urelas | b63252c4febfe03e94d075f5f2f6370a79c33395770af0981512b33323e87555

General

Target

NEAS.7ac3b16774c38b6a6ab354c36dd55f40.exe
Size

327KB
MD5

7ac3b16774c38b6a6ab354c36dd55f40
SHA1

7f8c326a1621ecd454bf6556e5cae1f779666249
SHA256

b63252c4febfe03e94d075f5f2f6370a79c33395770af0981512b33323e87555
SHA512

2b972971093e52d683e772342564a0db5dbd2fbda80c4f40e292f0fb1c58a230fe1df902d2da363dec7d49d43aa69103e6414c72a16b136c211254bb2195483a
SSDEEP

6144:onOAG5ldEQdPd/2oSQbQFsrF1W/h84IrV7mMpH8zQW4jQw+k5e:o/G5ldDPUoSiQi4kVdcQzjje

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	NEAS.7ac3b16774c38b6a6ab354c36dd55f40.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	rudue.exe

Executes dropped EXE 2 IoCs

pid	Process
4116	rudue.exe
1660	ybbid.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2260-0-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/2260-3-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/files/0x0007000000022dce-8.dat	upx
behavioral2/files/0x0007000000022dce-11.dat	upx
behavioral2/files/0x0007000000022dce-10.dat	upx
behavioral2/memory/2260-15-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/4116-18-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/4116-19-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/4116-35-0x0000000000400000-0x00000000004BE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe
1660	ybbid.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1660	ybbid.exe
Token: SeIncBasePriorityPrivilege	1660	ybbid.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 4116	2260	NEAS.7ac3b16774c38b6a6ab354c36dd55f40.exe	89
PID 2260 wrote to memory of 4116	2260	NEAS.7ac3b16774c38b6a6ab354c36dd55f40.exe	89
PID 2260 wrote to memory of 4116	2260	NEAS.7ac3b16774c38b6a6ab354c36dd55f40.exe	89
PID 2260 wrote to memory of 2440	2260	NEAS.7ac3b16774c38b6a6ab354c36dd55f40.exe	90
PID 2260 wrote to memory of 2440	2260	NEAS.7ac3b16774c38b6a6ab354c36dd55f40.exe	90
PID 2260 wrote to memory of 2440	2260	NEAS.7ac3b16774c38b6a6ab354c36dd55f40.exe	90
PID 4116 wrote to memory of 1660	4116	rudue.exe	96
PID 4116 wrote to memory of 1660	4116	rudue.exe	96
PID 4116 wrote to memory of 1660	4116	rudue.exe	96

C:\Users\Admin\AppData\Local\Temp\NEAS.7ac3b16774c38b6a6ab354c36dd55f40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7ac3b16774c38b6a6ab354c36dd55f40.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\rudue.exe
  "C:\Users\Admin\AppData\Local\Temp\rudue.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Users\Admin\AppData\Local\Temp\ybbid.exe
    "C:\Users\Admin\AppData\Local\Temp\ybbid.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
eca72d838b854561d9625e1013b63f54

SHA1
f859ce8b311a621283300aaed960a6882cbd439e

SHA256
8a7010c6cc8239a535b04ca98829b9db2bdfaf7923a6654ddeea6bb7e987aa24

SHA512
ca5e78007d38736f72dd10250907dd859921822e34eb62ee5cb3de0c1fc74ef96f4e3c48943004debb14eec409fdb7fb8f3c5b29a7cd371b86c6a6ba0e2395f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8b04da9677efd6bdf8aa535835002a8b

SHA1
f998df92d760214d3f83adb87fb2868d86571edb

SHA256
078efcc7831146c0ec17ba6f55f18e28c97720a9243dac8289832028daf14a11

SHA512
af79a4ce407e7d0d968ce08b8bc233aa6eb81553e9f26f5f471b7608b70309c71550dccef5a497cc4544e096b6b752cc5bfacf32a76d41aa946ab68b0abf1e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rudue.exe

Filesize
327KB

MD5
778622a168df3ee38b2f9293ec8bfedc

SHA1
962b3f437dd6405d109d2981659679fe89a1a3a0

SHA256
a9fb4fc37cb9a9771c16d534843e5dc11a4138dcf7a29f35d213e4e4c0113069

SHA512
3fe4842485251e0eec81b587fa01352227a783c1123fb07207610cdb2df68f53b95405e81b8d9a18caf4dc1a82270c1b8a23600e6ccc98ed643e3d7b1e2b60b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rudue.exe

Filesize
327KB

MD5
778622a168df3ee38b2f9293ec8bfedc

SHA1
962b3f437dd6405d109d2981659679fe89a1a3a0

SHA256
a9fb4fc37cb9a9771c16d534843e5dc11a4138dcf7a29f35d213e4e4c0113069

SHA512
3fe4842485251e0eec81b587fa01352227a783c1123fb07207610cdb2df68f53b95405e81b8d9a18caf4dc1a82270c1b8a23600e6ccc98ed643e3d7b1e2b60b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rudue.exe

Filesize
327KB

MD5
778622a168df3ee38b2f9293ec8bfedc

SHA1
962b3f437dd6405d109d2981659679fe89a1a3a0

SHA256
a9fb4fc37cb9a9771c16d534843e5dc11a4138dcf7a29f35d213e4e4c0113069

SHA512
3fe4842485251e0eec81b587fa01352227a783c1123fb07207610cdb2df68f53b95405e81b8d9a18caf4dc1a82270c1b8a23600e6ccc98ed643e3d7b1e2b60b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybbid.exe

Filesize
201KB

MD5
9307e83727add11c92f8997bab838fa4

SHA1
01ea5c53b5952621dfd17c1ac0b6a2c8e5b52dd6

SHA256
129a35720999748e91940f44c5876bc2415bacf74f8dfa1e72cbbc725b1a7d18

SHA512
d876b52a91065002e82cfd67a205c376bc050bc7b898801a5cbf532614f05782c8efec2c5a9af976f3b1b5297bb583ef9cabdede0592e77a19b021e28b195faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybbid.exe

Filesize
201KB

MD5
9307e83727add11c92f8997bab838fa4

SHA1
01ea5c53b5952621dfd17c1ac0b6a2c8e5b52dd6

SHA256
129a35720999748e91940f44c5876bc2415bacf74f8dfa1e72cbbc725b1a7d18

SHA512
d876b52a91065002e82cfd67a205c376bc050bc7b898801a5cbf532614f05782c8efec2c5a9af976f3b1b5297bb583ef9cabdede0592e77a19b021e28b195faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybbid.exe

Filesize
201KB

MD5
9307e83727add11c92f8997bab838fa4

SHA1
01ea5c53b5952621dfd17c1ac0b6a2c8e5b52dd6

SHA256
129a35720999748e91940f44c5876bc2415bacf74f8dfa1e72cbbc725b1a7d18

SHA512
d876b52a91065002e82cfd67a205c376bc050bc7b898801a5cbf532614f05782c8efec2c5a9af976f3b1b5297bb583ef9cabdede0592e77a19b021e28b195faa

Download Submit
memory/1660-41-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1660-42-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1660-40-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1660-36-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1660-38-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2260-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2260-15-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2260-3-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4116-18-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4116-35-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4116-19-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing