urelas | 89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32

General

Target

89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe
Size

441KB
MD5

faf00753bd81391e58835672dbaa6c70
SHA1

3d4c0d2510fdf1cd65503bfb5f3e5de76f6a04c7
SHA256

89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32
SHA512

f72989638900a72103c72d9c76e3b6fdc183eb5515152079adad332cd794b947221dddb51a756c7cd2e1451830f0751b61a49c56d93e132af6a1c29edaf7b6ca
SSDEEP

12288:W33Xn66ga6ENOy+CDyepaccTCSjfkkItQU8eoPO:8Hn6/8NOy+CDQcciQpeoPO

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exeqojuq.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	qojuq.exe

Executes dropped EXE 2 IoCs

Processes:

qojuq.exepoord.exe

pid process

2908 qojuq.exe
3096 poord.exe

pid	process
2908	qojuq.exe
3096	poord.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\poord.exe	upx
behavioral2/memory/3096-38-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3096-42-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3096-43-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3096-44-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exeqojuq.execmd.exepoord.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qojuq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poord.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

poord.exe

pid	process
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe
3096	poord.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exeqojuq.exe

description	pid	process
Token: 33	3060	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe
Token: SeIncBasePriorityPrivilege	3060	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe
Token: 33	2908	qojuq.exe
Token: SeIncBasePriorityPrivilege	2908	qojuq.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exeqojuq.exe

description	pid	process	target process
PID 3060 wrote to memory of 2908	3060	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe	qojuq.exe
PID 3060 wrote to memory of 2908	3060	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe	qojuq.exe
PID 3060 wrote to memory of 2908	3060	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe	qojuq.exe
PID 3060 wrote to memory of 4352	3060	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe	cmd.exe
PID 3060 wrote to memory of 4352	3060	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe	cmd.exe
PID 3060 wrote to memory of 4352	3060	89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe	cmd.exe
PID 2908 wrote to memory of 3096	2908	qojuq.exe	poord.exe
PID 2908 wrote to memory of 3096	2908	qojuq.exe	poord.exe
PID 2908 wrote to memory of 3096	2908	qojuq.exe	poord.exe

C:\Users\Admin\AppData\Local\Temp\89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe
"C:\Users\Admin\AppData\Local\Temp\89b0d9949cf2a387f883d4aa8c4c36ff73874f4a344298978bc0ce1124839a32N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\qojuq.exe
  "C:\Users\Admin\AppData\Local\Temp\qojuq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\poord.exe
    "C:\Users\Admin\AppData\Local\Temp\poord.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
342B

MD5
714e75371d418bee117c91069992882d

SHA1
88b671f58dbd0d94a127c75c5a15e328d572e06b

SHA256
527eea179cf04fe9ef6044ec0dc9a759cfade99a1d2c839280835b9e0eaaef09

SHA512
f8bbb0394293bc35bbae88f397f6dcb68e73cb353ce454cceb6feaadb80909a4f80cd1eba3cb2e698890d3d969797802aa9c629513d611b44cc642aeff2f7776

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b86c5f2a46adb117316652f3056d5e29

SHA1
9a3f42361cd330989754f176ea512c81bd2209a0

SHA256
93974ff8a391c52bcae18af7bba7fbd48eecec69c085ef3b150c14d8f5c18215

SHA512
fb67e986f9e4d558b0b7fd34e0da554c140199fc14001fb56313020e692beef99c278f3a2a44e839f5db6eaa18a3bea32d79aee4a1e7e23f1af18cee7c20bf70

Download Submit
C:\Users\Admin\AppData\Local\Temp\poord.exe

Filesize
198KB

MD5
362d87885d8e45a24025a648a7885b23

SHA1
b1eb6c887db5d842053f695a317b379a11bb3810

SHA256
177fedd9cd483489f7e3fca9c429a2af04707c9c1f61ee24134143fdefc6740e

SHA512
79014218d5cf168fdfc46e73ed827367bbe02accd5ad10f04a47d87dc9d2246c08aec0a7cb23f8c6190235dd15eab8540f63698a5ad125abebe5c76b97633c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qojuq.exe

Filesize
441KB

MD5
d53d3508f08931b36da465728693f750

SHA1
a495e1837924465c6cb214fbc4f78f8ac9920bd7

SHA256
cc0e3c5277b8b830aa495287cc9e4653fcc957a3f9a5032d09495eead0e6e841

SHA512
02da307c4ffced1bb5c9bf7d9a531665750997bb9e86c526d3e9c78182a3d962fe63967fa5d1ea04fe59389c5a922a7df3dc140b9657450bc6db5d8ef4ef13a8

Download Submit
memory/2908-40-0x0000000000F30000-0x0000000000FAC000-memory.dmp

Filesize
496KB

Download
memory/2908-17-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2908-11-0x0000000000F30000-0x0000000000FAC000-memory.dmp

Filesize
496KB

Download
memory/2908-21-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2908-20-0x0000000000F30000-0x0000000000FAC000-memory.dmp

Filesize
496KB

Download
memory/3060-16-0x0000000000E90000-0x0000000000F0C000-memory.dmp

Filesize
496KB

Download
memory/3060-1-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3060-0-0x0000000000E90000-0x0000000000F0C000-memory.dmp

Filesize
496KB

Download
memory/3096-38-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3096-42-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3096-43-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3096-44-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads