urelas | 553c81d2b260518033d823851b7666fc83bff5cabb65f4a2cc02f5d3057426fb

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2023, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a966eb479f68989aa588f414af218189_JC.exe
Size

478KB
MD5

a966eb479f68989aa588f414af218189
SHA1

4281f1152ef582ca5f0875955c9551fbb1b1a3fd
SHA256

553c81d2b260518033d823851b7666fc83bff5cabb65f4a2cc02f5d3057426fb
SHA512

9bbdf8e41493a62072f2212a2acb923308a2ecc314ad0a9d2ae4ad3762d7cda9a391e6394aa1e1ae9310dace3b3363c2f2c0803a209b8fa9c369612ba599e255
SSDEEP

12288:k2PxDgZo3ijniea8Xih9abyNK95ZA9u3y2XWb7:k2SLi7oih9abvceo

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	pioch.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	a966eb479f68989aa588f414af218189_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
3416	pioch.exe
4392	xomyf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe
4392	xomyf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 3416	4344	a966eb479f68989aa588f414af218189_JC.exe	86
PID 4344 wrote to memory of 3416	4344	a966eb479f68989aa588f414af218189_JC.exe	86
PID 4344 wrote to memory of 3416	4344	a966eb479f68989aa588f414af218189_JC.exe	86
PID 4344 wrote to memory of 4088	4344	a966eb479f68989aa588f414af218189_JC.exe	87
PID 4344 wrote to memory of 4088	4344	a966eb479f68989aa588f414af218189_JC.exe	87
PID 4344 wrote to memory of 4088	4344	a966eb479f68989aa588f414af218189_JC.exe	87
PID 3416 wrote to memory of 4392	3416	pioch.exe	103
PID 3416 wrote to memory of 4392	3416	pioch.exe	103
PID 3416 wrote to memory of 4392	3416	pioch.exe	103

C:\Users\Admin\AppData\Local\Temp\a966eb479f68989aa588f414af218189_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a966eb479f68989aa588f414af218189_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Local\Temp\pioch.exe
  "C:\Users\Admin\AppData\Local\Temp\pioch.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Users\Admin\AppData\Local\Temp\xomyf.exe
    "C:\Users\Admin\AppData\Local\Temp\xomyf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
30953483ec8f91e8f7bce81282dd76dd

SHA1
086485187200c7f90f2e15a63541f751ed10fc95

SHA256
c412481ada3d30aa2c8eaeba73dd9b23f45967b7ca0b7ad50f3e76c29cf49a07

SHA512
adffffeeb3b28c1235f6f363142299b9556f9f66be1de3787c812e920577ca51a3ac6ff179814dbd8d96a78ac47b38a9c5570204f537810ae83af7d6b764ff69

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a7acc7210462737be0031b2c9820e975

SHA1
7c2e6ff5bc3cf6c98ef57f5595dbe19d5cf6bba0

SHA256
d68a7113195944eb852499a9dbdf0137dfe6a4e0e7dbc377d65ae460f87e105a

SHA512
ac274b1dbc1bc1f3908fb46eeb0b11c343d0a91ee8c93b14351601cbd361d1ea06154686f906275496c57b581f91bb0ca8674d5d8d8f2402c39412a0162f5dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pioch.exe

Filesize
479KB

MD5
f09550f282bd45a4b1aced517a1329da

SHA1
1b67774f26c35828ff8a396bdb9ab58def436202

SHA256
8e1c451248fd7cedd501538abd7e13f9faefb16b6d107864b3c72e6f26c04018

SHA512
8fa039192c04fd7224e660fd3783f33df363589168642228b14c5c3622be98d4b42b3c4fbd3f1b266b0d5a9655921a7e9646a68bc37b54f89aa73c5559a88e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\pioch.exe

Filesize
479KB

MD5
f09550f282bd45a4b1aced517a1329da

SHA1
1b67774f26c35828ff8a396bdb9ab58def436202

SHA256
8e1c451248fd7cedd501538abd7e13f9faefb16b6d107864b3c72e6f26c04018

SHA512
8fa039192c04fd7224e660fd3783f33df363589168642228b14c5c3622be98d4b42b3c4fbd3f1b266b0d5a9655921a7e9646a68bc37b54f89aa73c5559a88e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\pioch.exe

Filesize
479KB

MD5
f09550f282bd45a4b1aced517a1329da

SHA1
1b67774f26c35828ff8a396bdb9ab58def436202

SHA256
8e1c451248fd7cedd501538abd7e13f9faefb16b6d107864b3c72e6f26c04018

SHA512
8fa039192c04fd7224e660fd3783f33df363589168642228b14c5c3622be98d4b42b3c4fbd3f1b266b0d5a9655921a7e9646a68bc37b54f89aa73c5559a88e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\xomyf.exe

Filesize
200KB

MD5
de04f11956a1653ade7e8033bd54fe6d

SHA1
3cf0c2c1fb487096d94df8fc548fe670e619ccfc

SHA256
d2bb0f3e7b9779091e03de00faac99f588cfb756e86ab30c90a9a7e9ebf220cf

SHA512
6e18eac275d01b52ec5b04c63f22474567e1c82b963f281f5ccc7120b096b728359954adf3d38efb55418110c7a2fab3fb00907ddf48d090124f0562c1b1316c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xomyf.exe

Filesize
200KB

MD5
de04f11956a1653ade7e8033bd54fe6d

SHA1
3cf0c2c1fb487096d94df8fc548fe670e619ccfc

SHA256
d2bb0f3e7b9779091e03de00faac99f588cfb756e86ab30c90a9a7e9ebf220cf

SHA512
6e18eac275d01b52ec5b04c63f22474567e1c82b963f281f5ccc7120b096b728359954adf3d38efb55418110c7a2fab3fb00907ddf48d090124f0562c1b1316c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xomyf.exe

Filesize
200KB

MD5
de04f11956a1653ade7e8033bd54fe6d

SHA1
3cf0c2c1fb487096d94df8fc548fe670e619ccfc

SHA256
d2bb0f3e7b9779091e03de00faac99f588cfb756e86ab30c90a9a7e9ebf220cf

SHA512
6e18eac275d01b52ec5b04c63f22474567e1c82b963f281f5ccc7120b096b728359954adf3d38efb55418110c7a2fab3fb00907ddf48d090124f0562c1b1316c

Download Submit
memory/3416-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4344-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4392-24-0x0000000000540000-0x00000000005F4000-memory.dmp

Filesize
720KB

Download
memory/4392-25-0x0000000000540000-0x00000000005F4000-memory.dmp

Filesize
720KB

Download
memory/4392-27-0x0000000000540000-0x00000000005F4000-memory.dmp

Filesize
720KB

Download
memory/4392-28-0x0000000000540000-0x00000000005F4000-memory.dmp

Filesize
720KB

Download
memory/4392-29-0x0000000000540000-0x00000000005F4000-memory.dmp

Filesize
720KB

Download
memory/4392-30-0x0000000000540000-0x00000000005F4000-memory.dmp

Filesize
720KB

Download
memory/4392-31-0x0000000000540000-0x00000000005F4000-memory.dmp

Filesize
720KB

Download
memory/4392-32-0x0000000000540000-0x00000000005F4000-memory.dmp

Filesize
720KB

Download