urelas | 9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1de

General

Target

9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe
Size

290KB
MD5

b1c6e6432ed4e567ad172e3bca531b80
SHA1

3d851436b46036ebd5c5cc094dc4d910c1ddff38
SHA256

9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1de
SHA512

95e5aed3a67352d35cc4a270bd5f94a1aa49996796160d5ad425028d064b38e85755d46515560aead79c0e3ab8c0ef46269cf6109062d0c735a651b6190561bb
SSDEEP

6144:kN43gKpDPeVvnAmZ64XMxvQ4x1OpGcm9VQl0lM/oJ4/gupw:Y4npK2y8zzkGHVqoq/gL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	xiruc.exe

Executes dropped EXE 2 IoCs

pid	Process
4424	xiruc.exe
3080	quxez.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quxez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xiruc.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe
3080	quxez.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	3672	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe
Token: SeIncBasePriorityPrivilege	3672	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe
Token: 33	4424	xiruc.exe
Token: SeIncBasePriorityPrivilege	4424	xiruc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4424	3672	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe	83
PID 3672 wrote to memory of 4424	3672	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe	83
PID 3672 wrote to memory of 4424	3672	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe	83
PID 3672 wrote to memory of 1448	3672	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe	84
PID 3672 wrote to memory of 1448	3672	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe	84
PID 3672 wrote to memory of 1448	3672	9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe	84
PID 4424 wrote to memory of 3080	4424	xiruc.exe	103
PID 4424 wrote to memory of 3080	4424	xiruc.exe	103
PID 4424 wrote to memory of 3080	4424	xiruc.exe	103

C:\Users\Admin\AppData\Local\Temp\9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe
"C:\Users\Admin\AppData\Local\Temp\9017e591dc02f900a3a792c66dc2ba81bcbff66556db76a5f9de837e42e3c1deN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Local\Temp\xiruc.exe
  "C:\Users\Admin\AppData\Local\Temp\xiruc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Users\Admin\AppData\Local\Temp\quxez.exe
    "C:\Users\Admin\AppData\Local\Temp\quxez.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
85cf157bf270207d916c41083f7d049a

SHA1
b769fc93a7c2507e85a05b98274ae289a2be6f6c

SHA256
8586db8e45a3e53125f6cf2f98009cc2a96fa3113c2d1351d873bc7d5f9c6de7

SHA512
c330076c8e35bf1627bc3ec894d0f6a3daf345c15ad7519dcef6e1501423b7166b0d6b0f988ccba894c9154a032a41fc425fa4fe79719e9875308fed294541e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6d32e875e9f37e421a9dc263d2e8d6a1

SHA1
e17b0dccbb36f8d8ffdcf5b88e7ec6083933face

SHA256
4ae26dc0aee3662adaeb106032089e06d2764c34f3780c367be558ba7aa7aae5

SHA512
d1ac27e70163a864014dd7948899ea0323e4172b825b04c7e44b77a83e03813dfb96e2e83b24e564ed2d518db981515cbd3cdd6f207b5b4200f09c20dac94920

Download Submit
C:\Users\Admin\AppData\Local\Temp\quxez.exe

Filesize
203KB

MD5
7ee97298abfc282b2a139492c99c8ee7

SHA1
c907a2fc65ce8512c6582cb464eead541bc8d570

SHA256
6855a97e6a80f6e784fddf7cdce89f20eca0664df097f686ae1905329e675320

SHA512
2ebc9fcb764a393a76a93bc80bb8d01012ae3f220e739c6823ec48d7a7cfe59872d55e34fa46f1f9ae9cf71a78e0c2cef5a6bf0f006cce5640a219ed2a39fd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\xiruc.exe

Filesize
290KB

MD5
d5db2127c81cec115322a1f105736705

SHA1
57b742aa0d66efedcfbcda9203886f48ecc31140

SHA256
4c15deba89768655df5068b6fd13159e45ce552e6e6baa099471fc4bc400c74a

SHA512
5cb6c32e2c4a0d084e24cb7b40371aa1113ef642b9a8b81be9b72d234628d27ab1423c21c3f681c5a94eb078baa1b85c4cd9f70071b067da2a1ee7b93d29319e

Download Submit
memory/3080-45-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3080-43-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3080-42-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3080-37-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3080-44-0x0000000000492000-0x0000000000493000-memory.dmp

Filesize
4KB

Download
memory/3080-40-0x0000000000492000-0x0000000000493000-memory.dmp

Filesize
4KB

Download
memory/3672-16-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3672-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3672-1-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/4424-14-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4424-39-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4424-20-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4424-19-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing