urelas | 46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5f

General

Target

46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe
Size

868KB
MD5

dcbea4764827be169cfbf2a872b2b580
SHA1

ace7f57494fd36fce25e6f35abcd9a666a1cabbb
SHA256

46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5f
SHA512

67ba26a42d71c4b43609348f6b35f5522964acc1202c2c8d2f63fd971479485966c1e9b1f0345ea3e917c67e3db7fc4cfb5bc3c98c06cae48c7b66dfdc6d0721
SSDEEP

12288:BO2QLxzVhdf+5utolnQux+GthLM2X4hVc+5Y+vWcg4RalJaCvHl0h9RMXlRkh:BaLza5uDugu/CIwLkJlH2h9a16h

Score

10^/10

urelas discovery trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2948	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2524	gugup.exe
2260	wesan.exe

Loads dropped DLL 2 IoCs

pid	Process
2272	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe
2524	gugup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wesan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gugup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe
2260	wesan.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2272	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe
Token: SeIncBasePriorityPrivilege	2272	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe
Token: 33	2524	gugup.exe
Token: SeIncBasePriorityPrivilege	2524	gugup.exe
Token: 33	2260	wesan.exe
Token: SeIncBasePriorityPrivilege	2260	wesan.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2524	2272	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe	30
PID 2272 wrote to memory of 2524	2272	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe	30
PID 2272 wrote to memory of 2524	2272	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe	30
PID 2272 wrote to memory of 2524	2272	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe	30
PID 2272 wrote to memory of 2948	2272	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe	31
PID 2272 wrote to memory of 2948	2272	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe	31
PID 2272 wrote to memory of 2948	2272	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe	31
PID 2272 wrote to memory of 2948	2272	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe	31
PID 2524 wrote to memory of 2260	2524	gugup.exe	34
PID 2524 wrote to memory of 2260	2524	gugup.exe	34
PID 2524 wrote to memory of 2260	2524	gugup.exe	34
PID 2524 wrote to memory of 2260	2524	gugup.exe	34

C:\Users\Admin\AppData\Local\Temp\46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe
"C:\Users\Admin\AppData\Local\Temp\46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\gugup.exe
  "C:\Users\Admin\AppData\Local\Temp\gugup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\wesan.exe
    "C:\Users\Admin\AppData\Local\Temp\wesan.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
342B

MD5
63088fffb14ec849a7637127bf47dfd0

SHA1
2b4c42fe2cea53c1a1c397df280260c38a3888e9

SHA256
0aab6af0e1cdc6ffdbf8fcbb7b443798bcafe640778a40d8ee1c50c491b82b29

SHA512
46223f82e0ae788928d0bc67a3957f09f0636f85806551424717d80c2cda494e441ba904a6631f6915742e6b82e75e70e3d8cb74ee8cf402ffca05511566b460

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ea125d87f2227883af714d61fab8c778

SHA1
261a3eab3a0c4c2ff99f38d95fbbcadb0c39078d

SHA256
4c17f8bb5fd87d8b2929326523ab3fa4636de7037b1250555acee482116f64d5

SHA512
0071df451e950537bfdf02daebd79c9db25d1cf2e5ac716785096b504932d5226894b4c12cfb57a7f352a75c7950e12f18c29944e075edf9c66026e6dcc69589

Download Submit
\Users\Admin\AppData\Local\Temp\gugup.exe

Filesize
868KB

MD5
3f8a1e1e55f4c8d0162d10cb5d85a325

SHA1
cf28b6bb48a567c148055d65eaa704c49300b584

SHA256
f2661633eae99edc6051f33c48c168723c11826cc0e231dfefc5570837ed550f

SHA512
8f50c0a02c6f0bbf1488ac56bb714c967fd917d5a70ec79cfd2f2c021b6e4a0c7ed57688ea3f0a4b516187a2e5129207a888903e44e0717b6d492989b3b0b935

Download Submit
\Users\Admin\AppData\Local\Temp\wesan.exe

Filesize
294KB

MD5
069d53f63e83eeb0f77c65715cb8bbe7

SHA1
ab0cea0986620c30f0a16f100e7ca2f3c93906a9

SHA256
e2dc3708f103aac3b6874d97b9c1d3b3488579d4ad84f7e08129268dac9a2c9b

SHA512
9c3b0c2ac8ddc9aa449d26f9d801475884295eee2ed6064b5431c169030a6359ad2e85b0f63c56eef79baa6d708a476ffa19a013bb3caf588ca73d11649f1a7a

Download Submit
memory/2260-41-0x0000000000210000-0x00000000002A3000-memory.dmp

Filesize
588KB

Download
memory/2260-48-0x0000000000210000-0x00000000002A3000-memory.dmp

Filesize
588KB

Download
memory/2260-47-0x0000000000210000-0x00000000002A3000-memory.dmp

Filesize
588KB

Download
memory/2260-45-0x0000000000210000-0x00000000002A3000-memory.dmp

Filesize
588KB

Download
memory/2272-0-0x0000000000930000-0x0000000000B09000-memory.dmp

Filesize
1.8MB

Download
memory/2272-9-0x0000000003480000-0x0000000003659000-memory.dmp

Filesize
1.8MB

Download
memory/2272-1-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2272-19-0x0000000000930000-0x0000000000B09000-memory.dmp

Filesize
1.8MB

Download
memory/2524-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2524-44-0x0000000001200000-0x00000000013D9000-memory.dmp

Filesize
1.8MB

Download
memory/2524-37-0x0000000003110000-0x00000000031A3000-memory.dmp

Filesize
588KB

Download
memory/2524-24-0x0000000001200000-0x00000000013D9000-memory.dmp

Filesize
1.8MB

Download
memory/2524-20-0x0000000001200000-0x00000000013D9000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing