urelas | 8775518a90249fde425d9410e82d73fe76c2a9dbab4d7578f03af9d98f2d59b6

General

Target

8775518a90249fde425d9410e82d73fe76c2a9dbab4d7578f03af9d98f2d59b6.exe
Size

453KB
MD5

7947f03b46684201c10f7db305d25e95
SHA1

5583dc3ca88e971ac3f063256198199b573e3a56
SHA256

8775518a90249fde425d9410e82d73fe76c2a9dbab4d7578f03af9d98f2d59b6
SHA512

2451b3ef6677ae4f46d14c509cf39d030d5997f9f80cfa2eed9f2e08bb5208d01b2ff4364530686c192682622aa90826b3a7d46d8783f70fdbade284b1f75c02
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFD:CMpASIcWYx2U6hAJQn+

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
3060	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1988	lyvij.exe
2352	erdopi.exe
1856	osfoi.exe

Loads dropped DLL 3 IoCs

pid	Process
2496	8775518a90249fde425d9410e82d73fe76c2a9dbab4d7578f03af9d98f2d59b6.exe
1988	lyvij.exe
2352	erdopi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8775518a90249fde425d9410e82d73fe76c2a9dbab4d7578f03af9d98f2d59b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lyvij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erdopi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osfoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe
1856	osfoi.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 1988	2496	8775518a90249fde425d9410e82d73fe76c2a9dbab4d7578f03af9d98f2d59b6.exe	30
PID 2496 wrote to memory of 1988	2496	8775518a90249fde425d9410e82d73fe76c2a9dbab4d7578f03af9d98f2d59b6.exe	30
PID 2496 wrote to memory of 1988	2496	8775518a90249fde425d9410e82d73fe76c2a9dbab4d7578f03af9d98f2d59b6.exe	30
PID 2496 wrote to memory of 1988	2496	8775518a90249fde425d9410e82d73fe76c2a9dbab4d7578f03af9d98f2d59b6.exe	30
PID 1988 wrote to memory of 2352	1988	lyvij.exe	31
PID 1988 wrote to memory of 2352	1988	lyvij.exe	31
PID 1988 wrote to memory of 2352	1988	lyvij.exe	31
PID 1988 wrote to memory of 2352	1988	lyvij.exe	31
PID 2496 wrote to memory of 3060	2496	8775518a90249fde425d9410e82d73fe76c2a9dbab4d7578f03af9d98f2d59b6.exe	32
PID 2496 wrote to memory of 3060	2496	8775518a90249fde425d9410e82d73fe76c2a9dbab4d7578f03af9d98f2d59b6.exe	32
PID 2496 wrote to memory of 3060	2496	8775518a90249fde425d9410e82d73fe76c2a9dbab4d7578f03af9d98f2d59b6.exe	32
PID 2496 wrote to memory of 3060	2496	8775518a90249fde425d9410e82d73fe76c2a9dbab4d7578f03af9d98f2d59b6.exe	32
PID 2352 wrote to memory of 1856	2352	erdopi.exe	35
PID 2352 wrote to memory of 1856	2352	erdopi.exe	35
PID 2352 wrote to memory of 1856	2352	erdopi.exe	35
PID 2352 wrote to memory of 1856	2352	erdopi.exe	35
PID 2352 wrote to memory of 1844	2352	erdopi.exe	36
PID 2352 wrote to memory of 1844	2352	erdopi.exe	36
PID 2352 wrote to memory of 1844	2352	erdopi.exe	36
PID 2352 wrote to memory of 1844	2352	erdopi.exe	36

C:\Users\Admin\AppData\Local\Temp\8775518a90249fde425d9410e82d73fe76c2a9dbab4d7578f03af9d98f2d59b6.exe
"C:\Users\Admin\AppData\Local\Temp\8775518a90249fde425d9410e82d73fe76c2a9dbab4d7578f03af9d98f2d59b6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\lyvij.exe
  "C:\Users\Admin\AppData\Local\Temp\lyvij.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\erdopi.exe
    "C:\Users\Admin\AppData\Local\Temp\erdopi.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\osfoi.exe
      "C:\Users\Admin\AppData\Local\Temp\osfoi.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1856
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
b9d9f14de3bc0177dbf35ff7437932d6

SHA1
95a8ff9f7ebc0ffede1e3f75e721567f13868010

SHA256
6410e47788731e84156baff5758f0cf9a261f60a6db2b35978930eda33c6277b

SHA512
6cb8ad58d0c1667934e9273fd11f6a556e6e1314d39e2eb9edb36764230771ea6c566c44c11d34148c3d607b6a8c17336ddf9849e6ade4846d4e6320fc1db17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
2eecce35d996a6942b34e3fa0558429f

SHA1
37640a910e501a15d30731fbc8884ba3fd535cb7

SHA256
68c3176faf89dab26de21147df1855efbb0c8156e1beb19a33defdfd432b3f80

SHA512
c914dec9406fbf7437737cd3a31480c276bc97b22f9e9c9bc71faf69a50f85a3fd2d57a4f8738f4f8148a2be85c126652ef9b0ff826b326053e3063d09443a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\erdopi.exe

Filesize
454KB

MD5
6c82fa9badbe864233f6a34069844341

SHA1
7d4828ec05d31457f218d18452492070898f08ce

SHA256
72a88ddb13c70df7a316d0a674b8e83dfc27cb4f4b5793ee90c92a196be6f98a

SHA512
b4a2a98a081c9e465543c8867aef248be0f7fb0444a592a991af1bb1307a60966afa85e006a0e6c3b5ba1fde8f2f50c236da3d032302eca2e65878a4f4316ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
56395fdade1e272d778e3cc1265bb8ec

SHA1
3048e25d012c1000acf32fa775879ff0089e73dd

SHA256
5a991e1d3fee56afa05f74018564d32bca762f3ce050d91a8fac611037243e30

SHA512
ce03fb471705b3ad9678645a2be931c14e4937c0f4cea8dba777588d51ab590bc3f79b29bb92b3ec3622815b3ae642d6f8e8c2a61eaaaa8bca1135b1d9d67030

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyvij.exe

Filesize
453KB

MD5
307187bca90e054a7dd706f7475aa76a

SHA1
8cfbfa799f1a4bb8f4cce907cfdacaf402da2942

SHA256
da79c59e99cdee43577b5a53a1d62137609fe0052945263bd7b600788ccacbe5

SHA512
ae265b6f175addef9ad04f3879cd9899730c2d0d5c1170376879b27ce8d6586b2d22e30833d8f028d779f0dfda83cb6e275425d29ac1e2ddd4a22501567d7ba3

Download Submit
\Users\Admin\AppData\Local\Temp\osfoi.exe

Filesize
223KB

MD5
00d0775079782a589c99550daadb1b9a

SHA1
f3971f5d04fdf240cca5b3a614bf04405a4c2792

SHA256
9a1be75c90a7852b05fb780962966192da841ad18969ef118c9fa9e34ed85575

SHA512
f4e94fcfd44f0dffba06f993c7b253dc5aff266a3fd8ac04ffc364951fb05682b6a0295d090f9956234db1b5bee6aaacfceac019f46f28754a0f9231f207a21f

Download Submit
memory/1856-51-0x00000000012F0000-0x0000000001390000-memory.dmp

Filesize
640KB

Download
memory/1856-50-0x00000000012F0000-0x0000000001390000-memory.dmp

Filesize
640KB

Download
memory/1988-11-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1988-23-0x0000000003750000-0x00000000037BE000-memory.dmp

Filesize
440KB

Download
memory/1988-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2352-35-0x0000000003BA0000-0x0000000003C40000-memory.dmp

Filesize
640KB

Download
memory/2352-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2352-47-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2496-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2496-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2496-8-0x00000000021B0000-0x000000000221E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing