urelas | 89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32

General

Target

89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe
Size

441KB
MD5

faf00753bd81391e58835672dbaa6c70
SHA1

3d4c0d2510fdf1cd65503bfb5f3e5de76f6a04c7
SHA256

89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32
SHA512

f72989638900a72103c72d9c76e3b6fdc183eb5515152079adad332cd794b947221dddb51a756c7cd2e1451830f0751b61a49c56d93e132af6a1c29edaf7b6ca
SSDEEP

12288:W33Xn66ga6ENOy+CDyepaccTCSjfkkItQU8eoPO:8Hn6/8NOy+CDQcciQpeoPO

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1568 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

iceqn.exeqigou.exe

pid process

2516 iceqn.exe
1032 qigou.exe
Loads dropped DLL 2 IoCs

Processes:

89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exeiceqn.exe

pid process

1320 89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe
2516 iceqn.exe

pid	process
1568	cmd.exe

pid	process
2516	iceqn.exe
1032	qigou.exe

pid	process
1320	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe
2516	iceqn.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\qigou.exe	upx
behavioral1/memory/1032-39-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1032-43-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1032-44-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1032-45-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

iceqn.execmd.exeqigou.exe89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iceqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qigou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

qigou.exe

pid	process
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe
1032	qigou.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exeiceqn.exe

description	pid	process
Token: 33	1320	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe
Token: SeIncBasePriorityPrivilege	1320	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe
Token: 33	2516	iceqn.exe
Token: SeIncBasePriorityPrivilege	2516	iceqn.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exeiceqn.exe

description	pid	process	target process
PID 1320 wrote to memory of 2516	1320	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe	iceqn.exe
PID 1320 wrote to memory of 2516	1320	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe	iceqn.exe
PID 1320 wrote to memory of 2516	1320	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe	iceqn.exe
PID 1320 wrote to memory of 2516	1320	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe	iceqn.exe
PID 1320 wrote to memory of 1568	1320	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe	cmd.exe
PID 1320 wrote to memory of 1568	1320	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe	cmd.exe
PID 1320 wrote to memory of 1568	1320	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe	cmd.exe
PID 1320 wrote to memory of 1568	1320	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe	cmd.exe
PID 2516 wrote to memory of 1032	2516	iceqn.exe	qigou.exe
PID 2516 wrote to memory of 1032	2516	iceqn.exe	qigou.exe
PID 2516 wrote to memory of 1032	2516	iceqn.exe	qigou.exe
PID 2516 wrote to memory of 1032	2516	iceqn.exe	qigou.exe

C:\Users\Admin\AppData\Local\Temp\89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe
"C:\Users\Admin\AppData\Local\Temp\89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\iceqn.exe
  "C:\Users\Admin\AppData\Local\Temp\iceqn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\qigou.exe
    "C:\Users\Admin\AppData\Local\Temp\qigou.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
342B

MD5
714e75371d418bee117c91069992882d

SHA1
88b671f58dbd0d94a127c75c5a15e328d572e06b

SHA256
527eea179cf04fe9ef6044ec0dc9a759cfade99a1d2c839280835b9e0eaaef09

SHA512
f8bbb0394293bc35bbae88f397f6dcb68e73cb353ce454cceb6feaadb80909a4f80cd1eba3cb2e698890d3d969797802aa9c629513d611b44cc642aeff2f7776

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6e7315d4d571c4e8a56a4a684debcc4c

SHA1
910863a8804fd96be5859c66d5b2880d2c2b67e2

SHA256
de91f19449fbde4ffc73d0756203dad58248b4d4c30453f8f53701979e417b86

SHA512
70211d5f50253de5d8006f17ae3b4109d4cda8b060cbbae9f43a0b9bd8aa19ff4e4c19b8c40d618a7960c0c78602cd46e141da48d16f46f785fe1a780126e8cb

Download Submit
\Users\Admin\AppData\Local\Temp\iceqn.exe

Filesize
441KB

MD5
bc5948f61801bf974d286d6799646fac

SHA1
7f9dd90a63735267a8dddd819daf18aaf8056e25

SHA256
f4019b5c4b5e80eaaa1aa9b7b4e61796c362815cbcceaa2617333f1c81e36add

SHA512
93ff9dea7102a68d2a17370e7dc902da0189e2fb3210f2be5e4f4d23264cc99f1c50612d3947f23c6da768fcfd5d01395c3d107d8345df28504fb25bf999bec9

Download Submit
\Users\Admin\AppData\Local\Temp\qigou.exe

Filesize
198KB

MD5
f7bf01913bf916cc10a1fc801e48558b

SHA1
315c10dccfc30c8ced25f079261726246cc24809

SHA256
e66d5fba3a0669d7ca6540b98e6e0d13469cabe9bf10eae7d30b48f8c72292be

SHA512
59d22875f7063c829811f8d1a5610c0155264ba73c93f5d87d4548fc4332ded9525b28cd3ce33b33ac77318bd1d50eca13450d4c90897256691699844a5f3554

Download Submit
memory/1032-39-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1032-45-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1032-44-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1032-43-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1320-1-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1320-7-0x0000000000B80000-0x0000000000BFC000-memory.dmp

Filesize
496KB

Download
memory/1320-0-0x0000000000C10000-0x0000000000C8C000-memory.dmp

Filesize
496KB

Download
memory/1320-20-0x0000000000C10000-0x0000000000C8C000-memory.dmp

Filesize
496KB

Download
memory/2516-11-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2516-41-0x0000000000F50000-0x0000000000FCC000-memory.dmp

Filesize
496KB

Download
memory/2516-36-0x0000000003FC0000-0x000000000405F000-memory.dmp

Filesize
636KB

Download
memory/2516-23-0x0000000000F50000-0x0000000000FCC000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads