urelas | 914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04

General

Target

914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe
Size

440KB
MD5

2fdc20c1e32fa67a507b5ffca485c8c2
SHA1

0b6d7cf42541f7127679a98c0e998349e15ee8f4
SHA256

914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04
SHA512

7ae476b7952eb479c3b7931ed71a7cf2c9f0894f5ccff2ad130c327f5a8b91f18c49c892a0a723e3ba3bc53194a39a56f7e58dce1de0a85ba6a425d136afc01a
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjC:oMpASIcWYx2U6hAJQnr

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2992	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1236	byujk.exe
2708	diruxy.exe
340	zyrya.exe

Loads dropped DLL 3 IoCs

pid	Process
1064	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe
1236	byujk.exe
2708	diruxy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byujk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diruxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zyrya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe
340	zyrya.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1236	1064	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	30
PID 1064 wrote to memory of 1236	1064	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	30
PID 1064 wrote to memory of 1236	1064	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	30
PID 1064 wrote to memory of 1236	1064	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	30
PID 1064 wrote to memory of 2992	1064	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	31
PID 1064 wrote to memory of 2992	1064	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	31
PID 1064 wrote to memory of 2992	1064	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	31
PID 1064 wrote to memory of 2992	1064	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	31
PID 1236 wrote to memory of 2708	1236	byujk.exe	33
PID 1236 wrote to memory of 2708	1236	byujk.exe	33
PID 1236 wrote to memory of 2708	1236	byujk.exe	33
PID 1236 wrote to memory of 2708	1236	byujk.exe	33
PID 2708 wrote to memory of 340	2708	diruxy.exe	35
PID 2708 wrote to memory of 340	2708	diruxy.exe	35
PID 2708 wrote to memory of 340	2708	diruxy.exe	35
PID 2708 wrote to memory of 340	2708	diruxy.exe	35
PID 2708 wrote to memory of 592	2708	diruxy.exe	36
PID 2708 wrote to memory of 592	2708	diruxy.exe	36
PID 2708 wrote to memory of 592	2708	diruxy.exe	36
PID 2708 wrote to memory of 592	2708	diruxy.exe	36

C:\Users\Admin\AppData\Local\Temp\914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe
"C:\Users\Admin\AppData\Local\Temp\914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\byujk.exe
  "C:\Users\Admin\AppData\Local\Temp\byujk.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\diruxy.exe
    "C:\Users\Admin\AppData\Local\Temp\diruxy.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\zyrya.exe
      "C:\Users\Admin\AppData\Local\Temp\zyrya.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:340
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
335337b9377ce25dc6f425bdb4710c04

SHA1
0e8d1b3a4625acfa3e90f192a756b9bd3cf2b459

SHA256
ecde50a9f50d9d109ba4263d4256a708da68f8c57f2354c35c5243df3fb35d98

SHA512
88e01ba11170f66387d77a4c558945845e6255a74f41da7a9c3ff1fa37d8ce7d6e13113e70a6546a56ad46e17da9d806c8e3c3b63308f865a90badabdc9a601d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
af25523d63f434cc0238cbd374e91def

SHA1
a658e6ef967b8c5455900227c435335e703ac4ea

SHA256
3b795840e99860c22696717dce62f7101e8272d80b157be0be56e5849c0f82d7

SHA512
cb14a7734bcf6c76d00da4d6906124624d94c178438edfd954b70969f24a92252e7dbe51951984e3c2b931aa0c728a0c7fdc8919b3d1a213cb4b084036129d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\diruxy.exe

Filesize
441KB

MD5
492095cd374ca92df9c7e858247b280c

SHA1
ce4c8e7e36fd826c69b448bbc71d4a859cd7bbe8

SHA256
3a0456ffb5b83bbf22b0b0fd728e89b85bcd3ebc55ea17f0d5d934a37a332fa5

SHA512
ffc152677a11cfbd789dcbed37ccb949f6e7f4ea8c86068e4a6e25c51928a1d8c7e5f367ebb3e3303b4f40dc33d993ad012dfec22d889f3e7b69b7b728d3ef9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e23f00e9016613fa8c4845b3bb4a509b

SHA1
57e746faff237b472262053057fef947997b7c4d

SHA256
9b9f837304600368ef9e9227cff651239e5ebf1ba9c8921ffc7e8d127586ec32

SHA512
43620790857bbba424abe1c0f324ddb6439b1acdfcca6c8839c838859dd6ea8e6836eed0cbabdd162bc77461c9de1567e845162f83a397ff395bd51919bacd8e

Download Submit
\Users\Admin\AppData\Local\Temp\byujk.exe

Filesize
440KB

MD5
4dc0f94b4ca9baca7ee2f91ad9b58bc5

SHA1
eb3c0c3c4f8a2186eb552a98241b85093e5ff82c

SHA256
a337174e549d3aff758fec19fe700f33a8aacc81aaac6e507a33a0d1e37d3e91

SHA512
4ec20dde8f4c8817ca3a73d9090968133fc937047e79ddc2bfa7172e293815b54122ad6e3de86c71082a3ec30973183c4372f2a51acd41db0cf1e0c9454d48c5

Download Submit
\Users\Admin\AppData\Local\Temp\zyrya.exe

Filesize
223KB

MD5
cc0dc4e143c0f7156f5fd0c04ec4931a

SHA1
7a4d63210220803ec49dcf7018bfc18be3ad1e2d

SHA256
5ac1289f8f1204c065e697e0412795288594d4971728d5a78ddad643ecac6439

SHA512
67144e0dd9c299f868531bc6e3d2c97c017a9876fcdf33f52a7fa343802147120ca7027ce4bc4bcf6a9f9456b4e28a4c88f1e5e69deae585359a0ebccbe2fe2e

Download Submit
memory/340-52-0x0000000000070000-0x0000000000110000-memory.dmp

Filesize
640KB

Download
memory/340-39-0x0000000000070000-0x0000000000110000-memory.dmp

Filesize
640KB

Download
memory/340-51-0x0000000000070000-0x0000000000110000-memory.dmp

Filesize
640KB

Download
memory/1064-20-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1064-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1064-8-0x00000000024B0000-0x000000000251E000-memory.dmp

Filesize
440KB

Download
memory/1236-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1236-25-0x0000000001E80000-0x0000000001EEE000-memory.dmp

Filesize
440KB

Download
memory/2708-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2708-48-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2708-35-0x0000000002E20000-0x0000000002EC0000-memory.dmp

Filesize
640KB

Download
memory/2708-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing