urelas | 535f2ff8292f1f2d152749caea268970564651bda90794101801691ec8ad5276

Analysis

max time kernel
161s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe
Size

418KB
MD5

05554556b58761e45cfe7e3fbee4dd80
SHA1

f3f8b0f26fb4457db1ae417753cf67ec35c80ec7
SHA256

535f2ff8292f1f2d152749caea268970564651bda90794101801691ec8ad5276
SHA512

b74839a78e05203431b1c3225305627fe8a9015f96d9304b941946bdc72bd63068592a1c1ea06a44747c4bd07f82543ec27fb6756027acb761b348e73e62f673
SSDEEP

6144:XxiqjFBwbGbGQfkOuuGDblGE2OeMfqP3mOa2cBlBPAsE+:XhjQK3f/utLeMfBnBc+

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	umoqr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	liseyj.exe

Executes dropped EXE 3 IoCs

pid	Process
3560	umoqr.exe
2184	liseyj.exe
2056	botyq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe
2056	botyq.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 3560	4924	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe	80
PID 4924 wrote to memory of 3560	4924	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe	80
PID 4924 wrote to memory of 3560	4924	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe	80
PID 4924 wrote to memory of 372	4924	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe	81
PID 4924 wrote to memory of 372	4924	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe	81
PID 4924 wrote to memory of 372	4924	NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe	81
PID 3560 wrote to memory of 2184	3560	umoqr.exe	83
PID 3560 wrote to memory of 2184	3560	umoqr.exe	83
PID 3560 wrote to memory of 2184	3560	umoqr.exe	83
PID 2184 wrote to memory of 2056	2184	liseyj.exe	93
PID 2184 wrote to memory of 2056	2184	liseyj.exe	93
PID 2184 wrote to memory of 2056	2184	liseyj.exe	93
PID 2184 wrote to memory of 4012	2184	liseyj.exe	94
PID 2184 wrote to memory of 4012	2184	liseyj.exe	94
PID 2184 wrote to memory of 4012	2184	liseyj.exe	94

C:\Users\Admin\AppData\Local\Temp\NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.05554556b58761e45cfe7e3fbee4dd80_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Local\Temp\umoqr.exe
  "C:\Users\Admin\AppData\Local\Temp\umoqr.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\liseyj.exe
    "C:\Users\Admin\AppData\Local\Temp\liseyj.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\botyq.exe
      "C:\Users\Admin\AppData\Local\Temp\botyq.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:4012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
e9b68cc09b083788289efe5658016683

SHA1
503083724ad3339911aaea6926624eb0b0c3a036

SHA256
30500d1fcda257cf3882f770df4368e3f36781ec98280dafa727aa003f56dd9f

SHA512
738cc366d8194e4463517b3d16a4d211b24884609ca8cd3c59ecabe77c3b2cbe67d1e7c0a92988deff82242e2f26015a6bb45d8c42676f4c1f35f692b0916a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
2cc4bffbd3b5eb4d84373a1059fa4a65

SHA1
c13e114f2c61bcf7114dc2804cd8b4abade5d236

SHA256
68fab4fa5d521a5fe20bde405e975b19509ca59395a845cfcbe8ee08bee4d5fd

SHA512
4e409b415dd9161fb41903ff88dcf91182d68ed7e62f34f1b269f7d40d88b5d4b7cddb3b924f75b7354080c54099d48f26b962c70d61433a334fdd1cdf91834a

Download Submit
C:\Users\Admin\AppData\Local\Temp\botyq.exe

Filesize
189KB

MD5
872bfd181d0fc656b823e9484e01e749

SHA1
a21684230b45c06d094435ef0d0173ea03e616ba

SHA256
6e262ce0b82f88b8b4655bafcd1121f987c69219f4387f1a4343813eeb1e4c0f

SHA512
8ec5d2cda9bf56248097e39c329be3e6b12d85d10dfd00f98f8163375072c89fe8f1f24c223146b2864ab421241b7fc15386dcef2b41e670128e83fd46c6b93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\botyq.exe

Filesize
189KB

MD5
872bfd181d0fc656b823e9484e01e749

SHA1
a21684230b45c06d094435ef0d0173ea03e616ba

SHA256
6e262ce0b82f88b8b4655bafcd1121f987c69219f4387f1a4343813eeb1e4c0f

SHA512
8ec5d2cda9bf56248097e39c329be3e6b12d85d10dfd00f98f8163375072c89fe8f1f24c223146b2864ab421241b7fc15386dcef2b41e670128e83fd46c6b93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\botyq.exe

Filesize
189KB

MD5
872bfd181d0fc656b823e9484e01e749

SHA1
a21684230b45c06d094435ef0d0173ea03e616ba

SHA256
6e262ce0b82f88b8b4655bafcd1121f987c69219f4387f1a4343813eeb1e4c0f

SHA512
8ec5d2cda9bf56248097e39c329be3e6b12d85d10dfd00f98f8163375072c89fe8f1f24c223146b2864ab421241b7fc15386dcef2b41e670128e83fd46c6b93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cc68933f92a1e4c4e914bc78434dfc6d

SHA1
2c105450bfc31ca07e402bed021813a7c1e0c7a3

SHA256
de636207c60e1ebbbb1a6f86635e8b1ee835b61fe6e7c4f265cf7226c0699289

SHA512
abb72ba4fa2b0234a1e4e0e1d9db9e084457a919354e5fb4371abe6d09fca1f9ac0a74a0a6e935befbd5afbba79a18750ec52511f95f20d11c472750a960b160

Download Submit
C:\Users\Admin\AppData\Local\Temp\liseyj.exe

Filesize
418KB

MD5
49f04b0b4855db757d92fb70cfd6d065

SHA1
b02c7a58f6f76da84b8bcccb83ae5e41d26a2596

SHA256
86fbeb97ff2cf0a2cfe30ca66c24abd2a65a05fff1fd75eb9b1294c488e13cf9

SHA512
8b0c4f9976cc443a1c0f8517b7b825e1b0913f967548c45951d5fd0a06055a347b8a7f67944181f6379f42857a453f4c434e9f8cfbe02e0627394c0e1f824dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\liseyj.exe

Filesize
418KB

MD5
49f04b0b4855db757d92fb70cfd6d065

SHA1
b02c7a58f6f76da84b8bcccb83ae5e41d26a2596

SHA256
86fbeb97ff2cf0a2cfe30ca66c24abd2a65a05fff1fd75eb9b1294c488e13cf9

SHA512
8b0c4f9976cc443a1c0f8517b7b825e1b0913f967548c45951d5fd0a06055a347b8a7f67944181f6379f42857a453f4c434e9f8cfbe02e0627394c0e1f824dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\umoqr.exe

Filesize
418KB

MD5
49f04b0b4855db757d92fb70cfd6d065

SHA1
b02c7a58f6f76da84b8bcccb83ae5e41d26a2596

SHA256
86fbeb97ff2cf0a2cfe30ca66c24abd2a65a05fff1fd75eb9b1294c488e13cf9

SHA512
8b0c4f9976cc443a1c0f8517b7b825e1b0913f967548c45951d5fd0a06055a347b8a7f67944181f6379f42857a453f4c434e9f8cfbe02e0627394c0e1f824dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\umoqr.exe

Filesize
418KB

MD5
49f04b0b4855db757d92fb70cfd6d065

SHA1
b02c7a58f6f76da84b8bcccb83ae5e41d26a2596

SHA256
86fbeb97ff2cf0a2cfe30ca66c24abd2a65a05fff1fd75eb9b1294c488e13cf9

SHA512
8b0c4f9976cc443a1c0f8517b7b825e1b0913f967548c45951d5fd0a06055a347b8a7f67944181f6379f42857a453f4c434e9f8cfbe02e0627394c0e1f824dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\umoqr.exe

Filesize
418KB

MD5
49f04b0b4855db757d92fb70cfd6d065

SHA1
b02c7a58f6f76da84b8bcccb83ae5e41d26a2596

SHA256
86fbeb97ff2cf0a2cfe30ca66c24abd2a65a05fff1fd75eb9b1294c488e13cf9

SHA512
8b0c4f9976cc443a1c0f8517b7b825e1b0913f967548c45951d5fd0a06055a347b8a7f67944181f6379f42857a453f4c434e9f8cfbe02e0627394c0e1f824dd2

Download Submit
memory/2056-44-0x0000000000FB0000-0x000000000104B000-memory.dmp

Filesize
620KB

Download
memory/2056-43-0x00000000007A0000-0x00000000007A2000-memory.dmp

Filesize
8KB

Download
memory/2056-45-0x0000000000FB0000-0x000000000104B000-memory.dmp

Filesize
620KB

Download
memory/2056-37-0x0000000000FB0000-0x000000000104B000-memory.dmp

Filesize
620KB

Download
memory/2056-42-0x0000000000FB0000-0x000000000104B000-memory.dmp

Filesize
620KB

Download
memory/2056-39-0x00000000007A0000-0x00000000007A2000-memory.dmp

Filesize
8KB

Download
memory/2184-40-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2184-25-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3560-23-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4924-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4924-14-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download