urelas | fe1234bba5afb9fc0c7f6abb4a45220fed9468da934c26e7217e3bc8c3b8029a

Analysis

max time kernel
138s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adf3aab71c184a8a1ae41811796d0c77_JC.exe
Size

460KB
MD5

adf3aab71c184a8a1ae41811796d0c77
SHA1

d97fb23ebd15b5307327c63e65e8a8fcf1e84106
SHA256

fe1234bba5afb9fc0c7f6abb4a45220fed9468da934c26e7217e3bc8c3b8029a
SHA512

170eccf9835ed72e11e98d2683fd3f448861b9f3053d8132f3e5c1e1abfdabe61675ee71869a639ab823d336a2ce511a59109dbbddb584b9592b48236936959d
SSDEEP

6144:LEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhVOpdFRdmp:LMpASIcWYx2U6hAJV/

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	vouxo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	cefuuw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	adf3aab71c184a8a1ae41811796d0c77_JC.exe

Executes dropped EXE 3 IoCs

pid	Process
4676	vouxo.exe
2064	cefuuw.exe
2824	xediv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5060	2824	WerFault.exe	104

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 4676	3180	adf3aab71c184a8a1ae41811796d0c77_JC.exe	83
PID 3180 wrote to memory of 4676	3180	adf3aab71c184a8a1ae41811796d0c77_JC.exe	83
PID 3180 wrote to memory of 4676	3180	adf3aab71c184a8a1ae41811796d0c77_JC.exe	83
PID 3180 wrote to memory of 2648	3180	adf3aab71c184a8a1ae41811796d0c77_JC.exe	84
PID 3180 wrote to memory of 2648	3180	adf3aab71c184a8a1ae41811796d0c77_JC.exe	84
PID 3180 wrote to memory of 2648	3180	adf3aab71c184a8a1ae41811796d0c77_JC.exe	84
PID 4676 wrote to memory of 2064	4676	vouxo.exe	86
PID 4676 wrote to memory of 2064	4676	vouxo.exe	86
PID 4676 wrote to memory of 2064	4676	vouxo.exe	86
PID 2064 wrote to memory of 2824	2064	cefuuw.exe	104
PID 2064 wrote to memory of 2824	2064	cefuuw.exe	104
PID 2064 wrote to memory of 2824	2064	cefuuw.exe	104
PID 2064 wrote to memory of 4044	2064	cefuuw.exe	105
PID 2064 wrote to memory of 4044	2064	cefuuw.exe	105
PID 2064 wrote to memory of 4044	2064	cefuuw.exe	105

C:\Users\Admin\AppData\Local\Temp\adf3aab71c184a8a1ae41811796d0c77_JC.exe
"C:\Users\Admin\AppData\Local\Temp\adf3aab71c184a8a1ae41811796d0c77_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\vouxo.exe
  "C:\Users\Admin\AppData\Local\Temp\vouxo.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\cefuuw.exe
    "C:\Users\Admin\AppData\Local\Temp\cefuuw.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\xediv.exe
      "C:\Users\Admin\AppData\Local\Temp\xediv.exe"
      4⤵
      Executes dropped EXE
      PID:2824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 216
        5⤵
        Program crash
        
        PID:5060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:4044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2824 -ip 2824
1⤵
PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
282B

MD5
cc31b078999657d2aaacea7880e3f220

SHA1
977d09e641d13a458985a02d18969aae834fb111

SHA256
6fd5ea02d944d17bb2ed0198f308c96433fa33e0ef9a9edf2b8a71ec621b17ad

SHA512
183a483f0205a3ff008ae3a7e807d95705984f6d063473461ba26623465c4fa44dca20c362779c1e0a628c7d3c54f756ef505924723fd5cc62900fec00bc3c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
6d61303c3d6e5d519ff8960e018d1aaa

SHA1
4295011d302e3f259d62c249cccd9c1c9ffc5558

SHA256
e60511f84157f112bc29516be2fddd0e8b2df90a29fd594ecbbbc9346534a2f6

SHA512
c09f907b90b71087424d73222faed52713db197793db11d7edbf1b9c771ba2fdaa77fb1ff9eed3bc5f31459ab3c3621402b0b25fdc030fe652035d58510d379f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cefuuw.exe

Filesize
460KB

MD5
bf7a01316726ec75a0fe34e134c35cf0

SHA1
2b18b616108523c1f287388c94fffe6296ce67dd

SHA256
db910a0fa993f1ab349ca5515e4c91da9ec7c9571671dc7f144ea68e38a8c103

SHA512
19e92479becd86252fcf563a326f2947ba65c9d95359501b1868e8ff250c1ab500756e6fdda6b8613d1010b006f6b20bb3ff79b12dccb330f55010466838018f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cefuuw.exe

Filesize
460KB

MD5
bf7a01316726ec75a0fe34e134c35cf0

SHA1
2b18b616108523c1f287388c94fffe6296ce67dd

SHA256
db910a0fa993f1ab349ca5515e4c91da9ec7c9571671dc7f144ea68e38a8c103

SHA512
19e92479becd86252fcf563a326f2947ba65c9d95359501b1868e8ff250c1ab500756e6fdda6b8613d1010b006f6b20bb3ff79b12dccb330f55010466838018f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1d9e44640c3240ab7543eff0cd242636

SHA1
e31842f04d9f125f1ec47a2a8edfb7c4e8504243

SHA256
5265cc4a508e44df2ffbd203eb557aa9cfe9b7a986e02582529d40ba67a7fa15

SHA512
9bd5b3cf3f2cd6880cd12ed906cd474c394e0f7ad3e26bec9351575631c92e12a61af253b4d0c605ed61257206d233c29780667ce2458b4021ff0758cd4f3d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vouxo.exe

Filesize
460KB

MD5
9b457a6afb917a7879673c345200c958

SHA1
13ad5b933e38c968c5cc8d646f1a8441f2f1f95d

SHA256
2052d7290252d75edd16e75ed01abb09aa2ef746d19a67a3f325935503b498a9

SHA512
5821e0d1c2ae8e1f1a9cd0769f484d0b0f4af55bba09241aa4e2b494f73bcc4f193c96185c0451d340c3385d29a326ed6661232a0bb5c1d497e9ca9d3917c2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vouxo.exe

Filesize
460KB

MD5
9b457a6afb917a7879673c345200c958

SHA1
13ad5b933e38c968c5cc8d646f1a8441f2f1f95d

SHA256
2052d7290252d75edd16e75ed01abb09aa2ef746d19a67a3f325935503b498a9

SHA512
5821e0d1c2ae8e1f1a9cd0769f484d0b0f4af55bba09241aa4e2b494f73bcc4f193c96185c0451d340c3385d29a326ed6661232a0bb5c1d497e9ca9d3917c2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vouxo.exe

Filesize
460KB

MD5
9b457a6afb917a7879673c345200c958

SHA1
13ad5b933e38c968c5cc8d646f1a8441f2f1f95d

SHA256
2052d7290252d75edd16e75ed01abb09aa2ef746d19a67a3f325935503b498a9

SHA512
5821e0d1c2ae8e1f1a9cd0769f484d0b0f4af55bba09241aa4e2b494f73bcc4f193c96185c0451d340c3385d29a326ed6661232a0bb5c1d497e9ca9d3917c2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xediv.exe

Filesize
223KB

MD5
f8e10c94fe6e962258fc6c6c688988c0

SHA1
ad3583687d4de81e3863a04b277c94badba49a71

SHA256
726d4b4e187260cb2bcf0839390b2e1d8ec49122c6d0c8dc7defcfc3a1309759

SHA512
a0e8fa20e50f6a81e0546e308ce3efbd67a8344dce55467c1f1a6c81bbe743ef3677607ad7df9b7098643f25cb6be844c724f073c9e1f4aef72cfa9a7212a2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xediv.exe

Filesize
223KB

MD5
f8e10c94fe6e962258fc6c6c688988c0

SHA1
ad3583687d4de81e3863a04b277c94badba49a71

SHA256
726d4b4e187260cb2bcf0839390b2e1d8ec49122c6d0c8dc7defcfc3a1309759

SHA512
a0e8fa20e50f6a81e0546e308ce3efbd67a8344dce55467c1f1a6c81bbe743ef3677607ad7df9b7098643f25cb6be844c724f073c9e1f4aef72cfa9a7212a2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xediv.exe

Filesize
223KB

MD5
f8e10c94fe6e962258fc6c6c688988c0

SHA1
ad3583687d4de81e3863a04b277c94badba49a71

SHA256
726d4b4e187260cb2bcf0839390b2e1d8ec49122c6d0c8dc7defcfc3a1309759

SHA512
a0e8fa20e50f6a81e0546e308ce3efbd67a8344dce55467c1f1a6c81bbe743ef3677607ad7df9b7098643f25cb6be844c724f073c9e1f4aef72cfa9a7212a2e7

Download Submit
memory/2064-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2064-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2824-35-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/3180-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3180-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4676-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4676-12-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download