urelas | 07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f

General

Target

07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe
Size

299KB
MD5

961734c10247ab1d4672d4956693ec99
SHA1

3651660af03d37f27af50e2b002cb614c0b619cd
SHA256

07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f
SHA512

7ff8d2bd5d75ea18697f11bd8e9bf80cddccf5bb9960e55caad550a680021445c08da1eac0550dbd285e7ec5e4d99084eeeb1dc5519dd4fe0bdd4c96030d53d3
SSDEEP

6144:kN43gKpDPeVvnAmZ64XMxvQ4x1OpGcm9VQl0lM/oJ4/gupXSz:Y4npK2y8zzkGHVqoq/gK8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	oqqef.exe

Executes dropped EXE 2 IoCs

pid	Process
2980	oqqef.exe
2696	geojx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oqqef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geojx.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe
2696	geojx.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	556	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe
Token: SeIncBasePriorityPrivilege	556	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe
Token: 33	2980	oqqef.exe
Token: SeIncBasePriorityPrivilege	2980	oqqef.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 2980	556	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe	85
PID 556 wrote to memory of 2980	556	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe	85
PID 556 wrote to memory of 2980	556	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe	85
PID 556 wrote to memory of 3380	556	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe	86
PID 556 wrote to memory of 3380	556	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe	86
PID 556 wrote to memory of 3380	556	07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe	86
PID 2980 wrote to memory of 2696	2980	oqqef.exe	102
PID 2980 wrote to memory of 2696	2980	oqqef.exe	102
PID 2980 wrote to memory of 2696	2980	oqqef.exe	102

C:\Users\Admin\AppData\Local\Temp\07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe
"C:\Users\Admin\AppData\Local\Temp\07a7f7132bb4f75c48b174119c2be06ff590bd686680f0245900a9adc001a60f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556
- C:\Users\Admin\AppData\Local\Temp\oqqef.exe
  "C:\Users\Admin\AppData\Local\Temp\oqqef.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\geojx.exe
    "C:\Users\Admin\AppData\Local\Temp\geojx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a769c58c8df0b8578bc4a342b6c7b57d

SHA1
e94d8dd0360677be5e733bfe6b91068497e7667d

SHA256
732e1de266dc8d88c72a29824dc47b0b10a2fa2dbf0d344085ce68a8bdeaf5ea

SHA512
a1e45babd45b375f22792eb50e60b0ea6d10ba5bd1605346dcdba3ff1d995fde8295d964064abb652d2e73f22a1ff5d656d02fb2fc470a12251333ea182c9d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\geojx.exe

Filesize
203KB

MD5
5c7bb0b74e35b679143242c5ca90edb9

SHA1
0ad763798151adb7e77e87c26b4ae81e425a7939

SHA256
4782199a7cf51b05a9ffd28996cdb391f18e3ea51728f968378594a86cc01170

SHA512
8a8f674e155d1a6c8a1582cdf797618dd7477b44f6b9f9685d2686381453a10cb380f64d47f6b6b6b86a2d5757983b707d90f68e0c54d25a733fd97dcb50088e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0c2ffdb30fc7e8b9f41f0801ca8a8b9f

SHA1
d5ac5697e59dfcbf7288576b83f146555c2224ad

SHA256
f4edd009eeba6ac81cd2413c8c95e9aa7fea6db914fbd5cab945aa258ad72c99

SHA512
48d97143a157a7315913daa79094f3c8946003c3391e6c8e13df931049609a47af1e1da513e9cd4a4d6eb5ed66c8990af8fade04d549c8e7059619cb96899d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqqef.exe

Filesize
299KB

MD5
2cdd9673350a6f40d9fe85b92547e892

SHA1
ae2f78f78538d40a3face9a088301be471261d37

SHA256
293e691ceda329b331e43d7fa4a8e1403dde13a7d2bcbe8426eac9f7ee8c3cce

SHA512
490feb3d0aa96e7b1b8fbd26ce6dc6181dcb4a215b3f77db755f0d960a92174273658e7922403b9be38036fed23c462ace08992998468032764c2cdfffd5d538

Download Submit
memory/556-1-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/556-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/556-16-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2696-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2696-37-0x0000000000492000-0x0000000000493000-memory.dmp

Filesize
4KB

Download
memory/2696-41-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2696-42-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2696-43-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2980-19-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2980-13-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2980-39-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing