urelas | e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0

General

Target

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
Size

440KB
MD5

a40cb26479ed7aa42946772c7b2e7021
SHA1

b768c64e7ba1bb171ac3d0acf1a43390f1d214bf
SHA256

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0
SHA512

d60f24ca50d22575a1fdd28636ea6238e5da657a6a9d4ea07eb2a117eef59e4bbe7c442ff9318feeb534779cc6f37a9e743d18eb54b21ed2bd0eeab67c046f22
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjP:oMpASIcWYx2U6hAJQng

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1724	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

kydoo.exeqewuzy.exewejeg.exe

pid	Process
2468	kydoo.exe
2272	qewuzy.exe
2692	wejeg.exe

Loads dropped DLL 3 IoCs

Processes:

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exekydoo.exeqewuzy.exe

pid	Process
2364	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
2468	kydoo.exe
2272	qewuzy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

qewuzy.execmd.exewejeg.execmd.exee7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exekydoo.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qewuzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wejeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kydoo.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

wejeg.exe

pid	Process
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe
2692	wejeg.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exekydoo.exeqewuzy.exe

description	pid	Process	procid_target
PID 2364 wrote to memory of 2468	2364	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	30
PID 2364 wrote to memory of 2468	2364	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	30
PID 2364 wrote to memory of 2468	2364	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	30
PID 2364 wrote to memory of 2468	2364	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	30
PID 2364 wrote to memory of 1724	2364	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	31
PID 2364 wrote to memory of 1724	2364	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	31
PID 2364 wrote to memory of 1724	2364	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	31
PID 2364 wrote to memory of 1724	2364	e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe	31
PID 2468 wrote to memory of 2272	2468	kydoo.exe	33
PID 2468 wrote to memory of 2272	2468	kydoo.exe	33
PID 2468 wrote to memory of 2272	2468	kydoo.exe	33
PID 2468 wrote to memory of 2272	2468	kydoo.exe	33
PID 2272 wrote to memory of 2692	2272	qewuzy.exe	35
PID 2272 wrote to memory of 2692	2272	qewuzy.exe	35
PID 2272 wrote to memory of 2692	2272	qewuzy.exe	35
PID 2272 wrote to memory of 2692	2272	qewuzy.exe	35
PID 2272 wrote to memory of 796	2272	qewuzy.exe	36
PID 2272 wrote to memory of 796	2272	qewuzy.exe	36
PID 2272 wrote to memory of 796	2272	qewuzy.exe	36
PID 2272 wrote to memory of 796	2272	qewuzy.exe	36

C:\Users\Admin\AppData\Local\Temp\e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe
"C:\Users\Admin\AppData\Local\Temp\e7ebbb224a3e3fd465ba8be4646569e2bdc346efe57f999abe9876f86d62fda0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\kydoo.exe
  "C:\Users\Admin\AppData\Local\Temp\kydoo.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\qewuzy.exe
    "C:\Users\Admin\AppData\Local\Temp\qewuzy.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\wejeg.exe
      "C:\Users\Admin\AppData\Local\Temp\wejeg.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
b23730e95b71c653c3d0a3bea8724c5d

SHA1
b13f909a42dc9d13082f543aef1e53adaad821f3

SHA256
e1f01373c6afddad4b3ba7a3c78e2e0e09147366cf7708d28e3daae5cc2cfcc0

SHA512
e4bdecdfb3df8b3f168f6381e8abfa618bd517ab3cdc549c16bf22b68baf2827dd4322012e57978869298cd03f8ac4c8401015e4bade9fc31b4c19aafed6dc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
b63eb8a72d43acaaa6087aca95b0d1b4

SHA1
bf358f47d4b488f5050e2595cc03dd6a253d2432

SHA256
aa2316f8910479a0ea5e027c76c11a07d81ebfbe5c45ca2fac01bb9d74c37875

SHA512
e09c819e1bd34b23e1983919d4d02511b31d9939c1e2a3e5b82b5642b49d79080ef2445024a8c65c2b5541294bd61aa1ff07550ba571ae05899ef8d3966fe379

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8a0dc3a3b30fc3ce48c1ec999fa3512a

SHA1
6bacdc14e6024c4c2e3f5d8a6ad0bc43fc009520

SHA256
c2eecf91e8c20ca3353453f61fb193ba3cf33e0a8704c2e802b17ed9720a29ef

SHA512
4d368d5b579d55c120f5ae66cd731dfe6ddbba235d17a0abe6b1aad92ebc03664929142f2399222fbf342f765f792b03aeec5c09f0af3e075f9ac6fdfaf0e973

Download Submit
C:\Users\Admin\AppData\Local\Temp\kydoo.exe

Filesize
440KB

MD5
7dd8d8387dc59ad43a7d85b3de480118

SHA1
b2962a7a47d384a418d8a0316b455520263dc122

SHA256
e81c9de2d4855e3dfe5f42380f4201afe2f97d8afd4cd7c283c5e19336178605

SHA512
dbc905c7066a51984bf64774251d907b9497d297ecc478c36396b102385222c7dbe734662876f376d22585ad32eb066b60f159c7d87284f28092df27045be0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qewuzy.exe

Filesize
440KB

MD5
363ea5a1f10833140de716e17d7bb59b

SHA1
3e4537b409515fe1d6e12aebb0ec15123a6f7a6f

SHA256
f4a20212c728c513fef431ba397cf610f5f6ccab2ad35f4eb37ef41adb4393c7

SHA512
3c67019bc890cd00de6d181f09ea3b3cbbc4357b2b1fd0e8af682d10f4f7104e101cb3d666158b86ff3777a4fe46751cd3a07e010066d8c7acdd4a5de8079df4

Download Submit
\Users\Admin\AppData\Local\Temp\wejeg.exe

Filesize
223KB

MD5
f1fea26a2031d5e4b1673d92deb7e66d

SHA1
c66c59befcfb680865226d08cd2a50a46d390cf2

SHA256
287b91ec87cb750731c331ee045be49d8c200594d593bcf2f49d1b811394623d

SHA512
70702a5f754ffc28134a5145c45f235705997f2222f5b81974ecb02a1fa816c219bb1a68049f95715d0f0518120e6fc2022355c3bef9b2b9da1df371f35210c9

Download Submit
memory/2272-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2272-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2272-44-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2272-43-0x0000000002110000-0x00000000021B0000-memory.dmp

Filesize
640KB

Download
memory/2364-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2364-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2468-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2692-45-0x00000000000E0000-0x0000000000180000-memory.dmp

Filesize
640KB

Download
memory/2692-49-0x00000000000E0000-0x0000000000180000-memory.dmp

Filesize
640KB

Download
memory/2692-50-0x00000000000E0000-0x0000000000180000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads