urelas | 07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca

General

Target

07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe
Size

330KB
MD5

0287a47c2cd95341f1ab1b29438eac59
SHA1

228e48db10142555d09e612015cc860603df4aed
SHA256

07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca
SHA512

c3e45428955053a8529237f908b711cc2ece3487f284ea92824036ce1080f2071447829040dfae389e6ccf15deddf220ba92998ec60ad95370c33562c567dbdb
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOF+:vHW138/iXWlK885rKlGSekcj66ciq+

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tofoz.exe07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	tofoz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe

Executes dropped EXE 2 IoCs

Processes:

tofoz.exeefmat.exe

pid process

1524 tofoz.exe
4532 efmat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1524	tofoz.exe
4532	efmat.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tofoz.execmd.exeefmat.exe07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tofoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efmat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

efmat.exe

pid	process
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe
4532	efmat.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exetofoz.exe

description	pid	process	target process
PID 4488 wrote to memory of 1524	4488	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	tofoz.exe
PID 4488 wrote to memory of 1524	4488	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	tofoz.exe
PID 4488 wrote to memory of 1524	4488	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	tofoz.exe
PID 4488 wrote to memory of 1268	4488	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	cmd.exe
PID 4488 wrote to memory of 1268	4488	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	cmd.exe
PID 4488 wrote to memory of 1268	4488	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	cmd.exe
PID 1524 wrote to memory of 4532	1524	tofoz.exe	efmat.exe
PID 1524 wrote to memory of 4532	1524	tofoz.exe	efmat.exe
PID 1524 wrote to memory of 4532	1524	tofoz.exe	efmat.exe

C:\Users\Admin\AppData\Local\Temp\07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe
"C:\Users\Admin\AppData\Local\Temp\07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Users\Admin\AppData\Local\Temp\tofoz.exe
  "C:\Users\Admin\AppData\Local\Temp\tofoz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\efmat.exe
    "C:\Users\Admin\AppData\Local\Temp\efmat.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
771fa4d03ae459e185d1571c142745bd

SHA1
b767e9597db7cf75b4d012762fbd9f53d99bf862

SHA256
417291890d62c7ae0804026988b90379fdc1c5d05c8d04bafe89a2b32dfd4c30

SHA512
3865ff0477f1d8679fa0e71ae76ff31a9512e23b10513bd0cc58bb58d81d60a1c1c35c26aa68673a74b0fd76052fdf797935bfd30f8f9590a83adc82e42f475c

Download Submit
C:\Users\Admin\AppData\Local\Temp\efmat.exe

Filesize
172KB

MD5
70846f93721cb41f161149e288d1a23f

SHA1
e35fb443be869966a6535cc25a0cfc2a71b16094

SHA256
8ef6d849d4b1d6b75c8f8b2c26dc284dc27f6a2d304f9e57639b101567af3698

SHA512
627f76e92ccb94b5832b67423e8cbd7e3347175fd829258d6ce5f846780a3bbdd13d5680f7ea1a75f1ac99a14cb28f47c5dfd54ab25769dc2996e82b4eb5ffe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2b7e8118bf4296ac4d6eb1e59098fb78

SHA1
f3ee9384a33cc8e0a26bd666e9db99f6e7d7abc6

SHA256
6b2f1cf4ced223327f0851452b3fb313955ae0bb98581d1fec1de23352d308fa

SHA512
5ec60e33907d11f09b4e84667ed0472fd7e94247bbf87d2e25777b33563c3816a547407f02fd5e8a00e5c71a418b33749bb1c627d862bdf4fb5c7b8eeb947b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tofoz.exe

Filesize
330KB

MD5
1dce5035296e88d8be0e6bd61bf2e450

SHA1
fabc74d510ae0d21d3ef6306a697d9cd2fa0beaf

SHA256
8603760dbb41af673de415debb7e2a538c9201f3e5f2b9de5c3fde5f57a23e05

SHA512
1f0305b3e752e953d0bf07560395ed238fbaa561de843cd669c1f2d8ede0480e013f314522e51d7d1ced53d50f3da6e54be55fee29ea4c95358d2a3836576b97

Download Submit
memory/1524-39-0x0000000000BC0000-0x0000000000C41000-memory.dmp

Filesize
516KB

Download
memory/1524-14-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/1524-13-0x0000000000BC0000-0x0000000000C41000-memory.dmp

Filesize
516KB

Download
memory/1524-20-0x0000000000BC0000-0x0000000000C41000-memory.dmp

Filesize
516KB

Download
memory/4488-1-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/4488-17-0x00000000002E0000-0x0000000000361000-memory.dmp

Filesize
516KB

Download
memory/4488-0-0x00000000002E0000-0x0000000000361000-memory.dmp

Filesize
516KB

Download
memory/4532-37-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/4532-40-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/4532-41-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/4532-46-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/4532-45-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/4532-47-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/4532-48-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/4532-49-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/4532-50-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads