urelas | 9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1de

General

Target

9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe
Size

290KB
MD5

b1c6e6432ed4e567ad172e3bca531b80
SHA1

3d851436b46036ebd5c5cc094dc4d910c1ddff38
SHA256

9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1de
SHA512

95e5aed3a67352d35cc4a270bd5f94a1aa49996796160d5ad425028d064b38e85755d46515560aead79c0e3ab8c0ef46269cf6109062d0c735a651b6190561bb
SSDEEP

6144:kN43gKpDPeVvnAmZ64XMxvQ4x1OpGcm9VQl0lM/oJ4/gupw:Y4npK2y8zzkGHVqoq/gL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1904	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1216	coisx.exe
2088	mujea.exe

Loads dropped DLL 3 IoCs

pid	Process
1680	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe
1680	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe
1216	coisx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coisx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mujea.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe
2088	mujea.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1680	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe
Token: SeIncBasePriorityPrivilege	1680	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe
Token: 33	1216	coisx.exe
Token: SeIncBasePriorityPrivilege	1216	coisx.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1216	1680	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe	30
PID 1680 wrote to memory of 1216	1680	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe	30
PID 1680 wrote to memory of 1216	1680	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe	30
PID 1680 wrote to memory of 1216	1680	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe	30
PID 1680 wrote to memory of 1904	1680	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe	31
PID 1680 wrote to memory of 1904	1680	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe	31
PID 1680 wrote to memory of 1904	1680	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe	31
PID 1680 wrote to memory of 1904	1680	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe	31
PID 1216 wrote to memory of 2088	1216	coisx.exe	34
PID 1216 wrote to memory of 2088	1216	coisx.exe	34
PID 1216 wrote to memory of 2088	1216	coisx.exe	34
PID 1216 wrote to memory of 2088	1216	coisx.exe	34

C:\Users\Admin\AppData\Local\Temp\9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe
"C:\Users\Admin\AppData\Local\Temp\9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\coisx.exe
  "C:\Users\Admin\AppData\Local\Temp\coisx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\mujea.exe
    "C:\Users\Admin\AppData\Local\Temp\mujea.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
85cf157bf270207d916c41083f7d049a

SHA1
b769fc93a7c2507e85a05b98274ae289a2be6f6c

SHA256
8586db8e45a3e53125f6cf2f98009cc2a96fa3113c2d1351d873bc7d5f9c6de7

SHA512
c330076c8e35bf1627bc3ec894d0f6a3daf345c15ad7519dcef6e1501423b7166b0d6b0f988ccba894c9154a032a41fc425fa4fe79719e9875308fed294541e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
deca72cc995877b61750acdc045673c3

SHA1
b62d08b9ae609cb3f57cf298cd5b8a82a761f127

SHA256
dfd7043156ca22cc997bc6276c884129e8a9f6bffc2b0aef0dce1390e1ba3ee0

SHA512
7084d1dc7c57add139166b4d72672cc67a8b84e6a5b544c20f9d2dcd4e5c0d01ab82da6f40c8cf74380507b7fba75dd6d0ae3806db6e786fee80e8a023fca8fa

Download Submit
\Users\Admin\AppData\Local\Temp\coisx.exe

Filesize
290KB

MD5
7e10a582e3643ccc54ca35e1b4b73d75

SHA1
5ecfc91c9007746ad7c326c9c73c53381c21882c

SHA256
b02f04f5ff166893a2692560ab66cd52063b1fe0d44f8c407d15bf8abb2e8b93

SHA512
50585ce9c7104072ccf58eb7e7f908cf9fed0349c3dde7fb478f7191999c4ddcf1d86175c47db09ad4d880fce74845991430eacf7f83e21d811bb838e35d9c48

Download Submit
\Users\Admin\AppData\Local\Temp\mujea.exe

Filesize
203KB

MD5
118d3c888a0c0cd18d427edd3eef584b

SHA1
5c4a768fab1dee57310d36dacbdead2536d9fc9f

SHA256
d322f47580a637d8b4a2175337789dabd2a117e87a2a8e373998eb40006bcd3f

SHA512
4b7a134250e2da15f20e8e12bc1c45d46627cfe4f161d8aa8de45ef0d180bfd11e3c7ae983984d1cc0a6d6abd4578d7d03ba185fdffc63841ef64101b5efbc73

Download Submit
memory/1216-22-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1216-21-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1216-27-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1216-43-0x0000000003C10000-0x0000000003CAF000-memory.dmp

Filesize
636KB

Download
memory/1216-42-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1680-12-0x0000000002000000-0x000000000209B000-memory.dmp

Filesize
620KB

Download
memory/1680-24-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1680-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1680-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2088-45-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2088-48-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2088-47-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2088-49-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing