c266c7f9d9cb2c9511723c735abee428b1edf0775999cd41168d26ea42345ad4162f6d34af5cfdc1607c0024a3db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7502022d1727b2fd9505fa5c3425c65f

SHA1
0afb43a6662f5a7515c8bc95e64d271bc3db54b1

SHA256
e3dad81858a1798a8285aaaf0e90806c6eaf219f7e2f19bd0a037812c1aed034

SHA512
d903a1ff7faf8185680596257247d564093fb13ce22c727265e4c17f5ee83595de04744e641a2c0a8e728ea346f9e4c9e286a08ca9651b798978cd3e19f9e2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuhil.exe

Filesize
223KB

MD5
17c34ba2c7a575a423a2c4b0bab881ef

SHA1
74cf910140cec2c8b9df80dbe7f6d313bff88d7e

SHA256
8db1ed1f4ce13aa0c7c91deeeb45905701c21d1af91ee4073e6b530250b093bd

SHA512
0ee2766276b656c2b6c4b3ce6f41aa9496855c25700a602fb1f529ccd3b4c2e6f8be7189f3acf90ce06e213cc274d9b781de50e08bfb2e6b7d1161257f4d7ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuzute.exe

Filesize
450KB

MD5
547f2791af9655a9092236423896ca19

SHA1
85714c92c9a0a6c2d4df5303c5d00f71373ce2ee

SHA256
363f82f04155c565a64b79c872920423022384618a465a79cf5ee51ad8f8cab5

SHA512
9d59e964497aacd0e67e79c5c7a418ac87c7aefd6816ab6c9d3768d0410ff8fbe8479435109d93c7875fdaa27d5c45464c1bfc44f83e7d26d1a7e1dbdc84d251

Download Submit
\Users\Admin\AppData\Local\Temp\hukyi.exe

Filesize
450KB

MD5
b2e4c7394fdc83ab8d0cd7c2eeaf0e7d

SHA1
372f155539a88c1bf7d1c583e300047979aed4da

SHA256
24493b93832ec0af0dc03da3b5b25957e98bab967a10c41248af15f9dad80217

SHA512
101b283d179bfd7e628216be1dc60a89fbf601b6c55d14f9bd6c6409733af22d4c71d330bdbe4dd5e7ec137a749a5293e26b70a98693e4bb7fa1e83c96f509e4

Download Submit
memory/1644-50-0x0000000001330000-0x00000000013D0000-memory.dmp

Filesize
640KB

Download
memory/1644-49-0x0000000001330000-0x00000000013D0000-memory.dmp

Filesize
640KB

Download
memory/1644-45-0x0000000001330000-0x00000000013D0000-memory.dmp

Filesize
640KB

Download
memory/2208-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2208-25-0x0000000003650000-0x00000000036BE000-memory.dmp

Filesize
440KB

Download
memory/2208-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2312-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2312-44-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2384-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2384-17-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads