urelas | 0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3

General

Target

0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe
Size

403KB
MD5

d1c773e84eeb50f6b2964cc7d94b6fdf
SHA1

e78828b1a72b9025538dd7ee15efdff12939576e
SHA256

0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3
SHA512

c3c9c4aa3a7a3bb896f4939531a9f810fea888db2534ec8fb99ba4522ac283806494f92c2b2feacaa711b8e1dd1b0c5e8da2f59dfdd4d7e6cc92cbf38712e4a4
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohq:8IfBoDWoyFblU6hAJQnOA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1856	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2356	devoz.exe
2720	tituas.exe
2680	curov.exe

Loads dropped DLL 5 IoCs

pid	Process
2184	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe
2184	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe
2356	devoz.exe
2356	devoz.exe
2720	tituas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tituas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe
2680	curov.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2356	2184	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	30
PID 2184 wrote to memory of 2356	2184	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	30
PID 2184 wrote to memory of 2356	2184	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	30
PID 2184 wrote to memory of 2356	2184	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	30
PID 2184 wrote to memory of 1856	2184	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	31
PID 2184 wrote to memory of 1856	2184	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	31
PID 2184 wrote to memory of 1856	2184	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	31
PID 2184 wrote to memory of 1856	2184	0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe	31
PID 2356 wrote to memory of 2720	2356	devoz.exe	33
PID 2356 wrote to memory of 2720	2356	devoz.exe	33
PID 2356 wrote to memory of 2720	2356	devoz.exe	33
PID 2356 wrote to memory of 2720	2356	devoz.exe	33
PID 2720 wrote to memory of 2680	2720	tituas.exe	35
PID 2720 wrote to memory of 2680	2720	tituas.exe	35
PID 2720 wrote to memory of 2680	2720	tituas.exe	35
PID 2720 wrote to memory of 2680	2720	tituas.exe	35
PID 2720 wrote to memory of 2672	2720	tituas.exe	36
PID 2720 wrote to memory of 2672	2720	tituas.exe	36
PID 2720 wrote to memory of 2672	2720	tituas.exe	36
PID 2720 wrote to memory of 2672	2720	tituas.exe	36

C:\Users\Admin\AppData\Local\Temp\0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe
"C:\Users\Admin\AppData\Local\Temp\0d01d9e0a15de1f5997f36af6ac862b6405a572c15a42bb3b918345b881687a3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\devoz.exe
  "C:\Users\Admin\AppData\Local\Temp\devoz.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\tituas.exe
    "C:\Users\Admin\AppData\Local\Temp\tituas.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\curov.exe
      "C:\Users\Admin\AppData\Local\Temp\curov.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
5e07627bd48d6e730d4dbda681df74bb

SHA1
4d1a4b684280a71623adc893bd02ed41e9f9d445

SHA256
f0e523e29b75bc91b757caefbb3d38deea6856e9f6633d43d8bd98ade1ac2607

SHA512
9fe75795bd34d09828d5c7ba54c980a7d21b815c4a286aff2979726ff4c46c5a5edde24d305a2876cab833c4b20e1a6d23ceaa9544473395f50e86e463684e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
f872bbd109c3e2870b1aed20a56206a0

SHA1
cd1334140a8ee8310a29dc89f0de8d6a4b5ee693

SHA256
dd2344ea29304dd2cad788455fa6b940961f99b3e445ae2a2725606a471f866c

SHA512
35b316fae49281fb9a01d54439a237bdd7cfa1ed252ea61963574f64b8fa3358a780cd6c4e14b1d98a82c0012bc566a46f28ad9fa3e8592d1e68fd7b23712b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\devoz.exe

Filesize
403KB

MD5
a40087ff8c2ed3b6248486b916c6b17f

SHA1
1f59d735c75ebf065363c5f331dc45c939a4e331

SHA256
cf726241e73ee7a54873eb930929db1d6c0342c763762ca379e0106b97671ec6

SHA512
971695f12bb6e58530e31b7a93f302fa619fcba86b12bae470f1067d858991149c03a07dfb1efb539eca2d274447d2df49327d4dea75b3ebcb22d493b170f9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
729871eef48ea9d7dfecd781959b8846

SHA1
5319cd2624884ad44ba112b5d6cc2efd383961e3

SHA256
e6004ba7877f7be6d8e87192a58844b9a25709ebfa0bb24d6292764241b43875

SHA512
651d1182be8c1e758adfb4c4e281e4e79dc2080272dfc58748ecb4f3ca5932f4780fdc57618d10b69a96b3067afcb6db74a6f126dd6e75fa1d6f6d8ba605fdf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tituas.exe

Filesize
403KB

MD5
33c752559520dee5ec4b8e06d90f08a8

SHA1
13cb743dccd54fc2244d924a3c3ee9594bde9d9f

SHA256
4858eda876303f1bb07f49b974d45b8f840c8e908b21e0b9adc933916d0db942

SHA512
0681998a421716c33556f23765a6c5f0b96516ac07b453f70914fef04ac51d7feaaf372d43ef42b09b6f52e1f1219935922dc2e6cf8718ef2bcc3e5378d1f37b

Download Submit
\Users\Admin\AppData\Local\Temp\curov.exe

Filesize
223KB

MD5
dcafaa918eed6272b6396c5ca482c481

SHA1
a276ae9b1c9b6b577738add28a66c73068291bcd

SHA256
3c6c7c65d8fe56a45a61596ac03561fb3c059dce2ded747feb42842908bf12d4

SHA512
7d500605d3c96539fae1933dffaed29a892eae955cc6a14ed534c100680aa1faebe1d86fcf1e75dacd7713867c8197831c02aa1e7af0abda55671ef988235a6c

Download Submit
memory/2184-2-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2184-20-0x00000000024F0000-0x0000000002558000-memory.dmp

Filesize
416KB

Download
memory/2184-19-0x00000000024F0000-0x0000000002558000-memory.dmp

Filesize
416KB

Download
memory/2184-21-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2356-34-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2356-23-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2680-58-0x00000000013A0000-0x0000000001440000-memory.dmp

Filesize
640KB

Download
memory/2680-59-0x00000000013A0000-0x0000000001440000-memory.dmp

Filesize
640KB

Download
memory/2680-54-0x00000000013A0000-0x0000000001440000-memory.dmp

Filesize
640KB

Download
memory/2720-37-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2720-52-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2720-53-0x00000000032B0000-0x0000000003350000-memory.dmp

Filesize
640KB

Download
memory/2720-35-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download

Analysis

Sharing