urelas | b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947

General

Target

b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe
Size

546KB
MD5

b3b4c5ef066d864835569193e4962ae0
SHA1

195006e7f4633c904ae7a39b4ac04416ff20ea34
SHA256

b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947
SHA512

7ebd44fd19ba04d7ff935e2e5a37800cdc3126d87d0e32240ed9e04220ec87f00b7cbb6bfe590d4475f3c5d8b17f9475955362b2aba82b0fcefc529860da6f69
SSDEEP

6144:u2Kw7lwFXUEeJi2xVCVxfwY+0QSyvmZ3INALzT1uj65CT1i6iSyYQM0JiS83G48q:u+GtVfjTQSaoINAHT1VQ1i3SyQEW85gT

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2840	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

lyzus.exeqazix.exe

pid	Process
2848	lyzus.exe
1196	qazix.exe

Loads dropped DLL 2 IoCs

Processes:

b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exelyzus.exe

pid	Process
2824	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe
2848	lyzus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exelyzus.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lyzus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exelyzus.exe

description	pid	Process	procid_target
PID 2824 wrote to memory of 2848	2824	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	30
PID 2824 wrote to memory of 2848	2824	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	30
PID 2824 wrote to memory of 2848	2824	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	30
PID 2824 wrote to memory of 2848	2824	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	30
PID 2824 wrote to memory of 2840	2824	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	31
PID 2824 wrote to memory of 2840	2824	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	31
PID 2824 wrote to memory of 2840	2824	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	31
PID 2824 wrote to memory of 2840	2824	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	31
PID 2848 wrote to memory of 1196	2848	lyzus.exe	34
PID 2848 wrote to memory of 1196	2848	lyzus.exe	34
PID 2848 wrote to memory of 1196	2848	lyzus.exe	34
PID 2848 wrote to memory of 1196	2848	lyzus.exe	34

C:\Users\Admin\AppData\Local\Temp\b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe
"C:\Users\Admin\AppData\Local\Temp\b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\lyzus.exe
  "C:\Users\Admin\AppData\Local\Temp\lyzus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\qazix.exe
    "C:\Users\Admin\AppData\Local\Temp\qazix.exe"
    3⤵
    - Executes dropped EXE
    PID:1196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
dd7c8785f51046f83436243e0a873117

SHA1
c3e08b6fccf9cfec64a010daeb9e96c814dd01e2

SHA256
d9c0d798502cc36ff171743b250f65082e9e23e939b48006c5478e3ff362a5c8

SHA512
f8a80c63ad526eae7f0424db2439a88901f2aa8bfbcdf4a06bff4ff56c6dafcdaaf12a1524dee5d2885fd6b39f0ea2096789c4455cefc9e212e6833eb112dfa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a7194c94607d7efb3524b9219e07b5f3

SHA1
5efe01e16c4a529f9d7f58b1eef89061d4d07902

SHA256
a99715053975a3eef49b9f26efd80a1277a41fa00cb8a008074a98af06b55622

SHA512
51ff7701d35a9354fefd7cc8c17385be80187e9f363101d0b7383549c57ec69fe50bdd30b4b2c432fb0224208a208e3560e90fa4e0218da06dea82d0c3b27a13

Download Submit
\Users\Admin\AppData\Local\Temp\lyzus.exe

Filesize
546KB

MD5
8f7409b42a82fabaa2c2c29ba175d298

SHA1
d1f3130f42fba5cba259fc855a8a856f7c587281

SHA256
a679f5e9a60ec23df75189d8a607f9be4e17f46835b34a06ac9a925fab232099

SHA512
dbb2b56c99fd617b94ec525087458ffe72e0e11ea4c6c2c6e82da948c58cbc1e1ae9ac74ca196532ae47d79a87460edeb3c77e2d2b5c4bd2fedd9fcd282c8897

Download Submit
\Users\Admin\AppData\Local\Temp\qazix.exe

Filesize
231KB

MD5
9b2947cc6e72131895cd89009ff051d0

SHA1
dcc4a9cdd3c1535ef2527d9582c23de8a1626fa0

SHA256
69ead9f2fc4cd023c710c79b96835ebdfc1d887cf2fcbd31a43691cbb0d3c7ce

SHA512
68ec6750a32969f19c3c5d88e30ce61aa644c70fb297eb8001230679e1f001a937642f94ef1308fdc4d7fb3c93c156941ec6613ee333b0537a98de038caab0bd

Download Submit
memory/1196-30-0x00000000012F0000-0x00000000013A3000-memory.dmp

Filesize
716KB

Download
memory/2824-0-0x0000000000940000-0x00000000009CF000-memory.dmp

Filesize
572KB

Download
memory/2824-8-0x0000000002580000-0x000000000260F000-memory.dmp

Filesize
572KB

Download
memory/2824-18-0x0000000000940000-0x00000000009CF000-memory.dmp

Filesize
572KB

Download
memory/2848-10-0x0000000000340000-0x00000000003CF000-memory.dmp

Filesize
572KB

Download
memory/2848-21-0x0000000000340000-0x00000000003CF000-memory.dmp

Filesize
572KB

Download
memory/2848-29-0x0000000000340000-0x00000000003CF000-memory.dmp

Filesize
572KB

Download
memory/2848-27-0x0000000003F40000-0x0000000003FF3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads