urelas | 910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b

General

Target

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
Size

692KB
MD5

b53e591f1b41aab36a05fd560ec491ce
SHA1

683d8ce3f61a8b13f2b6803e8060d3708c6a61bd
SHA256

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b
SHA512

e3b9e38b6409080b15bff22a1db0db9e1bc2a1aaee006e755add83b9a32d54d1b4340e423917bef1ae244f08223f2127faabaf65e923173f339783674f4cadc2
SSDEEP

12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nr0:dVh6gl6Iy8R9+ZdnnP94jpgl9Bnr0

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2560	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

dyked.execukyre.exepenup.exe

pid	Process
1680	dyked.exe
2752	cukyre.exe
2144	penup.exe

Loads dropped DLL 5 IoCs

Processes:

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exedyked.execukyre.exe

pid	Process
2172	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
2172	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
1680	dyked.exe
1680	dyked.exe
2752	cukyre.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exedyked.execmd.execukyre.exepenup.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dyked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cukyre.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	penup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

penup.exe

pid	Process
2144	penup.exe
2144	penup.exe
2144	penup.exe
2144	penup.exe
2144	penup.exe
2144	penup.exe
2144	penup.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exedyked.execukyre.exe

description	pid	Process	procid_target
PID 2172 wrote to memory of 1680	2172	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	30
PID 2172 wrote to memory of 1680	2172	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	30
PID 2172 wrote to memory of 1680	2172	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	30
PID 2172 wrote to memory of 1680	2172	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	30
PID 2172 wrote to memory of 2560	2172	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	31
PID 2172 wrote to memory of 2560	2172	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	31
PID 2172 wrote to memory of 2560	2172	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	31
PID 2172 wrote to memory of 2560	2172	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	31
PID 1680 wrote to memory of 2752	1680	dyked.exe	33
PID 1680 wrote to memory of 2752	1680	dyked.exe	33
PID 1680 wrote to memory of 2752	1680	dyked.exe	33
PID 1680 wrote to memory of 2752	1680	dyked.exe	33
PID 2752 wrote to memory of 2144	2752	cukyre.exe	35
PID 2752 wrote to memory of 2144	2752	cukyre.exe	35
PID 2752 wrote to memory of 2144	2752	cukyre.exe	35
PID 2752 wrote to memory of 2144	2752	cukyre.exe	35
PID 2752 wrote to memory of 1752	2752	cukyre.exe	36
PID 2752 wrote to memory of 1752	2752	cukyre.exe	36
PID 2752 wrote to memory of 1752	2752	cukyre.exe	36
PID 2752 wrote to memory of 1752	2752	cukyre.exe	36

C:\Users\Admin\AppData\Local\Temp\910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
"C:\Users\Admin\AppData\Local\Temp\910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\dyked.exe
  "C:\Users\Admin\AppData\Local\Temp\dyked.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\cukyre.exe
    "C:\Users\Admin\AppData\Local\Temp\cukyre.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\penup.exe
      "C:\Users\Admin\AppData\Local\Temp\penup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2144
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
fc0c687e429f4e6ce0ff0707d753537c

SHA1
4db0d027fb00de586a8b9205fd36b81606f72d72

SHA256
417eda1fe2c91f5595bf8898777a7efdfe37dea6844397af6a2c9a19f4396292

SHA512
ab460c48858fe0428923f0a696a36b12cd39a012e0e8d9ae97798a4ae5f1b601f1e982f48deac62eaf2f0a20f9d658b8e5ad68d0ba1a6ec72bce6ad12bb3cfcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
32235d03de516b7bcc0856ef44e41323

SHA1
6ae6f37b1c893501a78ab3fa90484c9a0abb0f2b

SHA256
b4591cd755a797bd34fb6cc7fc86b2b08c5af64423573ea44d08cf111d0ab874

SHA512
4ea11174086aa9690c64f519c7098d04ad1ee77f2fe1fe1463a978bbdfe17d133353bf0067ebb033d56097df88d7bdfe13ba3f0ec81f2ee6cbee7076454f67c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dyked.exe

Filesize
692KB

MD5
f93b1906fbaf920aa3ee3e762570ce1a

SHA1
e748a9592d31d6ed9a21e15d8b81d3824bed9df3

SHA256
17e8ff4f7f65bd0a3a0eaea373f47a3853edc3cae43dd2c1a1215439c3169562

SHA512
91cd9a0c0c0cda7371e41108638093fdee65860db813181e02c433ce943129d92d2e41462c5e59d0e0a23ac569b3c0da52cb15ee0111a69b6348b313f1631bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
359ec96a6ae869341506ec0b65e57260

SHA1
08696352b5b67d68c730e27c17a8f9ddc679fc93

SHA256
b57fa25ce2ca192f73d6626588a991e8ca7751b26bf3011d81416a9a9483f8d4

SHA512
4e969d039a8dbaa68dd037bbefe7418f4b9e1e6f28a852d08d0ad5a56d19ad9abee695fcf6ce23ca33462061f6c35e789e4548f9dceefedd0075098d377b72ae

Download Submit
\Users\Admin\AppData\Local\Temp\penup.exe

Filesize
469KB

MD5
8c547fa808422cd83d84f517ab42e9a0

SHA1
7e079ce82892db874ca80aeeeace69615a8043b1

SHA256
1010f639f278d92ff23362f03e2400d7f80249de94929a835869674da0936603

SHA512
00d4fb793ba8fb5c5bafea5a28d3e7d33b2fb1517853ec4f9942c4fb9499345a2d9f35c3655335529f13f088d3038ead58d9bd2ae395fe2529a43bcc90565b49

Download Submit
memory/1680-24-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1680-36-0x0000000003750000-0x0000000003803000-memory.dmp

Filesize
716KB

Download
memory/1680-35-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1680-34-0x0000000003750000-0x0000000003803000-memory.dmp

Filesize
716KB

Download
memory/2144-57-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2144-60-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2172-21-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2172-22-0x0000000002520000-0x00000000025D3000-memory.dmp

Filesize
716KB

Download
memory/2172-2-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2752-37-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2752-38-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2752-54-0x0000000003C70000-0x0000000003E06000-memory.dmp

Filesize
1.6MB

Download
memory/2752-53-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads