urelas | de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44

General

Target

de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe
Size

783KB
MD5

e94236efe1e7dc275f86002ac3511d78
SHA1

ffeca79e40d2dec8e662fa5d44030037edbf4c62
SHA256

de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44
SHA512

a012039268b9208e5239703b3f709f5b236bf3130e3c40dab7cb09e41bc3ba71721fe5edf99dc4aa3f793e190b92fb85feb55a4f08a07ce9467031647c0e9fc1
SSDEEP

12288:YOlx4kk9HKda4YfM/1T3PPSnPI2VAWNDTJHq9DIMTW8c1v:YA4Ya1fQzPPSnPFqWtTJK9DIMTW88

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2012	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1344	dosuj.exe
1644	edgui.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe
1344	dosuj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dosuj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edgui.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe
1644	edgui.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1644	edgui.exe
Token: SeIncBasePriorityPrivilege	1644	edgui.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1344	2064	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe	31
PID 2064 wrote to memory of 1344	2064	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe	31
PID 2064 wrote to memory of 1344	2064	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe	31
PID 2064 wrote to memory of 1344	2064	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe	31
PID 2064 wrote to memory of 2012	2064	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe	32
PID 2064 wrote to memory of 2012	2064	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe	32
PID 2064 wrote to memory of 2012	2064	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe	32
PID 2064 wrote to memory of 2012	2064	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe	32
PID 1344 wrote to memory of 1644	1344	dosuj.exe	35
PID 1344 wrote to memory of 1644	1344	dosuj.exe	35
PID 1344 wrote to memory of 1644	1344	dosuj.exe	35
PID 1344 wrote to memory of 1644	1344	dosuj.exe	35

C:\Users\Admin\AppData\Local\Temp\de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe
"C:\Users\Admin\AppData\Local\Temp\de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\dosuj.exe
  "C:\Users\Admin\AppData\Local\Temp\dosuj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\edgui.exe
    "C:\Users\Admin\AppData\Local\Temp\edgui.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
46718bcd688f430148c9a02582c84ca1

SHA1
4a0afb5cfb1592b567b9085c21827c0a37e9aecf

SHA256
ddd6fa00bda162e622cce7711e42a2d98739b31b15dfd053c06caa16a4489a58

SHA512
b6d50e2ea9273fc2df71e8a6007ab40f8946581d9fde82b154aaf4cf4e9d5d52ce0c641a9d5f759c8a37419cb48f5346f274758f9936e648f18b58a78700773e

Download Submit
C:\Users\Admin\AppData\Local\Temp\edgui.exe

Filesize
156KB

MD5
a2ec7e8fce4e22c2d2116eda84c9af5c

SHA1
30d6046754877f0e2aae5883b8eb25032b344eec

SHA256
11b1c1e527b0c1a6c35f532d597a4ce74a4aa3064ea579f2c006301c5a202654

SHA512
0997b132cd2b29c751475cfaed9ec7df11cf3db6eb2d660ca3564bff99b38c8d05e424625f631b4c5a915f157c6835f9d7430f4e3eb5f1d60eddb8f406f36b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
576ccaec1e922e886a20c6b2b77844c1

SHA1
bfb74ab1adc8f357387b06aed6a97157f609bb03

SHA256
087a0d84811c298ed23afeef135b90e28d500907bbb51ada69f3736c836f1af2

SHA512
b0d891c8cc7a2909badb8848e5d42d862cbc34b57bb7b609bd67e183b866633b6498b31df9adb3f77d7c30cc6c4427f6e2eb1dc946485d24c040003a33f12fca

Download Submit
\Users\Admin\AppData\Local\Temp\dosuj.exe

Filesize
783KB

MD5
e6bf9c87657774f5f4997ec04c4fe483

SHA1
04fa8f519247c0bc97ceab890a8d8805501a7b78

SHA256
e6252ef90226869be6dd3c132ff029bacbb3daf2cca8d9688b2ac5d08dfca592

SHA512
1bf8305e11b10f7d013de56fde8c24d7bafb5012968a82241bc6b5edd5c4a55a338376b6450b0366ebdb59802737562ceabebbce1915000be81290520e0b8472

Download Submit
memory/1344-26-0x0000000003310000-0x000000000339F000-memory.dmp

Filesize
572KB

Download
memory/1344-20-0x0000000000E20000-0x0000000000EE9000-memory.dmp

Filesize
804KB

Download
memory/1344-28-0x0000000000E20000-0x0000000000EE9000-memory.dmp

Filesize
804KB

Download
memory/1644-29-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1644-31-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1644-32-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2064-17-0x0000000000FC0000-0x0000000001089000-memory.dmp

Filesize
804KB

Download
memory/2064-6-0x0000000002E40000-0x0000000002F09000-memory.dmp

Filesize
804KB

Download
memory/2064-0-0x0000000000FC0000-0x0000000001089000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing