urelas | 46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5f

General

Target

46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe
Size

868KB
MD5

dcbea4764827be169cfbf2a872b2b580
SHA1

ace7f57494fd36fce25e6f35abcd9a666a1cabbb
SHA256

46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5f
SHA512

67ba26a42d71c4b43609348f6b35f5522964acc1202c2c8d2f63fd971479485966c1e9b1f0345ea3e917c67e3db7fc4cfb5bc3c98c06cae48c7b66dfdc6d0721
SSDEEP

12288:BO2QLxzVhdf+5utolnQux+GthLM2X4hVc+5Y+vWcg4RalJaCvHl0h9RMXlRkh:BaLza5uDugu/CIwLkJlH2h9a16h

Score

10^/10

urelas discovery trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ujhit.exe

Executes dropped EXE 2 IoCs

pid	Process
1620	ujhit.exe
1540	zelom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujhit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zelom.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe
1540	zelom.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	3412	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe
Token: SeIncBasePriorityPrivilege	3412	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe
Token: 33	1620	ujhit.exe
Token: SeIncBasePriorityPrivilege	1620	ujhit.exe
Token: 33	1540	zelom.exe
Token: SeIncBasePriorityPrivilege	1540	zelom.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 1620	3412	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe	85
PID 3412 wrote to memory of 1620	3412	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe	85
PID 3412 wrote to memory of 1620	3412	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe	85
PID 3412 wrote to memory of 4916	3412	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe	86
PID 3412 wrote to memory of 4916	3412	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe	86
PID 3412 wrote to memory of 4916	3412	46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe	86
PID 1620 wrote to memory of 1540	1620	ujhit.exe	107
PID 1620 wrote to memory of 1540	1620	ujhit.exe	107
PID 1620 wrote to memory of 1540	1620	ujhit.exe	107

C:\Users\Admin\AppData\Local\Temp\46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe
"C:\Users\Admin\AppData\Local\Temp\46ae96d38b8c780dd42854733a45b0c9c024e215b2c44d738b1b7b2861378c5fN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Local\Temp\ujhit.exe
  "C:\Users\Admin\AppData\Local\Temp\ujhit.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\zelom.exe
    "C:\Users\Admin\AppData\Local\Temp\zelom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
342B

MD5
63088fffb14ec849a7637127bf47dfd0

SHA1
2b4c42fe2cea53c1a1c397df280260c38a3888e9

SHA256
0aab6af0e1cdc6ffdbf8fcbb7b443798bcafe640778a40d8ee1c50c491b82b29

SHA512
46223f82e0ae788928d0bc67a3957f09f0636f85806551424717d80c2cda494e441ba904a6631f6915742e6b82e75e70e3d8cb74ee8cf402ffca05511566b460

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
be902b0ad885fb7293d850895714e6da

SHA1
165bf1a12b1dd75182f8d0c7babdf95eb0f41365

SHA256
2d6b62a55111b6f0687a208a016caa6e281339dfc2760546a1c04d48a100a286

SHA512
23fde8c52366be34e88d9471f161e46f8b0033c6e998f795dcdf90afa6111f16bc6178eee80186f367697e5b76d880d5d48b62a54e933a3cfbc1a8c1967107c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujhit.exe

Filesize
868KB

MD5
6bd10de67b57edc3b6fc3d3d0be3490e

SHA1
4b5ff2f629aa70338300bd96eace6ab0eb18ace3

SHA256
3f9d9ba89751691f7493bf6b269e389b54928bda1efd237408bfa42b6857261c

SHA512
b16e64564fdfb67c3fbb68b3bdefa881cb05fb6ab8433008675c94fd7fd88f901cd5b5df4e67356caaa0a52c52daf212de8c7b6752a712284b8e59f278677c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zelom.exe

Filesize
294KB

MD5
6419520988a2631cd5cf018f6f825e70

SHA1
ce01b06148f3587e6bc07bef940b9c292298c46d

SHA256
54c9c8d27f7e0da2b8eb46483d46b272257106a9ccbdca4f592a2497d5e455ba

SHA512
46f221d0020c8693b53daf3e537d0f76082a04fd2aa258eaedf29f3c3b9a1326af140671b78e64453ef4647eb28b16f3a07fc3f81cc1911b93344d61fe6e2414

Download Submit
memory/1540-46-0x0000000000250000-0x00000000002E3000-memory.dmp

Filesize
588KB

Download
memory/1540-45-0x0000000000250000-0x00000000002E3000-memory.dmp

Filesize
588KB

Download
memory/1540-39-0x0000000000250000-0x00000000002E3000-memory.dmp

Filesize
588KB

Download
memory/1540-43-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/1540-37-0x0000000000250000-0x00000000002E3000-memory.dmp

Filesize
588KB

Download
memory/1620-20-0x00000000008E0000-0x0000000000AB9000-memory.dmp

Filesize
1.8MB

Download
memory/1620-42-0x00000000008E0000-0x0000000000AB9000-memory.dmp

Filesize
1.8MB

Download
memory/1620-14-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1620-10-0x00000000008E0000-0x0000000000AB9000-memory.dmp

Filesize
1.8MB

Download
memory/3412-0-0x0000000000D80000-0x0000000000F59000-memory.dmp

Filesize
1.8MB

Download
memory/3412-17-0x0000000000D80000-0x0000000000F59000-memory.dmp

Filesize
1.8MB

Download
memory/3412-1-0x0000000001450000-0x0000000001451000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing