urelas | c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4

General

Target

c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe
Size

868KB
MD5

e114ad9017c59a2e93648082880950ea
SHA1

009b0747726a454101fec16dbbaaa840a9e454c7
SHA256

c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4
SHA512

bc304bf8ec18f84062e31e5d1cf6108c1ae7c1fbab71ff8309d24bc0d4f0852da95a93a07f498ddfef91933f4ca1aa5c06ef1c20fb48dc0e4fd5a46e7cf1abb3
SSDEEP

12288:BO2QLxzVhdf+5utolnQux+GthLM2X4hVc+5Y+vWcg4RalJaCvHl0h9RMXlRkb:BaLza5uDugu/CIwLkJlH2h9a16b

Score

10^/10

urelas discovery trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2460	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
544	apcul.exe
2392	mipox.exe

Loads dropped DLL 2 IoCs

pid	Process
2992	c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe
544	apcul.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apcul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mipox.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe
2392	mipox.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2992	c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe
Token: SeIncBasePriorityPrivilege	2992	c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe
Token: 33	544	apcul.exe
Token: SeIncBasePriorityPrivilege	544	apcul.exe
Token: 33	2392	mipox.exe
Token: SeIncBasePriorityPrivilege	2392	mipox.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 544	2992	c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe	30
PID 2992 wrote to memory of 544	2992	c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe	30
PID 2992 wrote to memory of 544	2992	c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe	30
PID 2992 wrote to memory of 544	2992	c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe	30
PID 2992 wrote to memory of 2460	2992	c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe	31
PID 2992 wrote to memory of 2460	2992	c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe	31
PID 2992 wrote to memory of 2460	2992	c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe	31
PID 2992 wrote to memory of 2460	2992	c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe	31
PID 544 wrote to memory of 2392	544	apcul.exe	34
PID 544 wrote to memory of 2392	544	apcul.exe	34
PID 544 wrote to memory of 2392	544	apcul.exe	34
PID 544 wrote to memory of 2392	544	apcul.exe	34

C:\Users\Admin\AppData\Local\Temp\c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe
"C:\Users\Admin\AppData\Local\Temp\c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\apcul.exe
  "C:\Users\Admin\AppData\Local\Temp\apcul.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Users\Admin\AppData\Local\Temp\mipox.exe
    "C:\Users\Admin\AppData\Local\Temp\mipox.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
3d19ac93e1427854771f41ffc2c87036

SHA1
7d3f061bb9608e83c0e3e201d7ea2b1d68e0a81b

SHA256
ba69b131b863c2b2dee0f7d022020aa0715d53f69e671e2392c10c92f085623e

SHA512
c3a0b301122d7d602f83d4581891c4a1cf1fac965f5fe67eff7ef7d85e64d92c75a00ee60cd7e80ced0e66e138f98a0bcc092659d5afbdfbed2bf252d1ce0102

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ecaedc811c74811a7d94eb21bcd55271

SHA1
51eb1fe62b38b4d921d3bca10e9510075b6af84b

SHA256
cd877bca475e76b68615b2090a61299bfe5e14b20a16ee878cb850cd615d2e3e

SHA512
378c86fc4e42438cfaa36d740ae98eaa775ab6807907e56800759b924f3e2459617c979ac5cae887b254faba2f54c39b138b9fbad83582a3cc1599046ff26e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\mipox.exe

Filesize
294KB

MD5
bc41a7f6c3cf326c5bba41439352f083

SHA1
3d07620f959ef1c7898a5dae72c0d1faed17752c

SHA256
ed7f37a375c617d19e7d06086a0f7e4c590bcde500cfb885dfb24eb4e5c53346

SHA512
b3dfeb6848128f42a6154c9ae500a774d62994905d3a1fe4b4efabd49ff03c59ca4f018c7ff985099b4172edfb8bec4b5ebe2c81df4bfa44970430a189fe3cda

Download Submit
\Users\Admin\AppData\Local\Temp\apcul.exe

Filesize
868KB

MD5
c6c9b546933af7dc2013038347635d7d

SHA1
1c62a44e8294b39e9d2e2d1dd3f3d33ada7497a9

SHA256
d384f27b4431ba8fd1cecaa982a03c6db662abb7f38997bd2f7938b1b3cf0b9f

SHA512
55ad20f171f4e9a9d34c8cb3c8ad2ec5b41ab72f508fef46373c0f92a9f4c6ed29981cc693e10297e4b5cf4fc1e0b14e999aef666548905b6514a58b1e69cdfb

Download Submit
memory/544-24-0x0000000000850000-0x0000000000A29000-memory.dmp

Filesize
1.8MB

Download
memory/544-43-0x0000000000850000-0x0000000000A29000-memory.dmp

Filesize
1.8MB

Download
memory/544-44-0x0000000003960000-0x00000000039F3000-memory.dmp

Filesize
588KB

Download
memory/544-19-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/544-18-0x0000000000850000-0x0000000000A29000-memory.dmp

Filesize
1.8MB

Download
memory/2392-45-0x0000000000A90000-0x0000000000B23000-memory.dmp

Filesize
588KB

Download
memory/2392-40-0x0000000000A90000-0x0000000000B23000-memory.dmp

Filesize
588KB

Download
memory/2392-47-0x0000000000A90000-0x0000000000B23000-memory.dmp

Filesize
588KB

Download
memory/2392-48-0x0000000000A90000-0x0000000000B23000-memory.dmp

Filesize
588KB

Download
memory/2992-21-0x0000000000830000-0x0000000000A09000-memory.dmp

Filesize
1.8MB

Download
memory/2992-0-0x0000000000830000-0x0000000000A09000-memory.dmp

Filesize
1.8MB

Download
memory/2992-9-0x00000000030B0000-0x0000000003289000-memory.dmp

Filesize
1.8MB

Download
memory/2992-1-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing