urelas | 03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865

General

Target

03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe
Size

537KB
MD5

cd8f8d72550c4fc793b2da453251ae5a
SHA1

7856e981408deea7ff865db131f03b7417175c38
SHA256

03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865
SHA512

815d0a545504969a977aea9c6c976532275344a5f556cabe57f4a5f683fd02054f54fe01cd1d77412f25edd254363fdb3f24d47282529a1d80cf7de438e4e8fb
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP3:q0P/k4lb2wKat3

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2996	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

jyhou.exesumoe.exe

pid	Process
2456	jyhou.exe
2120	sumoe.exe

Loads dropped DLL 2 IoCs

Processes:

03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exejyhou.exe

pid	Process
2348	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe
2456	jyhou.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exejyhou.execmd.exesumoe.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jyhou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sumoe.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

sumoe.exe

pid	Process
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe
2120	sumoe.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exejyhou.exe

description	pid	Process	procid_target
PID 2348 wrote to memory of 2456	2348	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	31
PID 2348 wrote to memory of 2456	2348	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	31
PID 2348 wrote to memory of 2456	2348	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	31
PID 2348 wrote to memory of 2456	2348	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	31
PID 2348 wrote to memory of 2996	2348	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	32
PID 2348 wrote to memory of 2996	2348	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	32
PID 2348 wrote to memory of 2996	2348	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	32
PID 2348 wrote to memory of 2996	2348	03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe	32
PID 2456 wrote to memory of 2120	2456	jyhou.exe	34
PID 2456 wrote to memory of 2120	2456	jyhou.exe	34
PID 2456 wrote to memory of 2120	2456	jyhou.exe	34
PID 2456 wrote to memory of 2120	2456	jyhou.exe	34

C:\Users\Admin\AppData\Local\Temp\03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe
"C:\Users\Admin\AppData\Local\Temp\03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\jyhou.exe
  "C:\Users\Admin\AppData\Local\Temp\jyhou.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\sumoe.exe
    "C:\Users\Admin\AppData\Local\Temp\sumoe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
37dac236676a663a57ed8089ca8225f7

SHA1
0a5b5119067a9dcb2a19f3b0a1732527c857e664

SHA256
b9130b9721de831ae89992a64bef70d6d7561403b4f45903c8f534da6cebf059

SHA512
bfbb2da2f9d9929105308462d60c1ba9e3fe1819d89e8f216744a68baf9fcee225eb9bf1efcaad6d46a6dc2bd7ab55649756d48705105efac2fad4942746ec5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2ca3a9e92e713dc3d112b7fcacf89120

SHA1
48d4fd206ef88c8b8d0b9cdbdf94992dd4509cf5

SHA256
ae03efcee604876acb0124ae508e1e4f8634720269ad1cce11d7f6398a5b4862

SHA512
450dda466ba60887b7dbb9a457aa000d42dcf124ad7ba77b07e00629dde774dad6c59584cb82b5fe0063dd7dbf84c2fc21a80e079b2009fd8cf937708ed1817d

Download Submit
\Users\Admin\AppData\Local\Temp\jyhou.exe

Filesize
537KB

MD5
502819aa822425e29edaca4c88e8addf

SHA1
f917ed9db7846298cfb47cbdb7442eefff6ec6ee

SHA256
97755df2291f751bef376d4e2dea738786ec9e352ce385472da544c04a880ae6

SHA512
3ecea3beb16c73c6bd147628b97785203c09b6b7011323c7ba50c06e65e394832346118a457a74a968c22831d6b5d7e1913ee30d53edae5cc9f149462463ca29

Download Submit
\Users\Admin\AppData\Local\Temp\sumoe.exe

Filesize
236KB

MD5
52aafe5c592727617ba4b7f3bea4b3f5

SHA1
1f4cf42b14b945dae9b7868dab16885375085ad1

SHA256
5e508070ba4477f1e33cbba02447cac11aee8eb868a2ba357d46e418db1bc2a1

SHA512
8640933be9ee9913cc311d901a67b5eaaef1042713354b473e25024af263e6abe82dff6f252ab6dbe169a7913fce1ed1e5b85c1cf3827dd7c58e18707106cd2a

Download Submit
memory/2120-28-0x0000000001160000-0x0000000001203000-memory.dmp

Filesize
652KB

Download
memory/2120-30-0x0000000001160000-0x0000000001203000-memory.dmp

Filesize
652KB

Download
memory/2120-31-0x0000000001160000-0x0000000001203000-memory.dmp

Filesize
652KB

Download
memory/2348-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2348-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2456-19-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2456-24-0x0000000003AA0000-0x0000000003B43000-memory.dmp

Filesize
652KB

Download
memory/2456-27-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads