urelas | 9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188

General

Target

9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe
Size

298KB
MD5

c67a987ab822839bc87ad45a05a02c5c
SHA1

7c28f3f391e504d0ff3c181cdcc7a01e93d566b6
SHA256

9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188
SHA512

f8f4a06efa8f0d3353a6ca716a8e75cc63d7971915a6b59312b2214cdd7cdb5e1b1320dae5cf7701a065de961d111d550bcdfbdc1dd8a81ffc284e161fc65e79
SSDEEP

6144:kN43gKpDPeVvnAmZ64XMxvQ4x1OpGcm9VQl0lM/oJ4/gupXS7:Y4npK2y8zzkGHVqoq/gKU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2144	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2500	puwyy.exe
2788	lebeb.exe

Loads dropped DLL 3 IoCs

pid	Process
1852	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe
1852	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe
2500	puwyy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puwyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lebeb.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe
2788	lebeb.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1852	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe
Token: SeIncBasePriorityPrivilege	1852	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe
Token: 33	2500	puwyy.exe
Token: SeIncBasePriorityPrivilege	2500	puwyy.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2500	1852	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	31
PID 1852 wrote to memory of 2500	1852	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	31
PID 1852 wrote to memory of 2500	1852	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	31
PID 1852 wrote to memory of 2500	1852	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	31
PID 1852 wrote to memory of 2144	1852	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	32
PID 1852 wrote to memory of 2144	1852	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	32
PID 1852 wrote to memory of 2144	1852	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	32
PID 1852 wrote to memory of 2144	1852	9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe	32
PID 2500 wrote to memory of 2788	2500	puwyy.exe	35
PID 2500 wrote to memory of 2788	2500	puwyy.exe	35
PID 2500 wrote to memory of 2788	2500	puwyy.exe	35
PID 2500 wrote to memory of 2788	2500	puwyy.exe	35

C:\Users\Admin\AppData\Local\Temp\9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe
"C:\Users\Admin\AppData\Local\Temp\9a78d87bc5cb2fbb2aeceba7681b58f6dbfd1eb1df6ecb40c073d1993b643188.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\puwyy.exe
  "C:\Users\Admin\AppData\Local\Temp\puwyy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\lebeb.exe
    "C:\Users\Admin\AppData\Local\Temp\lebeb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
39098ca9359155e9d3ad9ac51cc6a2aa

SHA1
9dbfc360fe7ee82f19bd2630305db83c0784392e

SHA256
37ed72b787227ade5095f592ddb503e1409cc6a194e95ec7b070ce24b10467f1

SHA512
4e38255b68f06de799a034b39c900d3d35d82778bb8b6b8311fc006820556ec610cd8546ffe2e75ccad5d5effcaa6d84009b68f919a40b4c84ac5e2c5f940e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
da5f9760f3e14774a6bf4e410791e2d1

SHA1
483f2a6e9cdcbf0e11d764902e487971b131b422

SHA256
2bbdff724d0f9f408b0ed9e330a5ebbaa0d2016910f38f31e1f7e71e81b6c621

SHA512
b6b87952c2626f7ea66a7094b85406087654fb9f839c81b374ed9e02991c0a97b041226ee4192a554667fd26e7f43f68dbc4cee2857dd26c8d0df754efcffa92

Download Submit
\Users\Admin\AppData\Local\Temp\lebeb.exe

Filesize
203KB

MD5
9fa29042bb44f10fb1c6d7fa7f6ff413

SHA1
1334232705d56b3997fea5334f2c3ac2dcf9f24d

SHA256
9e280eed5542ec6bb6e6c4ae64556831daee42eb07e552ad1a7b25d4af5d9472

SHA512
c533a2a4f79891544281f1793449c3df6d8fe2a970ab2b22b36331b57015495868ade8cb1e1979f03f8e51fc418ba3ee8fbdd8a27fc29ffb7e4c7e57c4dde918

Download Submit
\Users\Admin\AppData\Local\Temp\puwyy.exe

Filesize
298KB

MD5
77b8bd303af9ec8cbfbe14a5a75265d8

SHA1
7d9f699ae216c6de48aca80abe9dfc98dc446538

SHA256
19fce4355a61a818e083cbd35b17b920f4557bf8f67adcebe52b53daa145e280

SHA512
f2a605ba5dbbf72f5b49d01b7fb6414d1380bfcd4810a35a39c4089c0367aa8be50d9fc77460ee0e338e5d81d2131593535c2930f701478253b287d80b78462c

Download Submit
memory/1852-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1852-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1852-12-0x0000000002030000-0x00000000020CB000-memory.dmp

Filesize
620KB

Download
memory/1852-22-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2500-25-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2500-14-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2500-38-0x0000000003D10000-0x0000000003DAF000-memory.dmp

Filesize
636KB

Download
memory/2500-41-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2788-43-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2788-45-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2788-46-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2788-47-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing