urelas | 6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3

General

Target

6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe
Size

332KB
MD5

9005adf6dc2001ebe4b8b45ccae3c8b0
SHA1

1338d6153061783232f99e6944b6144a4835a2e6
SHA256

6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3
SHA512

933431cf66acc4155c510ecd6b2603aecf4f757da8335edacf0c4e8812c72e52387479c645e6bd6b4d69c786f5903fe18e6b0f807edf9321669525ae704620e7
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYq:vHW138/iXWlK885rKlGSekcj66ciz

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exebaonf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	baonf.exe

Executes dropped EXE 2 IoCs

Processes:

baonf.exetogiu.exe

pid process

2464 baonf.exe
3668 togiu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2464	baonf.exe
3668	togiu.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exebaonf.execmd.exetogiu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baonf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	togiu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

togiu.exe

pid	process
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe
3668	togiu.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exebaonf.exe

description	pid	process	target process
PID 984 wrote to memory of 2464	984	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	baonf.exe
PID 984 wrote to memory of 2464	984	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	baonf.exe
PID 984 wrote to memory of 2464	984	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	baonf.exe
PID 984 wrote to memory of 3900	984	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	cmd.exe
PID 984 wrote to memory of 3900	984	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	cmd.exe
PID 984 wrote to memory of 3900	984	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	cmd.exe
PID 2464 wrote to memory of 3668	2464	baonf.exe	togiu.exe
PID 2464 wrote to memory of 3668	2464	baonf.exe	togiu.exe
PID 2464 wrote to memory of 3668	2464	baonf.exe	togiu.exe

C:\Users\Admin\AppData\Local\Temp\6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe
"C:\Users\Admin\AppData\Local\Temp\6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:984
- C:\Users\Admin\AppData\Local\Temp\baonf.exe
  "C:\Users\Admin\AppData\Local\Temp\baonf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\togiu.exe
    "C:\Users\Admin\AppData\Local\Temp\togiu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
710943b4bc4cb3508979b0ff0dec9782

SHA1
bcffaf0cc3dc993ab846ec5de6f880721fb8f2d5

SHA256
d8b9e49cc44f652a3daebde2f6d26059cae4706e59d53500dbf5074cfcc4ce04

SHA512
13622271bf849268c7c24a56ddd17ad91a5ce8085f32a1b01c8ee324b642880066a03dfbc04c4c44bb94fb22ff22af0e1765d87fe8f8322a8bd54f6d51051b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\baonf.exe

Filesize
332KB

MD5
45c77cbfc171139b9611f69718cb79a6

SHA1
277cc832ec650085d0ee75ff3c82b02f9a1c9538

SHA256
086f4c116f4ad73cf0b3b318616f8ef832ec3e2c0c832253e59521828e1844c3

SHA512
dcd1c01f14c539832f15ccb38c779b74657a3e34e288da0e439a48c04050da67059053a4be8b0394e7f9d89c721dd070608a8002008bb172273dccfe45a83733

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
80f1959de5bdc258c22eaa7e40f41eb5

SHA1
b16b2108b5348906027e462d4c23819dde4ef7ab

SHA256
5c44116f6f1de53025da0b6ded5a5b0f750f3a17e4daca7bdfa56220027a196f

SHA512
71b966749b16f10478380742e34891e901d139f407a40aab4f4f8377c2b87b23ece59e286593f3b30c481dff94d225804edbd55415174754eba8fb949f0334ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\togiu.exe

Filesize
172KB

MD5
46e679263caf3dd1ca196d2add17d8ce

SHA1
57bb56c424e624822b64cc594985e7fbfc7192d3

SHA256
10b5f7fc73d8c0aa58720fc8617e4aa4914f12f5c4a7d2659ef25feb0b43d13e

SHA512
29c71a81e48737df3814036ab6e04de8cc292a88815300611a3baa83e2c59bf401e178139250b42507e663e60c10b2cbb21827af7aced1d71f61478655706730

Download Submit
memory/984-1-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/984-17-0x0000000000460000-0x00000000004E1000-memory.dmp

Filesize
516KB

Download
memory/984-0-0x0000000000460000-0x00000000004E1000-memory.dmp

Filesize
516KB

Download
memory/2464-40-0x00000000009C0000-0x0000000000A41000-memory.dmp

Filesize
516KB

Download
memory/2464-10-0x00000000009C0000-0x0000000000A41000-memory.dmp

Filesize
516KB

Download
memory/2464-15-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/2464-20-0x00000000009C0000-0x0000000000A41000-memory.dmp

Filesize
516KB

Download
memory/3668-36-0x0000000000B40000-0x0000000000BD9000-memory.dmp

Filesize
612KB

Download
memory/3668-38-0x0000000001170000-0x0000000001172000-memory.dmp

Filesize
8KB

Download
memory/3668-41-0x0000000000B40000-0x0000000000BD9000-memory.dmp

Filesize
612KB

Download
memory/3668-45-0x0000000000B40000-0x0000000000BD9000-memory.dmp

Filesize
612KB

Download
memory/3668-46-0x0000000001170000-0x0000000001172000-memory.dmp

Filesize
8KB

Download
memory/3668-47-0x0000000000B40000-0x0000000000BD9000-memory.dmp

Filesize
612KB

Download
memory/3668-48-0x0000000000B40000-0x0000000000BD9000-memory.dmp

Filesize
612KB

Download
memory/3668-49-0x0000000000B40000-0x0000000000BD9000-memory.dmp

Filesize
612KB

Download
memory/3668-50-0x0000000000B40000-0x0000000000BD9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads