urelas | c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46

General

Target

c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe
Size

690KB
MD5

f8781a2b82f220ca4ddbc4aa5c09902a
SHA1

817dc3e1e91c13a244feafbd7cfe97020d170ab6
SHA256

c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46
SHA512

046b33a6024b265eafee8ea1997acf07467904e5f2422e5e662e8def4ea896ba1928b82e96fc391fd2c1ef8eddbff2efa0fb786fc608d2a308959182db59e12a
SSDEEP

12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nA:dVh6gl6Iy8R9+ZdnnP94jpgl9BnA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1776	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

emgen.exexypuem.exepeqos.exe

pid	Process
2956	emgen.exe
2768	xypuem.exe
1660	peqos.exe

Loads dropped DLL 5 IoCs

Processes:

c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exeemgen.exexypuem.exe

pid	Process
1980	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe
1980	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe
2956	emgen.exe
2956	emgen.exe
2768	xypuem.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exeemgen.exexypuem.execmd.exepeqos.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emgen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xypuem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peqos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

peqos.exe

pid	Process
1660	peqos.exe
1660	peqos.exe
1660	peqos.exe
1660	peqos.exe
1660	peqos.exe
1660	peqos.exe
1660	peqos.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exeemgen.exexypuem.exe

description	pid	Process	procid_target
PID 1980 wrote to memory of 2956	1980	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe	31
PID 1980 wrote to memory of 2956	1980	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe	31
PID 1980 wrote to memory of 2956	1980	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe	31
PID 1980 wrote to memory of 2956	1980	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe	31
PID 1980 wrote to memory of 1776	1980	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe	32
PID 1980 wrote to memory of 1776	1980	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe	32
PID 1980 wrote to memory of 1776	1980	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe	32
PID 1980 wrote to memory of 1776	1980	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe	32
PID 2956 wrote to memory of 2768	2956	emgen.exe	34
PID 2956 wrote to memory of 2768	2956	emgen.exe	34
PID 2956 wrote to memory of 2768	2956	emgen.exe	34
PID 2956 wrote to memory of 2768	2956	emgen.exe	34
PID 2768 wrote to memory of 1660	2768	xypuem.exe	35
PID 2768 wrote to memory of 1660	2768	xypuem.exe	35
PID 2768 wrote to memory of 1660	2768	xypuem.exe	35
PID 2768 wrote to memory of 1660	2768	xypuem.exe	35
PID 2768 wrote to memory of 624	2768	xypuem.exe	36
PID 2768 wrote to memory of 624	2768	xypuem.exe	36
PID 2768 wrote to memory of 624	2768	xypuem.exe	36
PID 2768 wrote to memory of 624	2768	xypuem.exe	36

C:\Users\Admin\AppData\Local\Temp\c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe
"C:\Users\Admin\AppData\Local\Temp\c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\emgen.exe
  "C:\Users\Admin\AppData\Local\Temp\emgen.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\xypuem.exe
    "C:\Users\Admin\AppData\Local\Temp\xypuem.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\peqos.exe
      "C:\Users\Admin\AppData\Local\Temp\peqos.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1660
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
8bd75e61ee755abf59bcdaa5fc9fe36a

SHA1
b362569fff24d70418500d360df221690aeeee1a

SHA256
f0d21d371f83cdb0a667db4a30f2da9f48236a6efed5f044dc67ad0b7e3b27f0

SHA512
13c399bdfa8ab7563b00ecc02ab004e25a4818248623f27bd3579aff4476d0c14ed6961778379ba87cf2faaed24dad719f67501ee80e4cbc39286c8e8b86f19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
581c8e3e21579ce5784f9813bcb21ed9

SHA1
44708e0a558dd19fd243eed19a1195926163a0fc

SHA256
3ad4ea92b481f0f8a353c24b94545031aa220eda72748e592810cba704900c97

SHA512
913653fc2fd9fc142797c5427dc18b748073f6772e342d0014665d143839898a599d0267da33b492e2fc7ea98d09aab2143951bdecef8e2a9ae89c790b975850

Download Submit
C:\Users\Admin\AppData\Local\Temp\emgen.exe

Filesize
690KB

MD5
9bedab85e66f98e56b866232a3db2377

SHA1
3bd93360545ba0c76c50090d8d3b71c490a0370b

SHA256
cb5950447c9b2c1f6ee6ba71f2068d5abf2990c6dd11da5340e8028843c5bdd8

SHA512
5574371d10bedcfd6c5f4c28d54dc15efeb183deed99e6012f465c4471fbdf657de1fd413e2febd9db6b48bc1e73ca7833d9b5bb968887da938d0e9200993a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7dc41d33116a7b57633abb54fd560233

SHA1
8a23690e6fb0c268d092f3b8aa581a8427031efd

SHA256
00dd5dfbc1271f19314558690dba31f726b146237b71865407978c175d7c9342

SHA512
a3bdf57a5d61378c618f10ce0f522114b355ec28cce02cef68d91768c982f22202eb97b997cfe2e89de98c80386b88461a4d91761ce310afe3e48f876d66dd33

Download Submit
\Users\Admin\AppData\Local\Temp\peqos.exe

Filesize
469KB

MD5
45c46a708607646c54ca3106e4903adc

SHA1
1ea44180a30527f405188b8dbc8eca2a3cde762d

SHA256
734fea399eb3a3cc4faa860889a0c618f55d12009e31c604b516b5f59d6b93c8

SHA512
94b0443248bb81afd977329f9c88ddc003f420d2305699f6a229d209a458bd10596667c6284f405a79416c3072fb74186cf459a651d4745597debc8d95538d78

Download Submit
memory/1660-54-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/1660-58-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/1980-23-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1980-1-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1980-12-0x00000000024C0000-0x0000000002573000-memory.dmp

Filesize
716KB

Download
memory/1980-11-0x00000000024C0000-0x0000000002573000-memory.dmp

Filesize
716KB

Download
memory/2768-36-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2768-42-0x0000000003CA0000-0x0000000003E36000-memory.dmp

Filesize
1.6MB

Download
memory/2768-53-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2956-22-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2956-33-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads