urelas | b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d

General

Target

b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe
Size

689KB
MD5

882afb62ea28195617963f64df97091f
SHA1

c2c0b5729bd376f925b5e3a26298e6ffe48d3686
SHA256

b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d
SHA512

34f47a3f4f1899a8d69cf4961d81fabde06dae6e8257c2028cf9e59faf254d009245e311299818364c03673ea52aa321711d8759e4ffccd0b86d51ad7d918102
SSDEEP

12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nh:dVh6gl6Iy8R9+ZdnnP94jpgl9Bnh

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exeatbun.exerenimu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	atbun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	renimu.exe

Executes dropped EXE 3 IoCs

Processes:

atbun.exerenimu.exekeryd.exe

pid process

2196 atbun.exe
4676 renimu.exe
3020 keryd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2196	atbun.exe
4676	renimu.exe
3020	keryd.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

atbun.execmd.exerenimu.exekeryd.execmd.exeb9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atbun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	renimu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keryd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

keryd.exe

pid	process
3020	keryd.exe
3020	keryd.exe
3020	keryd.exe
3020	keryd.exe
3020	keryd.exe
3020	keryd.exe
3020	keryd.exe
3020	keryd.exe
3020	keryd.exe
3020	keryd.exe
3020	keryd.exe
3020	keryd.exe
3020	keryd.exe
3020	keryd.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exeatbun.exerenimu.exe

description	pid	process	target process
PID 1724 wrote to memory of 2196	1724	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe	atbun.exe
PID 1724 wrote to memory of 2196	1724	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe	atbun.exe
PID 1724 wrote to memory of 2196	1724	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe	atbun.exe
PID 1724 wrote to memory of 3624	1724	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe	cmd.exe
PID 1724 wrote to memory of 3624	1724	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe	cmd.exe
PID 1724 wrote to memory of 3624	1724	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe	cmd.exe
PID 2196 wrote to memory of 4676	2196	atbun.exe	renimu.exe
PID 2196 wrote to memory of 4676	2196	atbun.exe	renimu.exe
PID 2196 wrote to memory of 4676	2196	atbun.exe	renimu.exe
PID 4676 wrote to memory of 3020	4676	renimu.exe	keryd.exe
PID 4676 wrote to memory of 3020	4676	renimu.exe	keryd.exe
PID 4676 wrote to memory of 3020	4676	renimu.exe	keryd.exe
PID 4676 wrote to memory of 1648	4676	renimu.exe	cmd.exe
PID 4676 wrote to memory of 1648	4676	renimu.exe	cmd.exe
PID 4676 wrote to memory of 1648	4676	renimu.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe
"C:\Users\Admin\AppData\Local\Temp\b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\atbun.exe
  "C:\Users\Admin\AppData\Local\Temp\atbun.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\renimu.exe
    "C:\Users\Admin\AppData\Local\Temp\renimu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Users\Admin\AppData\Local\Temp\keryd.exe
      "C:\Users\Admin\AppData\Local\Temp\keryd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
f50d22079a3ed426c4713db705e0a191

SHA1
169e4bb7ace25ce52a628f3add7bbfa455424f01

SHA256
c4432ccbb8a3eace2dbaafd494d76e7b5c0def2a089ad957078639ce96947139

SHA512
82440035404fec6ea6010190c6fe184baf2707cd4b1d14a4e3a317b113caef6e16834e7e4a611a7fa984b418edf879edb70a790c19369e75af815ada50d34f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
a404cd1e1c5dc4ff7980e95c6ac4fe61

SHA1
885c830c5d069378821c20259ec2f17d31b2d008

SHA256
e04933a8812a003e5d05600fb06d6f071a7e5af5415507c519d3fc5407d096b0

SHA512
64cceb358122187e637508190004eb64c6572fb71c749495c389e4dbaec996525adf8030407d848e32d5545aa49a940e0f48518931c080679776309c75aca944

Download Submit
C:\Users\Admin\AppData\Local\Temp\atbun.exe

Filesize
690KB

MD5
73f65d8e7b2f2c4e0182172404b5a846

SHA1
747a7a7e9aa70df1628d7ea10e19f60e4ae90811

SHA256
98ee7bb4c4221c3d21b3b06a307c2611e21f5769ac238f396279bba266fa904b

SHA512
02cf87ead212f9c86e76e40c4a73ca72ff557d54a83f282a980b32f39ed470d69a7b440aa2d485b32459d3fae957f33ecc5b952f2336823fee30c9dc2850759a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1b8d0753f58153d1a32abe37c47e1767

SHA1
540b126ab3ccd69ad521617b725352a295056669

SHA256
fd3b5ae2756b4b3e38edce4afb977e214766c17b332bb343a426681b1f1336e9

SHA512
d0fe4545cda9d1b7c05fb2276522e90823ca0ec841fbe605ae178755bf89897f4ecaaa842f14fc93b17d219845976b0337e8d88b118b3e4dc386b8a5c1d1ae10

Download Submit
C:\Users\Admin\AppData\Local\Temp\keryd.exe

Filesize
469KB

MD5
990079a505841f59ac8dca4c5922d7c6

SHA1
c1724be80742d6995b15a7b52385a00a1e00c864

SHA256
75e948baf633783d02bc4378960de8285ad6847106e029b74ab54762ac55c3e3

SHA512
236824a539e1dc6f9f0ec5943a5f33ce7b7266ca78574e5453c48d0c6c92fe5e01e6171da27d9b82ab17f8d33707096e10d0c3b4bb6520d0c2f00131106210a2

Download Submit
memory/1724-14-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1724-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2196-24-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3020-37-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3020-42-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4676-25-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4676-39-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads