urelas | e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113

General

Target

e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe
Size

533KB
MD5

d0b820b8854a6713fa4ca98a72441157
SHA1

afd9ecb1355f66c507294bc3f7667e61dc902f69
SHA256

e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113
SHA512

6712db2173af63d253b06af6ab58c193683ed970eb4c4ecb3cad4c9d8d69eb6591bc6c77ed8295957e5a7e15d4fa8f6a5e49c4779eb52b50038142be5e1f2d26
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP8:q0P/k4lb2wKat8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
3016	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

foobv.exenekiq.exe

pid	Process
2740	foobv.exe
2500	nekiq.exe

Loads dropped DLL 2 IoCs

Processes:

e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exefoobv.exe

pid	Process
2880	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe
2740	foobv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exefoobv.execmd.exenekiq.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	foobv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nekiq.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

nekiq.exe

pid	Process
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe
2500	nekiq.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exefoobv.exe

description	pid	Process	procid_target
PID 2880 wrote to memory of 2740	2880	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	30
PID 2880 wrote to memory of 2740	2880	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	30
PID 2880 wrote to memory of 2740	2880	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	30
PID 2880 wrote to memory of 2740	2880	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	30
PID 2880 wrote to memory of 3016	2880	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	31
PID 2880 wrote to memory of 3016	2880	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	31
PID 2880 wrote to memory of 3016	2880	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	31
PID 2880 wrote to memory of 3016	2880	e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe	31
PID 2740 wrote to memory of 2500	2740	foobv.exe	34
PID 2740 wrote to memory of 2500	2740	foobv.exe	34
PID 2740 wrote to memory of 2500	2740	foobv.exe	34
PID 2740 wrote to memory of 2500	2740	foobv.exe	34

C:\Users\Admin\AppData\Local\Temp\e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe
"C:\Users\Admin\AppData\Local\Temp\e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\foobv.exe
  "C:\Users\Admin\AppData\Local\Temp\foobv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\nekiq.exe
    "C:\Users\Admin\AppData\Local\Temp\nekiq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
7b52d06d75d584f893caa0360974f8bf

SHA1
d5a239225dfd50d20337283adcd31ae8ccf860c8

SHA256
43b69aee365c7c59018d2457e278dddaa48cabd8a32bb4f87ef707fa5addc371

SHA512
be019af072302252e89f38cc9457e7b36f792297b834d375be0ca595ae3a715fe2fa1f68fe0654c23e1288eb1c483b74defa680ab69c0e360083ae4b54429e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\foobv.exe

Filesize
533KB

MD5
298b33e9fbfdd05ced5755872ad414e2

SHA1
f113e6ce318e311392e0a23526613b90883aef43

SHA256
268906f5a2148e2703fa7121bc627ab1c7b0127978ece0400c515b999de6d39d

SHA512
a19fc141b7da774cfc5b16c9a804f3e4c720aff12ece0d81956c49af4c5fdaeae140b55ba8421f24dec3e871eb651f07adaa8e94c10a900960db34aca9c494ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
31d3915f2e4d771a1dab96b47e6edb36

SHA1
f1ab284807b2f99850231f60d689f5f9b79af3a0

SHA256
b840067886d2c992385bc591aa8a88746d762041ddcb7ca8d7e1b0282463f094

SHA512
3f9d905fef4b8b729ac2ff317e7d118b5f03b2e2e6926f9b36fd1e99de93913d492c2d11feba829601fd97904121b70bebb8bd45aaa5c5a05fed84e92fec2293

Download Submit
\Users\Admin\AppData\Local\Temp\nekiq.exe

Filesize
236KB

MD5
0ee71cf622647a69db8e6a9b9282204f

SHA1
e55110c6dca34fdd9d47e322535fa50d37609d9b

SHA256
a0c9767b798adf0b61917fac99b8a85dfc7ed07fc53a8bf332e0b1feb3d8cbae

SHA512
aad469b2559f213f09148b28200f27173eb0bdba6c3d5aff0bf43c3e0f41c8f8f99209cc32cdfe919ab9c4d8a36ed9f41fdc0d7d5f3863f5deb820f8a9dc4830

Download Submit
memory/2500-30-0x0000000000E60000-0x0000000000F03000-memory.dmp

Filesize
652KB

Download
memory/2500-32-0x0000000000E60000-0x0000000000F03000-memory.dmp

Filesize
652KB

Download
memory/2500-33-0x0000000000E60000-0x0000000000F03000-memory.dmp

Filesize
652KB

Download
memory/2740-18-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2740-21-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2740-27-0x0000000003670000-0x0000000003713000-memory.dmp

Filesize
652KB

Download
memory/2740-29-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2880-16-0x0000000002630000-0x00000000026BC000-memory.dmp

Filesize
560KB

Download
memory/2880-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2880-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads