urelas | b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947

General

Target

b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe
Size

546KB
MD5

b3b4c5ef066d864835569193e4962ae0
SHA1

195006e7f4633c904ae7a39b4ac04416ff20ea34
SHA256

b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947
SHA512

7ebd44fd19ba04d7ff935e2e5a37800cdc3126d87d0e32240ed9e04220ec87f00b7cbb6bfe590d4475f3c5d8b17f9475955362b2aba82b0fcefc529860da6f69
SSDEEP

6144:u2Kw7lwFXUEeJi2xVCVxfwY+0QSyvmZ3INALzT1uj65CT1i6iSyYQM0JiS83G48q:u+GtVfjTQSaoINAHT1VQ1i3SyQEW85gT

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2148	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

xokaw.exeefevc.exe

pid	Process
2320	xokaw.exe
1000	efevc.exe

Loads dropped DLL 2 IoCs

Processes:

b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exexokaw.exe

pid	Process
1888	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe
2320	xokaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exexokaw.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xokaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exexokaw.exe

description	pid	Process	procid_target
PID 1888 wrote to memory of 2320	1888	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	30
PID 1888 wrote to memory of 2320	1888	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	30
PID 1888 wrote to memory of 2320	1888	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	30
PID 1888 wrote to memory of 2320	1888	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	30
PID 1888 wrote to memory of 2148	1888	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	31
PID 1888 wrote to memory of 2148	1888	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	31
PID 1888 wrote to memory of 2148	1888	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	31
PID 1888 wrote to memory of 2148	1888	b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe	31
PID 2320 wrote to memory of 1000	2320	xokaw.exe	34
PID 2320 wrote to memory of 1000	2320	xokaw.exe	34
PID 2320 wrote to memory of 1000	2320	xokaw.exe	34
PID 2320 wrote to memory of 1000	2320	xokaw.exe	34

C:\Users\Admin\AppData\Local\Temp\b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe
"C:\Users\Admin\AppData\Local\Temp\b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\xokaw.exe
  "C:\Users\Admin\AppData\Local\Temp\xokaw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\efevc.exe
    "C:\Users\Admin\AppData\Local\Temp\efevc.exe"
    3⤵
    - Executes dropped EXE
    PID:1000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
dd7c8785f51046f83436243e0a873117

SHA1
c3e08b6fccf9cfec64a010daeb9e96c814dd01e2

SHA256
d9c0d798502cc36ff171743b250f65082e9e23e939b48006c5478e3ff362a5c8

SHA512
f8a80c63ad526eae7f0424db2439a88901f2aa8bfbcdf4a06bff4ff56c6dafcdaaf12a1524dee5d2885fd6b39f0ea2096789c4455cefc9e212e6833eb112dfa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
566e4dac9cf0f1ca3375f734a5c900f2

SHA1
cc3aa39a857f13e641a8b407787b60389c92fac0

SHA256
0d57bee593f73524ac24a135c14be0a0d75be03c4c1f700b619ad0003b4d3521

SHA512
5af85b0eef0e6950d742595945ce27ea647b496f19e03fb87e09a65a40e23c9b2c6c3acae0c52b95b5822029426e2d916a84efb395ea161984145f6fe21ee5fd

Download Submit
\Users\Admin\AppData\Local\Temp\efevc.exe

Filesize
231KB

MD5
b195c581d0858fd6f018034d3186077c

SHA1
485d4b351c646297069d93842e26d47f4e73245c

SHA256
e5c74b4a866e98da4a8265594c25b0eae272197440457d8012e96f63a4de2d8f

SHA512
bb324044d412bbc2f7022ae52e0e3dbe9b9b9eedd6393ae5f6ce8f3f8247aec012a6b20a1d6fedb3771eeca61e38c26d2156bc7c4e7e8d0bfc4e960f3c5f166c

Download Submit
\Users\Admin\AppData\Local\Temp\xokaw.exe

Filesize
546KB

MD5
10f64594844456bdf1ca44fe754e75b3

SHA1
0781860938a438934ca5f9b65edd33c339038572

SHA256
7f7dc3f18dac4de6623cd1d1aedce4ab52d5a444b96d460d41684af9c33ae7b9

SHA512
d8b46bddef73396c49fd15e7791cc72beaa29c272d7bd0ca283850c27b936c42e10459691b0ccf6dc440cc2952812b04cfc45405f3b3cc8716afa71cde05d85d

Download Submit
memory/1000-30-0x0000000000030000-0x00000000000E3000-memory.dmp

Filesize
716KB

Download
memory/1888-0-0x0000000000970000-0x00000000009FF000-memory.dmp

Filesize
572KB

Download
memory/1888-14-0x00000000026D0000-0x000000000275F000-memory.dmp

Filesize
572KB

Download
memory/1888-18-0x0000000000970000-0x00000000009FF000-memory.dmp

Filesize
572KB

Download
memory/2320-17-0x00000000012A0000-0x000000000132F000-memory.dmp

Filesize
572KB

Download
memory/2320-21-0x00000000012A0000-0x000000000132F000-memory.dmp

Filesize
572KB

Download
memory/2320-28-0x00000000012A0000-0x000000000132F000-memory.dmp

Filesize
572KB

Download
memory/2320-27-0x0000000000EB0000-0x0000000000F63000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads