urelas | f5d7dda7214f743ef8334ce0aa6bc65389e5ce9f8df57fbca2cc22d1e5bdf675

Analysis

max time kernel
159s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9d317753025927f8c2b746d3e7c16e70.exe
Size

423KB
MD5

9d317753025927f8c2b746d3e7c16e70
SHA1

b579698a685bae9c827a802607a9a12703d2df07
SHA256

f5d7dda7214f743ef8334ce0aa6bc65389e5ce9f8df57fbca2cc22d1e5bdf675
SHA512

d589a55f9e693e40ca46fa6452fe3b8b2fbc070b5de23b57a22d6c738433da35e13939c578d7747397efa2dac2da7ab8597d5d360a43917a723b6f43614dcb35
SSDEEP

12288:L3UxAjzesuBZtpy5KPADlOxnfWVUHGpm2CjDX7BC:L3UiqswtpyhOxuGHGpmXQ

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	NEAS.9d317753025927f8c2b746d3e7c16e70.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	qyxoh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	lezusi.exe

Executes dropped EXE 3 IoCs

pid	Process
1060	qyxoh.exe
4756	lezusi.exe
1288	atxya.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe
1288	atxya.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1060	1940	NEAS.9d317753025927f8c2b746d3e7c16e70.exe	88
PID 1940 wrote to memory of 1060	1940	NEAS.9d317753025927f8c2b746d3e7c16e70.exe	88
PID 1940 wrote to memory of 1060	1940	NEAS.9d317753025927f8c2b746d3e7c16e70.exe	88
PID 1940 wrote to memory of 3728	1940	NEAS.9d317753025927f8c2b746d3e7c16e70.exe	89
PID 1940 wrote to memory of 3728	1940	NEAS.9d317753025927f8c2b746d3e7c16e70.exe	89
PID 1940 wrote to memory of 3728	1940	NEAS.9d317753025927f8c2b746d3e7c16e70.exe	89
PID 1060 wrote to memory of 4756	1060	qyxoh.exe	93
PID 1060 wrote to memory of 4756	1060	qyxoh.exe	93
PID 1060 wrote to memory of 4756	1060	qyxoh.exe	93
PID 4756 wrote to memory of 1288	4756	lezusi.exe	105
PID 4756 wrote to memory of 1288	4756	lezusi.exe	105
PID 4756 wrote to memory of 1288	4756	lezusi.exe	105
PID 4756 wrote to memory of 3928	4756	lezusi.exe	106
PID 4756 wrote to memory of 3928	4756	lezusi.exe	106
PID 4756 wrote to memory of 3928	4756	lezusi.exe	106

C:\Users\Admin\AppData\Local\Temp\NEAS.9d317753025927f8c2b746d3e7c16e70.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9d317753025927f8c2b746d3e7c16e70.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\qyxoh.exe
  "C:\Users\Admin\AppData\Local\Temp\qyxoh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\lezusi.exe
    "C:\Users\Admin\AppData\Local\Temp\lezusi.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\atxya.exe
      "C:\Users\Admin\AppData\Local\Temp\atxya.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:3928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
286B

MD5
ffb8805ae2169782fc305d45c10f00b0

SHA1
472541b392873def2cf83af01b62fcac66d4c725

SHA256
955a54e1aea95efacd12a56e60c5db0b7bda82f3ff3e01e7839cf49cc2ca352d

SHA512
88aa5fdf4e61564e16847a69355b11ecbd8ebedff89a83cb3d5f09b1c7886d73e0b2d480145079b76ccce062b476dd2ec078482349e87e2af3763630bcbd7fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
f0f351427d53c0ccf6a9203bd9b6b4b4

SHA1
dbc64f521079437032bf21b51b57e6d123b6df19

SHA256
c360ff79af8860bd7018933d519de732bde600c1a6114d5b7405c7b1c2a32a93

SHA512
5110cade2f0778f04af1edebb841de5f1e44f927013e3c6a9b2a43b3de66e4e7c2e99ff662da665ae542d6dc1c222e8610850cdbd2a860ccc9358658de53c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\atxya.exe

Filesize
360KB

MD5
b900b03f85dc19efdc8e506bfe0a0fd7

SHA1
cd459b059f99a9c756972cd37f8433a184387edb

SHA256
127ad9cf88cf7a45d8be297880563b3be1dcd1b43cd210f9f3cff97d2e7d8a54

SHA512
ced898f9f5fba4f2c9cb6ed67b8263c5daa0207cbc8c58d644440646ed5b6f17e9d6be5383830f9ffb22b55c8ba4544ad418b0b36938bcc8f73894bf81c10dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\atxya.exe

Filesize
360KB

MD5
b900b03f85dc19efdc8e506bfe0a0fd7

SHA1
cd459b059f99a9c756972cd37f8433a184387edb

SHA256
127ad9cf88cf7a45d8be297880563b3be1dcd1b43cd210f9f3cff97d2e7d8a54

SHA512
ced898f9f5fba4f2c9cb6ed67b8263c5daa0207cbc8c58d644440646ed5b6f17e9d6be5383830f9ffb22b55c8ba4544ad418b0b36938bcc8f73894bf81c10dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\atxya.exe

Filesize
360KB

MD5
b900b03f85dc19efdc8e506bfe0a0fd7

SHA1
cd459b059f99a9c756972cd37f8433a184387edb

SHA256
127ad9cf88cf7a45d8be297880563b3be1dcd1b43cd210f9f3cff97d2e7d8a54

SHA512
ced898f9f5fba4f2c9cb6ed67b8263c5daa0207cbc8c58d644440646ed5b6f17e9d6be5383830f9ffb22b55c8ba4544ad418b0b36938bcc8f73894bf81c10dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9e8155853b2ae902cc3982856b7be6a6

SHA1
085775efe4b9b36d539bd5507bdc43bdd1237ae4

SHA256
4c6abde2381f2dc78d0aee21120137c7b179d126930a19ac1b32a4c797672e81

SHA512
046ba4d4f11e8994f6d9bbc6c80a121ce8dd4b8d5b91c60135f8011c02b78ddc60118ccfc742affbdd4df2eec05bf0c3f21bcff514a4b42f45a2c24b64ffdae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lezusi.exe

Filesize
423KB

MD5
b4961c59d60781e97f40e2efcd19caa8

SHA1
d5a85d8e39862d0be974a8bfe97a0401c4380d44

SHA256
6c3230007b545b3d026e21164c0d5befd67ae58bbb11308b93544c6b7cb0e86d

SHA512
3e51f4218bb7295bb4becd5b9e1ba4b10a483f33ec0435223e9154778ee753a9ba37bc1f22f00c352fabf01240eb987b441940d775839c747ea0eb7c9aa76025

Download Submit
C:\Users\Admin\AppData\Local\Temp\lezusi.exe

Filesize
423KB

MD5
b4961c59d60781e97f40e2efcd19caa8

SHA1
d5a85d8e39862d0be974a8bfe97a0401c4380d44

SHA256
6c3230007b545b3d026e21164c0d5befd67ae58bbb11308b93544c6b7cb0e86d

SHA512
3e51f4218bb7295bb4becd5b9e1ba4b10a483f33ec0435223e9154778ee753a9ba37bc1f22f00c352fabf01240eb987b441940d775839c747ea0eb7c9aa76025

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyxoh.exe

Filesize
423KB

MD5
b4961c59d60781e97f40e2efcd19caa8

SHA1
d5a85d8e39862d0be974a8bfe97a0401c4380d44

SHA256
6c3230007b545b3d026e21164c0d5befd67ae58bbb11308b93544c6b7cb0e86d

SHA512
3e51f4218bb7295bb4becd5b9e1ba4b10a483f33ec0435223e9154778ee753a9ba37bc1f22f00c352fabf01240eb987b441940d775839c747ea0eb7c9aa76025

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyxoh.exe

Filesize
423KB

MD5
b4961c59d60781e97f40e2efcd19caa8

SHA1
d5a85d8e39862d0be974a8bfe97a0401c4380d44

SHA256
6c3230007b545b3d026e21164c0d5befd67ae58bbb11308b93544c6b7cb0e86d

SHA512
3e51f4218bb7295bb4becd5b9e1ba4b10a483f33ec0435223e9154778ee753a9ba37bc1f22f00c352fabf01240eb987b441940d775839c747ea0eb7c9aa76025

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyxoh.exe

Filesize
423KB

MD5
b4961c59d60781e97f40e2efcd19caa8

SHA1
d5a85d8e39862d0be974a8bfe97a0401c4380d44

SHA256
6c3230007b545b3d026e21164c0d5befd67ae58bbb11308b93544c6b7cb0e86d

SHA512
3e51f4218bb7295bb4becd5b9e1ba4b10a483f33ec0435223e9154778ee753a9ba37bc1f22f00c352fabf01240eb987b441940d775839c747ea0eb7c9aa76025

Download Submit
memory/1060-24-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1288-39-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1288-36-0x0000000000720000-0x00000000007C3000-memory.dmp

Filesize
652KB

Download
memory/1288-42-0x0000000000720000-0x00000000007C3000-memory.dmp

Filesize
652KB

Download
memory/1288-43-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1288-44-0x0000000000720000-0x00000000007C3000-memory.dmp

Filesize
652KB

Download
memory/1940-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1940-15-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4756-25-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4756-40-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download