urelas | bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c

General

Target

bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe
Size

404KB
MD5

90f29b38c805fd6cbc409b2da5860a29
SHA1

9a9cfb16e5a37721e35449733a37b995243776cf
SHA256

bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c
SHA512

7d1587a658ab4b0c5fa923b11b9d60988b56500f3daf6f127aa2a0cf99f0d572c7eeb066a50b23c2753c91d55cb0b7deea60d01085a46df57d13b173fb9336d5
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBroht:8IfBoDWoyFblU6hAJQnO7

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exekonoi.exeowwijy.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	konoi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	owwijy.exe

Executes dropped EXE 3 IoCs

Processes:

konoi.exeowwijy.exeequfm.exe

pid	Process
3148	konoi.exe
2560	owwijy.exe
3436	equfm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exebb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exekonoi.execmd.exeowwijy.exeequfm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	konoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	owwijy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	equfm.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

equfm.exe

pid	Process
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe
3436	equfm.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exekonoi.exeowwijy.exe

description	pid	Process	procid_target
PID 2816 wrote to memory of 3148	2816	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe	83
PID 2816 wrote to memory of 3148	2816	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe	83
PID 2816 wrote to memory of 3148	2816	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe	83
PID 2816 wrote to memory of 632	2816	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe	84
PID 2816 wrote to memory of 632	2816	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe	84
PID 2816 wrote to memory of 632	2816	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe	84
PID 3148 wrote to memory of 2560	3148	konoi.exe	86
PID 3148 wrote to memory of 2560	3148	konoi.exe	86
PID 3148 wrote to memory of 2560	3148	konoi.exe	86
PID 2560 wrote to memory of 3436	2560	owwijy.exe	105
PID 2560 wrote to memory of 3436	2560	owwijy.exe	105
PID 2560 wrote to memory of 3436	2560	owwijy.exe	105
PID 2560 wrote to memory of 4264	2560	owwijy.exe	106
PID 2560 wrote to memory of 4264	2560	owwijy.exe	106
PID 2560 wrote to memory of 4264	2560	owwijy.exe	106

C:\Users\Admin\AppData\Local\Temp\bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe
"C:\Users\Admin\AppData\Local\Temp\bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\konoi.exe
  "C:\Users\Admin\AppData\Local\Temp\konoi.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\owwijy.exe
    "C:\Users\Admin\AppData\Local\Temp\owwijy.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\equfm.exe
      "C:\Users\Admin\AppData\Local\Temp\equfm.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
587c0ac416cbbebd06173074964ca435

SHA1
2439111659ca9f83aef7b8b12faa793da62be640

SHA256
393838768c0e790f9abe78e55d14f58292f1186089e6f3f8cf86ecea5d7d2071

SHA512
77da016d6908fc22dc195d8908d374d80320e77d14b620ddcb0e338a46bb6d0ac065f7ea1d927584141ea2d8ff9c947d42c003505d4cc0dd5c7ec30d114ff0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
bdf0b0a18c1876afe177e953dc05b427

SHA1
0f1e7495de2d9753162454d71f254001c4e23741

SHA256
feb9daa4dcf404860312c8d35419ec58a0f8e8883eb62f550e88e4993c5a9942

SHA512
4f8ecdf30a470e66dc4ce70b71a5f12bd6d0f6f70564e9e1a1982ad320a4481646b60944e7f9b44e3d75d2c20757222a2d9dedf3bb30153bb07a62803a042f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\equfm.exe

Filesize
223KB

MD5
da32d98b74609d72191335e78b47c8b9

SHA1
dd5176b4bd5ce08bc181309cc3f4d344397ac23e

SHA256
8dc1c5a72d96090e050c124e69479fdbd299442bf8b12540a8ab4ded267008e9

SHA512
d1e312735d09e308afdda2147725c9dc7b83d1cc722564651b2935f0ea0f4935f81ee617b95f56e6d539c7ad6cb23d11213754f7bbb7966d8047ea257e2d9124

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
59d4f92271513a5e0ce7f9693f6c02ab

SHA1
0b81209a26d9fde13e8f62669827baffb4ab5a4e

SHA256
547415c632d20307b5d5b573b1347239cff54ead2a3accd2e04da0f99fa76380

SHA512
2b5e280171273a65dc5bec1aa92790a957dd540bd1b0aaa7cf7ee3c315a4a2a8fef60cee0fabe4c473c223d7d953c4edc79d93d5eee1ee5bb8cf4ca32ed44a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\konoi.exe

Filesize
404KB

MD5
99aee5b5e694caff49d317b454d890a5

SHA1
68ab1149a003d321b70d1ee2c1a9775a5343a9df

SHA256
3d52c309b311c6edf0e6d6242c18fcd7602de9095ad3deb234661bcae2a6e6d5

SHA512
b2854ec114680144e5c5912ffbe88ebba83e8719893d4d5dda39bf763280672e50ce8e24c50393a1308d3540f6cef16c84f6ba4e34ac638f3e2763bc8a83018b

Download Submit
C:\Users\Admin\AppData\Local\Temp\owwijy.exe

Filesize
404KB

MD5
130fbc304e320c05bb2b906b1baff3b5

SHA1
172df44a5b51a4de0fa8288e2ba76cfdc91a2b96

SHA256
1accff35b1866787ca8aa6d9a31c0e073ea4bc1ac61ee60083353814170aae5f

SHA512
fbb2f86ab93b5c1037d8a15861dd7eebdf4877380502b3e449d33b73ad05346e082806e4b91865aa8eab59eaf95376a06f607c17f7115b2e8e72f8e5991b5787

Download Submit
memory/2560-27-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2560-41-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2560-26-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2816-16-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2816-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3148-24-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3148-11-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3436-39-0x0000000000800000-0x00000000008A0000-memory.dmp

Filesize
640KB

Download
memory/3436-43-0x0000000000800000-0x00000000008A0000-memory.dmp

Filesize
640KB

Download
memory/3436-44-0x0000000000800000-0x00000000008A0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads