urelas | ebf29eb86fafb581ec88eae24fbd48df9bd3920b7dada2d161fdc8999a3480ad

Resubmissions

09/10/2023, 17:00

231009-vjbjxseg7s 10

09/10/2023, 16:54

231009-ve2wbagh57 10

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2023, 16:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.cff80c5ce109c8663546546b9d2a5154_JC.exe
Size

319KB
MD5

cff80c5ce109c8663546546b9d2a5154
SHA1

6170060d8a6b71674c63b69c1b0ea6e9461733c2
SHA256

ebf29eb86fafb581ec88eae24fbd48df9bd3920b7dada2d161fdc8999a3480ad
SHA512

2886828d1a8ebea772be8503b2a5969b82394ea8614056f2be0b0089ea5da670c709933ce5e9518d5fdb9a18ea49cfb3273b57cc324c5bd46f5d00fd80fb8bb5
SSDEEP

6144:sY4zSop9m06QbGTCnTRoOIH3FPA7AthtLpz:PkXpd6jqiOIHZAK

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	NEAS.cff80c5ce109c8663546546b9d2a5154_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	bizuq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	siawaz.exe

Executes dropped EXE 3 IoCs

pid	Process
2896	bizuq.exe
3744	siawaz.exe
2088	bopol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe
2088	bopol.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 2896	636	NEAS.cff80c5ce109c8663546546b9d2a5154_JC.exe	86
PID 636 wrote to memory of 2896	636	NEAS.cff80c5ce109c8663546546b9d2a5154_JC.exe	86
PID 636 wrote to memory of 2896	636	NEAS.cff80c5ce109c8663546546b9d2a5154_JC.exe	86
PID 636 wrote to memory of 1788	636	NEAS.cff80c5ce109c8663546546b9d2a5154_JC.exe	87
PID 636 wrote to memory of 1788	636	NEAS.cff80c5ce109c8663546546b9d2a5154_JC.exe	87
PID 636 wrote to memory of 1788	636	NEAS.cff80c5ce109c8663546546b9d2a5154_JC.exe	87
PID 2896 wrote to memory of 3744	2896	bizuq.exe	89
PID 2896 wrote to memory of 3744	2896	bizuq.exe	89
PID 2896 wrote to memory of 3744	2896	bizuq.exe	89
PID 3744 wrote to memory of 2088	3744	siawaz.exe	107
PID 3744 wrote to memory of 2088	3744	siawaz.exe	107
PID 3744 wrote to memory of 2088	3744	siawaz.exe	107
PID 3744 wrote to memory of 3628	3744	siawaz.exe	108
PID 3744 wrote to memory of 3628	3744	siawaz.exe	108
PID 3744 wrote to memory of 3628	3744	siawaz.exe	108

C:\Users\Admin\AppData\Local\Temp\NEAS.cff80c5ce109c8663546546b9d2a5154_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cff80c5ce109c8663546546b9d2a5154_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:636
- C:\Users\Admin\AppData\Local\Temp\bizuq.exe
  "C:\Users\Admin\AppData\Local\Temp\bizuq.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\siawaz.exe
    "C:\Users\Admin\AppData\Local\Temp\siawaz.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\bopol.exe
      "C:\Users\Admin\AppData\Local\Temp\bopol.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:3628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
cd2382f2f5573ab11c52a95838daea0d

SHA1
f76f8bda435b3b0d99997629a6e34ca478b0fe08

SHA256
ef6b5068dc892bbae2cf4d599b4f7d0393a24b0c4cb9b1e7bbf65d33777a6008

SHA512
14f3e00755fcdd9416cf613c35929aa2bd25a2f188144c1ac1929aad89770f1075404fcf4b0e3d556011da5a5cc99da01275b113882bc67279ae84a666dc2534

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
7c42b5f79f499a31a0293123b56ed0fa

SHA1
e5fe8b6ca4b0c3af2adcd55692fd71ea26e09056

SHA256
b95a63e79487e2172a68b1b8e80a9fa0c65f9ce89784e9ceec9a41b292c64eb4

SHA512
f7eebab854d2b7db2b05c2bd6e884573b3cc7f3f955d205bd21c661b08c4636b998d3fd37d15b10b769e41023b5f91de7de78b78551272ad96c65c1fe4fa0e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\bizuq.exe

Filesize
319KB

MD5
e6c31708c7b569acadd90b2820a0bc23

SHA1
bbcdf0f155fc8baa41a787de3ec67df8b826a2f9

SHA256
fc54bbf2b43f6c75094df22fd6de37bd86319182bc8d11919501676e22ace694

SHA512
c30a6f5fadf725d5186a9924e20096ad40c47e1147a77929a9677f5a8088f964b58bc62eaf5995c71b27737c25928d33bc0a405f2f81c9523f36c04cb86729bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bizuq.exe

Filesize
319KB

MD5
e6c31708c7b569acadd90b2820a0bc23

SHA1
bbcdf0f155fc8baa41a787de3ec67df8b826a2f9

SHA256
fc54bbf2b43f6c75094df22fd6de37bd86319182bc8d11919501676e22ace694

SHA512
c30a6f5fadf725d5186a9924e20096ad40c47e1147a77929a9677f5a8088f964b58bc62eaf5995c71b27737c25928d33bc0a405f2f81c9523f36c04cb86729bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bizuq.exe

Filesize
319KB

MD5
e6c31708c7b569acadd90b2820a0bc23

SHA1
bbcdf0f155fc8baa41a787de3ec67df8b826a2f9

SHA256
fc54bbf2b43f6c75094df22fd6de37bd86319182bc8d11919501676e22ace694

SHA512
c30a6f5fadf725d5186a9924e20096ad40c47e1147a77929a9677f5a8088f964b58bc62eaf5995c71b27737c25928d33bc0a405f2f81c9523f36c04cb86729bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bopol.exe

Filesize
223KB

MD5
b5e1733fc9cb324d2c8f6b14e7d9ba6f

SHA1
8128bc2b5f560259156eac892fea6e57fed6e39a

SHA256
373d1e814ea57c6f9bb5b3c6cd3901e2b64d9c2fdfde1de36ac2f6757de26a7e

SHA512
b5f75ba65d969f89d395cb71f2a26753521d339bcb78a5a7b2305a2e3dbd2acd5e9c5c7ae63b99d4d76bc1e11a6d5999f1cb0c2f2e5c06dc7a7d8596174c11ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\bopol.exe

Filesize
223KB

MD5
b5e1733fc9cb324d2c8f6b14e7d9ba6f

SHA1
8128bc2b5f560259156eac892fea6e57fed6e39a

SHA256
373d1e814ea57c6f9bb5b3c6cd3901e2b64d9c2fdfde1de36ac2f6757de26a7e

SHA512
b5f75ba65d969f89d395cb71f2a26753521d339bcb78a5a7b2305a2e3dbd2acd5e9c5c7ae63b99d4d76bc1e11a6d5999f1cb0c2f2e5c06dc7a7d8596174c11ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\bopol.exe

Filesize
223KB

MD5
b5e1733fc9cb324d2c8f6b14e7d9ba6f

SHA1
8128bc2b5f560259156eac892fea6e57fed6e39a

SHA256
373d1e814ea57c6f9bb5b3c6cd3901e2b64d9c2fdfde1de36ac2f6757de26a7e

SHA512
b5f75ba65d969f89d395cb71f2a26753521d339bcb78a5a7b2305a2e3dbd2acd5e9c5c7ae63b99d4d76bc1e11a6d5999f1cb0c2f2e5c06dc7a7d8596174c11ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f21b17d430483ac90d0bd9a1c2aa3aaa

SHA1
a2f0c553a632524f80fe65a435b2e6be10200840

SHA256
9b4a22ce93651833d49b9276000f1d600afef57290ab1c6ae4149cc564df4ba7

SHA512
e52c6bbff602f36479a46caf5537a1a3fb67ed0672729d9dff4ce4b383cc36b4916ec33e684513ecddb86c9ff106bd4565b296f4a1a8fd5d46eb1c206f3b7822

Download Submit
C:\Users\Admin\AppData\Local\Temp\siawaz.exe

Filesize
319KB

MD5
721a92ec7d3b87ce7bb405b977e8048a

SHA1
34e82567d19214c4647f2b60a8f42340c357bca8

SHA256
52bf7c462cbcddef4bbaae4693a0695a97701592e3d3494decdd734ab183ec63

SHA512
fd19fbbdb29267a79335b7e4c5ecfdaeb0021363122b5f60341c8c81e6d610149d68f0e40e4b3229813b4dff1d0ac406b13482fb7ae4c6404a748250c5a34134

Download Submit
C:\Users\Admin\AppData\Local\Temp\siawaz.exe

Filesize
319KB

MD5
721a92ec7d3b87ce7bb405b977e8048a

SHA1
34e82567d19214c4647f2b60a8f42340c357bca8

SHA256
52bf7c462cbcddef4bbaae4693a0695a97701592e3d3494decdd734ab183ec63

SHA512
fd19fbbdb29267a79335b7e4c5ecfdaeb0021363122b5f60341c8c81e6d610149d68f0e40e4b3229813b4dff1d0ac406b13482fb7ae4c6404a748250c5a34134

Download Submit
memory/636-2-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/636-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/636-1-0x00000000020B0000-0x00000000020F3000-memory.dmp

Filesize
268KB

Download
memory/636-20-0x00000000020B0000-0x00000000020F3000-memory.dmp

Filesize
268KB

Download
memory/636-19-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/636-4-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2088-55-0x00000000000F0000-0x0000000000190000-memory.dmp

Filesize
640KB

Download
memory/2088-53-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2088-44-0x00000000000F0000-0x0000000000190000-memory.dmp

Filesize
640KB

Download
memory/2088-48-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2088-54-0x00000000000F0000-0x0000000000190000-memory.dmp

Filesize
640KB

Download
memory/2088-56-0x00000000000F0000-0x0000000000190000-memory.dmp

Filesize
640KB

Download
memory/2088-57-0x00000000000F0000-0x0000000000190000-memory.dmp

Filesize
640KB

Download
memory/2088-52-0x00000000000F0000-0x0000000000190000-memory.dmp

Filesize
640KB

Download
memory/2896-18-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2896-30-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3744-34-0x0000000001F80000-0x0000000001FC3000-memory.dmp

Filesize
268KB

Download
memory/3744-49-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3744-35-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3744-32-0x0000000001F80000-0x0000000001FC3000-memory.dmp

Filesize
268KB

Download
memory/3744-33-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download