urelas | f9cc226bdcfc374ab6c5c79a8fac93384a6e8b69b67b7acf2bd4ccb9fb28e3af

General

Target

a1986464de7c51ae0d4f741c15e74f16_JC.exe
Size

222KB
MD5

a1986464de7c51ae0d4f741c15e74f16
SHA1

35fbb43cb2110df64531579c473564f3f62872b7
SHA256

f9cc226bdcfc374ab6c5c79a8fac93384a6e8b69b67b7acf2bd4ccb9fb28e3af
SHA512

0f85812216ae625a89f90ae22848d10a6deb487b4867431fe12ba6043879fca85c6a0b713b9441bb558a5b819f4f51f97fa2c1883abccbedc47348cf90fe4860
SSDEEP

3072:WBKBy7+8pCOH1ch9ZLqrwrr58V2po8d3E:WkBy7+8pCOVi3L+w6MpRd3E

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	a1986464de7c51ae0d4f741c15e74f16_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
3480	jubou.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3952	3480	WerFault.exe	89

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1644	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 3480	1548	a1986464de7c51ae0d4f741c15e74f16_JC.exe	89
PID 1548 wrote to memory of 3480	1548	a1986464de7c51ae0d4f741c15e74f16_JC.exe	89
PID 1548 wrote to memory of 3480	1548	a1986464de7c51ae0d4f741c15e74f16_JC.exe	89
PID 1548 wrote to memory of 1332	1548	a1986464de7c51ae0d4f741c15e74f16_JC.exe	91
PID 1548 wrote to memory of 1332	1548	a1986464de7c51ae0d4f741c15e74f16_JC.exe	91
PID 1548 wrote to memory of 1332	1548	a1986464de7c51ae0d4f741c15e74f16_JC.exe	91

C:\Users\Admin\AppData\Local\Temp\a1986464de7c51ae0d4f741c15e74f16_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a1986464de7c51ae0d4f741c15e74f16_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\jubou.exe
  "C:\Users\Admin\AppData\Local\Temp\jubou.exe"
  2⤵
  - Executes dropped EXE
  PID:3480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 780
    3⤵
    - Program crash
    PID:3952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:1332

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3480 -ip 3480
1⤵
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
3542fbe4c275397a4a5b01bdfb753af0

SHA1
72cce8c341b19b9dde146a0ee8681243049245be

SHA256
645d30214386c4d1ae4adf529aebb443971b91fa8da3fcc8718c39f2df0f478f

SHA512
ea511cb723364dfc3707739d6b3919c6f1781c5394a6f9d8aacc6dc9611f17e6fa2c400669c861ec4232e5f3d2fd9d86490e7a31d0a8c761ccf7bbf1aca56089

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
961627262c843312ddac70e0b4736db7

SHA1
4615176345c7de8fe482697a8c5e5626c603d3c0

SHA256
ab85747b08d184279d93d810158c7c05f62e30be987ec0b06c4d962ade934f47

SHA512
0a5969b07a225de87f482468c83284bae39d374615cc21157f42ed6d12bbe7fc6e5f27400eb414ef7794db896fc60b0464f07c246333e88418f3e51c63a01723

Download Submit
C:\Users\Admin\AppData\Local\Temp\jubou.exe

Filesize
222KB

MD5
709b82e29d2386c512f034d47ebf2204

SHA1
a39ce9aaae36dca4a7b92e849aae9c10f78048b2

SHA256
5172df7a7c256553d9ea26367ab73c7ccf1e771f867d84b1be09add272915141

SHA512
710724455c2d5eef997381fc2652143f60efc3b0a5b27bea2b197a545378d1ff5ab83482bdbbb4676df8ca8e35716b642572dedff58d4088c3d2505aa127bef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jubou.exe

Filesize
222KB

MD5
709b82e29d2386c512f034d47ebf2204

SHA1
a39ce9aaae36dca4a7b92e849aae9c10f78048b2

SHA256
5172df7a7c256553d9ea26367ab73c7ccf1e771f867d84b1be09add272915141

SHA512
710724455c2d5eef997381fc2652143f60efc3b0a5b27bea2b197a545378d1ff5ab83482bdbbb4676df8ca8e35716b642572dedff58d4088c3d2505aa127bef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jubou.exe

Filesize
222KB

MD5
709b82e29d2386c512f034d47ebf2204

SHA1
a39ce9aaae36dca4a7b92e849aae9c10f78048b2

SHA256
5172df7a7c256553d9ea26367ab73c7ccf1e771f867d84b1be09add272915141

SHA512
710724455c2d5eef997381fc2652143f60efc3b0a5b27bea2b197a545378d1ff5ab83482bdbbb4676df8ca8e35716b642572dedff58d4088c3d2505aa127bef2

Download Submit
memory/1548-0-0x0000000000C40000-0x0000000000C76000-memory.dmp

Filesize
216KB

Download
memory/1548-14-0x0000000000C40000-0x0000000000C76000-memory.dmp

Filesize
216KB

Download
memory/1644-52-0x0000022AAF3E0000-0x0000022AAF3E1000-memory.dmp

Filesize
4KB

Download
memory/1644-17-0x0000022AA6F40000-0x0000022AA6F50000-memory.dmp

Filesize
64KB

Download
memory/1644-33-0x0000022AA7040000-0x0000022AA7050000-memory.dmp

Filesize
64KB

Download
memory/1644-49-0x0000022AAF3B0000-0x0000022AAF3B1000-memory.dmp

Filesize
4KB

Download
memory/1644-51-0x0000022AAF3E0000-0x0000022AAF3E1000-memory.dmp

Filesize
4KB

Download
memory/1644-53-0x0000022AAF4F0000-0x0000022AAF4F1000-memory.dmp

Filesize
4KB

Download
memory/3480-10-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/3480-54-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/3480-55-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing