urelas | 72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c

General

Target

72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe
Size

298KB
MD5

ecee80a6ccffbce36de0d4a2f085e87f
SHA1

64db498370b7e02d14a949470876b0469dac893b
SHA256

72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c
SHA512

41c1cdc9104ff4cf42ccb9aeba28cf16d873d4b9ac338491177b4f44b427cf4a342a4f97c57223ec38139b34b3bcf1bae2f7a0ed9858379909d2a0bac48c97c0
SSDEEP

6144:kN43gKpDPeVvnAmZ64XMxvQ4x1OpGcm9VQl0lM/oJ4/gupXSE:Y4npK2y8zzkGHVqoq/gKl

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2108	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1544	tizuu.exe
2824	negof.exe

Loads dropped DLL 3 IoCs

pid	Process
2368	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe
2368	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe
1544	tizuu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	negof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tizuu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe
2824	negof.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2368	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe
Token: SeIncBasePriorityPrivilege	2368	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe
Token: 33	1544	tizuu.exe
Token: SeIncBasePriorityPrivilege	1544	tizuu.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1544	2368	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe	30
PID 2368 wrote to memory of 1544	2368	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe	30
PID 2368 wrote to memory of 1544	2368	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe	30
PID 2368 wrote to memory of 1544	2368	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe	30
PID 2368 wrote to memory of 2108	2368	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe	31
PID 2368 wrote to memory of 2108	2368	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe	31
PID 2368 wrote to memory of 2108	2368	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe	31
PID 2368 wrote to memory of 2108	2368	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe	31
PID 1544 wrote to memory of 2824	1544	tizuu.exe	34
PID 1544 wrote to memory of 2824	1544	tizuu.exe	34
PID 1544 wrote to memory of 2824	1544	tizuu.exe	34
PID 1544 wrote to memory of 2824	1544	tizuu.exe	34

C:\Users\Admin\AppData\Local\Temp\72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe
"C:\Users\Admin\AppData\Local\Temp\72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\tizuu.exe
  "C:\Users\Admin\AppData\Local\Temp\tizuu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\negof.exe
    "C:\Users\Admin\AppData\Local\Temp\negof.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
fd2b617bbd521f39231c979e7d3d2cf0

SHA1
29671ec5d830c890958801739053e04a0661765d

SHA256
acc974feb85e7bbaa424b23ade4d23475d2a6e4f7b3faaa1f6e54a81d7049aee

SHA512
c885f397ab1e5bd7bd3b895e719464fe0dc63c08bf3e1555c5a8d2e94658c81395123a1093b38e324e4f37edb72a84ef7f294ebe9b84ae36536f30ff3caaa9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
239848b95c2b75b065462db061198f94

SHA1
800d7d793c94a9569245dc2e4e22e4c3a5ef70ce

SHA256
a9558a151e211185d88dc49f04bc8ac12ee89c7f273fcd11e7758bc9dfb5c751

SHA512
515874761211927a8dcdd8b11b3ef3c4dc37dec07ac7d52d289c534e8df5d48c439b8856ddf1116219d89baa7e93d27950862aa8eb1fe6e8fdea3834d67d3af9

Download Submit
\Users\Admin\AppData\Local\Temp\negof.exe

Filesize
203KB

MD5
3385ee1d6ab7e84824ce2eb61734a1a4

SHA1
0af51f702ca2324b18f3b1bb48321027a46fc2ab

SHA256
758b77e2e1a1ac7b174a8780b3cc7bdb80f26a99ce15a2e653ca10518f8d6388

SHA512
2321129508a4b6a9bcb8b1f09e30121544860d1dd32fe5c4e5f939183437f7f77185a231cf976be0d358ef299eedf29686326da0accaf41ecac7ef6afa982637

Download Submit
\Users\Admin\AppData\Local\Temp\tizuu.exe

Filesize
298KB

MD5
8d719d1ab3f4dc64cb4efeaed6b9eec5

SHA1
3bbf94c2aba8d318168e3b96247997bcade63e15

SHA256
b658269d9118f26b36c0f3e6375da7747b5992c4cadefa1b4a726b39cda2b095

SHA512
e6a8c384ba8c0438bab68b4f1aaa111296bddfd2e33f55a0cb5934e3997aa56ee6a68978127738dad006da3c49308c455a2f9eda83e850e386958543fe303202

Download Submit
memory/1544-21-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1544-24-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1544-27-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1544-40-0x0000000003A20000-0x0000000003ABF000-memory.dmp

Filesize
636KB

Download
memory/1544-44-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2368-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2368-23-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2368-12-0x00000000029A0000-0x0000000002A3B000-memory.dmp

Filesize
620KB

Download
memory/2368-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2824-45-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2824-47-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2824-48-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2824-49-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing