urelas | 6a0cb915a305440c4c85830c53a10e106dddc94fc36c317ca7d682814ae399d6

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9207d62c7e2a8578f4f34d3322a05d84_JC.exe
Size

315KB
MD5

9207d62c7e2a8578f4f34d3322a05d84
SHA1

61ae5264a1bdecbf0183503c7003c0fc6081cf3c
SHA256

6a0cb915a305440c4c85830c53a10e106dddc94fc36c317ca7d682814ae399d6
SHA512

91df21974e94104c1239dc794f4c9bf42c2ffaa0c1e84d4d6221abb9910dc7bddd8f7bb3bd5654b2fb694c045205844d071c64d2791eb208feec435b87fce065
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+Xh:vHW138/iXWlK885rKlGSekcj66cih

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	9207d62c7e2a8578f4f34d3322a05d84_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	fowok.exe

Executes dropped EXE 2 IoCs

pid	Process
2860	fowok.exe
1468	ojuqj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe
1468	ojuqj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2860	3024	9207d62c7e2a8578f4f34d3322a05d84_JC.exe	83
PID 3024 wrote to memory of 2860	3024	9207d62c7e2a8578f4f34d3322a05d84_JC.exe	83
PID 3024 wrote to memory of 2860	3024	9207d62c7e2a8578f4f34d3322a05d84_JC.exe	83
PID 3024 wrote to memory of 4900	3024	9207d62c7e2a8578f4f34d3322a05d84_JC.exe	84
PID 3024 wrote to memory of 4900	3024	9207d62c7e2a8578f4f34d3322a05d84_JC.exe	84
PID 3024 wrote to memory of 4900	3024	9207d62c7e2a8578f4f34d3322a05d84_JC.exe	84
PID 2860 wrote to memory of 1468	2860	fowok.exe	95
PID 2860 wrote to memory of 1468	2860	fowok.exe	95
PID 2860 wrote to memory of 1468	2860	fowok.exe	95

C:\Users\Admin\AppData\Local\Temp\9207d62c7e2a8578f4f34d3322a05d84_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9207d62c7e2a8578f4f34d3322a05d84_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\fowok.exe
  "C:\Users\Admin\AppData\Local\Temp\fowok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\ojuqj.exe
    "C:\Users\Admin\AppData\Local\Temp\ojuqj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
4f7b4bb52943640bc703f35035b1e215

SHA1
2fb618d9e165c33ac2dfcfbba46dbcfae2149551

SHA256
fb4535d9be207eae08fb992c872f8822421ee44558f37f863944bbb680c00720

SHA512
0529e2ccff52768c0bb6a766bb87b79df91b30c1e607b561c1e7d5b5e6609ed8c8d8bd44b42ca4f54db605fc3d1ab5e469fa99cfadb1fc9bdb5b3f435b62f174

Download Submit
C:\Users\Admin\AppData\Local\Temp\fowok.exe

Filesize
315KB

MD5
3fd967c31555ed2fb98e20135ae989be

SHA1
6aaea5d0b9dfb3d4e76bcc17859329ca103f8a56

SHA256
efa46a86c15913155be9da2c682bf7bc4143b39c026afc796350c3cbccc08407

SHA512
3fa24decb36071f9a40c31e9427edc2cb58923972a46704bf54c99b94db417ad900f9a66f0bcf6a66625eb1602be33fcc3b21afff8297b2b00f47ca128304782

Download Submit
C:\Users\Admin\AppData\Local\Temp\fowok.exe

Filesize
315KB

MD5
3fd967c31555ed2fb98e20135ae989be

SHA1
6aaea5d0b9dfb3d4e76bcc17859329ca103f8a56

SHA256
efa46a86c15913155be9da2c682bf7bc4143b39c026afc796350c3cbccc08407

SHA512
3fa24decb36071f9a40c31e9427edc2cb58923972a46704bf54c99b94db417ad900f9a66f0bcf6a66625eb1602be33fcc3b21afff8297b2b00f47ca128304782

Download Submit
C:\Users\Admin\AppData\Local\Temp\fowok.exe

Filesize
315KB

MD5
3fd967c31555ed2fb98e20135ae989be

SHA1
6aaea5d0b9dfb3d4e76bcc17859329ca103f8a56

SHA256
efa46a86c15913155be9da2c682bf7bc4143b39c026afc796350c3cbccc08407

SHA512
3fa24decb36071f9a40c31e9427edc2cb58923972a46704bf54c99b94db417ad900f9a66f0bcf6a66625eb1602be33fcc3b21afff8297b2b00f47ca128304782

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f2b912fea27c923ab3fb8e868a5b66b1

SHA1
899711bce39629d1167f25533314d3f1e11503ea

SHA256
4936c1308fa3db4898df04e4a3bdb55be61ca35fc63d89fdbd627ea548f9a7a1

SHA512
1afc902205949b1bb8955beb1f89ea1054f182b40d4498b27fdbab9d6c3bed02470f1dd068542684c26fa6df1c9624a827368c4a42bee572b44593fa5d05434b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojuqj.exe

Filesize
172KB

MD5
6a5206024747eead55485e7c46e3710a

SHA1
b1dc055c079a9192a309e7af782b3d1efff21555

SHA256
fe636b986e8108ace944301dedca869a6adc8ea15f6ec12bf17b8bfc8077a13e

SHA512
1fc95e253cd51dd47bd852f0800d140b35c07881e9d24835c8b0784af51f170bc541bbdf3c713a1887d1edd4e9a58d46f332b2f6533e2a76ab9d851b2b3a4b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojuqj.exe

Filesize
172KB

MD5
6a5206024747eead55485e7c46e3710a

SHA1
b1dc055c079a9192a309e7af782b3d1efff21555

SHA256
fe636b986e8108ace944301dedca869a6adc8ea15f6ec12bf17b8bfc8077a13e

SHA512
1fc95e253cd51dd47bd852f0800d140b35c07881e9d24835c8b0784af51f170bc541bbdf3c713a1887d1edd4e9a58d46f332b2f6533e2a76ab9d851b2b3a4b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojuqj.exe

Filesize
172KB

MD5
6a5206024747eead55485e7c46e3710a

SHA1
b1dc055c079a9192a309e7af782b3d1efff21555

SHA256
fe636b986e8108ace944301dedca869a6adc8ea15f6ec12bf17b8bfc8077a13e

SHA512
1fc95e253cd51dd47bd852f0800d140b35c07881e9d24835c8b0784af51f170bc541bbdf3c713a1887d1edd4e9a58d46f332b2f6533e2a76ab9d851b2b3a4b96

Download Submit
memory/1468-45-0x0000000000320000-0x00000000003B9000-memory.dmp

Filesize
612KB

Download
memory/1468-44-0x0000000000320000-0x00000000003B9000-memory.dmp

Filesize
612KB

Download
memory/1468-38-0x0000000000320000-0x00000000003B9000-memory.dmp

Filesize
612KB

Download
memory/1468-43-0x0000000000320000-0x00000000003B9000-memory.dmp

Filesize
612KB

Download
memory/1468-46-0x0000000000320000-0x00000000003B9000-memory.dmp

Filesize
612KB

Download
memory/1468-40-0x0000000000F70000-0x0000000000F72000-memory.dmp

Filesize
8KB

Download
memory/2860-14-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/2860-19-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/2860-35-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/2860-13-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/3024-16-0x0000000000530000-0x00000000005B1000-memory.dmp

Filesize
516KB

Download
memory/3024-0-0x0000000000530000-0x00000000005B1000-memory.dmp

Filesize
516KB

Download
memory/3024-1-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download