urelas | 07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f

General

Target

07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe
Size

299KB
MD5

961734c10247ab1d4672d4956693ec99
SHA1

3651660af03d37f27af50e2b002cb614c0b619cd
SHA256

07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f
SHA512

7ff8d2bd5d75ea18697f11bd8e9bf80cddccf5bb9960e55caad550a680021445c08da1eac0550dbd285e7ec5e4d99084eeeb1dc5519dd4fe0bdd4c96030d53d3
SSDEEP

6144:kN43gKpDPeVvnAmZ64XMxvQ4x1OpGcm9VQl0lM/oJ4/gupXSz:Y4npK2y8zzkGHVqoq/gK8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2416	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2344	guqij.exe
1968	lyibz.exe

Loads dropped DLL 3 IoCs

pid	Process
2364	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe
2364	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe
2344	guqij.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guqij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lyibz.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe
1968	lyibz.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2364	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe
Token: SeIncBasePriorityPrivilege	2364	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe
Token: 33	2344	guqij.exe
Token: SeIncBasePriorityPrivilege	2344	guqij.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2344	2364	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe	31
PID 2364 wrote to memory of 2344	2364	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe	31
PID 2364 wrote to memory of 2344	2364	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe	31
PID 2364 wrote to memory of 2344	2364	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe	31
PID 2364 wrote to memory of 2416	2364	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe	32
PID 2364 wrote to memory of 2416	2364	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe	32
PID 2364 wrote to memory of 2416	2364	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe	32
PID 2364 wrote to memory of 2416	2364	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe	32
PID 2344 wrote to memory of 1968	2344	guqij.exe	35
PID 2344 wrote to memory of 1968	2344	guqij.exe	35
PID 2344 wrote to memory of 1968	2344	guqij.exe	35
PID 2344 wrote to memory of 1968	2344	guqij.exe	35

C:\Users\Admin\AppData\Local\Temp\07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe
"C:\Users\Admin\AppData\Local\Temp\07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\guqij.exe
  "C:\Users\Admin\AppData\Local\Temp\guqij.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\lyibz.exe
    "C:\Users\Admin\AppData\Local\Temp\lyibz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a769c58c8df0b8578bc4a342b6c7b57d

SHA1
e94d8dd0360677be5e733bfe6b91068497e7667d

SHA256
732e1de266dc8d88c72a29824dc47b0b10a2fa2dbf0d344085ce68a8bdeaf5ea

SHA512
a1e45babd45b375f22792eb50e60b0ea6d10ba5bd1605346dcdba3ff1d995fde8295d964064abb652d2e73f22a1ff5d656d02fb2fc470a12251333ea182c9d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
82e75c2b5f0c90a75d750807b9da4f63

SHA1
aa1880542cfde614b822349d1888c6cee7a01ced

SHA256
ac225140e26e20937a41688d13410270633b4d00ea6120e54637fb621d4f4b87

SHA512
4e5ca45744a704b6b432bb7647450a58b179139178adf799c89132f2f63efcec2533f8a7406ec5a8d5fb54d8510e57e562edec95ddd01575a94f5d12dd5f1ab5

Download Submit
\Users\Admin\AppData\Local\Temp\guqij.exe

Filesize
299KB

MD5
5851c702ac0657e60e44504f2b8372ed

SHA1
e5b1979fa7d659d087888e4c41c89d802182c151

SHA256
a0a4a269edf6a4d92560369e8f619e5d12913ed774684c24969da2f6a4fc1534

SHA512
fe410f84eee3040e1a0a1e0f12e43354c186d0e09fed3be89633c1eacee386962934e7e5b7dfce9e707c375be56f7fd4989f73c6b05591ee195d69ab89cbae4e

Download Submit
\Users\Admin\AppData\Local\Temp\lyibz.exe

Filesize
203KB

MD5
5d987e6ddb998d6580b4a92e7580c543

SHA1
bb85c1f8989886ba89c038329371b6911ea0ba0a

SHA256
a9492c401af3b30f4c130154c55a22006d43d918b37431dccd888f39adc9c1ce

SHA512
fdf488b83c807594e8c694548eb01c927ffb3cf54854b465eed38c6c0dcc7818ddba7824ccbf1d20c1df00e7be11514481a9705f712932e3eb8bb5a44af252d1

Download Submit
memory/1968-50-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1968-49-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1968-48-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1968-46-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2344-43-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2344-28-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2344-44-0x0000000003DC0000-0x0000000003E5F000-memory.dmp

Filesize
636KB

Download
memory/2344-22-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2344-24-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2364-25-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2364-12-0x0000000002680000-0x000000000271B000-memory.dmp

Filesize
620KB

Download
memory/2364-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2364-13-0x0000000002680000-0x000000000271B000-memory.dmp

Filesize
620KB

Download
memory/2364-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing