urelas | 72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c

General

Target

72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe
Size

298KB
MD5

ecee80a6ccffbce36de0d4a2f085e87f
SHA1

64db498370b7e02d14a949470876b0469dac893b
SHA256

72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c
SHA512

41c1cdc9104ff4cf42ccb9aeba28cf16d873d4b9ac338491177b4f44b427cf4a342a4f97c57223ec38139b34b3bcf1bae2f7a0ed9858379909d2a0bac48c97c0
SSDEEP

6144:kN43gKpDPeVvnAmZ64XMxvQ4x1OpGcm9VQl0lM/oJ4/gupXSE:Y4npK2y8zzkGHVqoq/gKl

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ifpux.exe

Executes dropped EXE 2 IoCs

pid	Process
2288	ifpux.exe
3620	amvuy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ifpux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amvuy.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe
3620	amvuy.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1980	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe
Token: SeIncBasePriorityPrivilege	1980	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe
Token: 33	2288	ifpux.exe
Token: SeIncBasePriorityPrivilege	2288	ifpux.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2288	1980	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe	82
PID 1980 wrote to memory of 2288	1980	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe	82
PID 1980 wrote to memory of 2288	1980	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe	82
PID 1980 wrote to memory of 5040	1980	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe	83
PID 1980 wrote to memory of 5040	1980	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe	83
PID 1980 wrote to memory of 5040	1980	72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe	83
PID 2288 wrote to memory of 3620	2288	ifpux.exe	94
PID 2288 wrote to memory of 3620	2288	ifpux.exe	94
PID 2288 wrote to memory of 3620	2288	ifpux.exe	94

C:\Users\Admin\AppData\Local\Temp\72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe
"C:\Users\Admin\AppData\Local\Temp\72244b75c47cffbbf7fd85671be3f96de4307aae1e526e60bb9a6e0c5eaf256c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\ifpux.exe
  "C:\Users\Admin\AppData\Local\Temp\ifpux.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\amvuy.exe
    "C:\Users\Admin\AppData\Local\Temp\amvuy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
fd2b617bbd521f39231c979e7d3d2cf0

SHA1
29671ec5d830c890958801739053e04a0661765d

SHA256
acc974feb85e7bbaa424b23ade4d23475d2a6e4f7b3faaa1f6e54a81d7049aee

SHA512
c885f397ab1e5bd7bd3b895e719464fe0dc63c08bf3e1555c5a8d2e94658c81395123a1093b38e324e4f37edb72a84ef7f294ebe9b84ae36536f30ff3caaa9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\amvuy.exe

Filesize
203KB

MD5
07b2a1dca86d26dd83d2a4462c5c10e6

SHA1
53d10213560ca4377c9b34be82fc6d8703b269f7

SHA256
cb7124374e102544626102076b66472a70ad0e47d3585dbb976db0c1c2b4a792

SHA512
78d49c1e82a4fdb6e06a86a8d4208540dda4399c2a625ad0bbff38453f89742741b714a674a7969769f70f081630dc6fc54f85efa0adf4c2817dfc65208f468c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
80e3bc188a1eb805517fbbc7fa71f68d

SHA1
ca1af1dc2111050d209be9b70d0cb2bcd9c61b3c

SHA256
5d8bbe4fe7d2991b3f9e7cdfc5420c6212bdf023c0f87286f9b825e0de2b0a18

SHA512
df88b5b984a30c1c48aca00eeb67a00b3faa33f1277ec7dc3dcd7095fa19ab768b3b1b506f8d9385c34968f60046c7c0a673ea11a424ec80ddcd34917138fbd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifpux.exe

Filesize
298KB

MD5
2c269dcd1f38c0eea73ff18421d405e6

SHA1
763a491ac5163b3038e33879f555c2b99fd1f0a7

SHA256
36250f6118d9c77360662c5bdb5109cb8ff5f471135e29c5ec79e76d59a71b08

SHA512
a4150f9831f855dfd8e5ce74523ecc7f4969959be6694d4b0f7015a445ce2625293f9a08d6eab8ee9271bc021dea79ae542ebb9bb5335865e10b23f015a9a7b4

Download Submit
memory/1980-1-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/1980-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1980-16-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2288-13-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2288-19-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2288-38-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3620-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3620-39-0x0000000000492000-0x0000000000493000-memory.dmp

Filesize
4KB

Download
memory/3620-41-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3620-42-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3620-43-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing