urelas | de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44

General

Target

de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe
Size

783KB
MD5

e94236efe1e7dc275f86002ac3511d78
SHA1

ffeca79e40d2dec8e662fa5d44030037edbf4c62
SHA256

de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44
SHA512

a012039268b9208e5239703b3f709f5b236bf3130e3c40dab7cb09e41bc3ba71721fe5edf99dc4aa3f793e190b92fb85feb55a4f08a07ce9467031647c0e9fc1
SSDEEP

12288:YOlx4kk9HKda4YfM/1T3PPSnPI2VAWNDTJHq9DIMTW8c1v:YA4Ya1fQzPPSnPFqWtTJK9DIMTW88

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	cicuo.exe

Executes dropped EXE 2 IoCs

pid	Process
3952	cicuo.exe
4360	yqdor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqdor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cicuo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe
4360	yqdor.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4360	yqdor.exe
Token: SeIncBasePriorityPrivilege	4360	yqdor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 3952	3588	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe	83
PID 3588 wrote to memory of 3952	3588	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe	83
PID 3588 wrote to memory of 3952	3588	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe	83
PID 3588 wrote to memory of 2624	3588	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe	84
PID 3588 wrote to memory of 2624	3588	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe	84
PID 3588 wrote to memory of 2624	3588	de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe	84
PID 3952 wrote to memory of 4360	3952	cicuo.exe	103
PID 3952 wrote to memory of 4360	3952	cicuo.exe	103
PID 3952 wrote to memory of 4360	3952	cicuo.exe	103

C:\Users\Admin\AppData\Local\Temp\de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe
"C:\Users\Admin\AppData\Local\Temp\de0485a67a9ed8ee5692cc76fe8deca22536ac1171715a54b1eca61b59ba6c44.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Local\Temp\cicuo.exe
  "C:\Users\Admin\AppData\Local\Temp\cicuo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\yqdor.exe
    "C:\Users\Admin\AppData\Local\Temp\yqdor.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
46718bcd688f430148c9a02582c84ca1

SHA1
4a0afb5cfb1592b567b9085c21827c0a37e9aecf

SHA256
ddd6fa00bda162e622cce7711e42a2d98739b31b15dfd053c06caa16a4489a58

SHA512
b6d50e2ea9273fc2df71e8a6007ab40f8946581d9fde82b154aaf4cf4e9d5d52ce0c641a9d5f759c8a37419cb48f5346f274758f9936e648f18b58a78700773e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cicuo.exe

Filesize
783KB

MD5
285f7d9d9c47386f4d2ddeac55bf3e6e

SHA1
ceb087e755cc5079b76010bb96c668c61119caaa

SHA256
e199f85b9ffacbf19c265e9f58cd588227deb92e8be85d3faa17cf0df6cc8214

SHA512
7026314e28939a9a0657d2eb576dc9e54e0bf2b1919d78912b5a0507ed2d99e5aaf6db76e4ee014626b09f0cbf5bd72711ebbdf9604f514cce072c8d4ef67b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f95b3b0c0fe54f94813a279dfbc71a92

SHA1
8deec282f88aa8f06e5818bfb60a36715c705100

SHA256
5ff0d702c806af13f4fa3ae037a8de4c63860163aec004a93af1dd16cf16d585

SHA512
e2d1c49febb8791ce309b87c3aa88b131957e594a2ddfb87caea10533531588bcc3ddbd9113b5c2bbc24cf293366c10ee23dc0304eec77488101702813e60cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqdor.exe

Filesize
156KB

MD5
39ecadf06352e4a2d1bd542c0c1aa51b

SHA1
b00e611baea98a147ef1d6c0d0ceaee94b8ebf65

SHA256
0d91a76208d901b330213126309132879fb2044cb261f3a6331d3319992f3c06

SHA512
a2c2fb4b213cfe0cf92108591b0dee1a753dde12ba87ad868c556be8c3eac9899efcf01f7e262ef5f71497c3165272ff1b1722358b12587e4d9942e005cd0404

Download Submit
memory/3588-0-0x0000000000160000-0x0000000000229000-memory.dmp

Filesize
804KB

Download
memory/3588-14-0x0000000000160000-0x0000000000229000-memory.dmp

Filesize
804KB

Download
memory/3952-17-0x0000000000A80000-0x0000000000B49000-memory.dmp

Filesize
804KB

Download
memory/3952-12-0x0000000000A80000-0x0000000000B49000-memory.dmp

Filesize
804KB

Download
memory/3952-28-0x0000000000A80000-0x0000000000B49000-memory.dmp

Filesize
804KB

Download
memory/4360-27-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/4360-26-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4360-31-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/4360-30-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4360-32-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing