urelas | 2cd4a2228255be8ca927503ca7cb65eaef592eba2738742e889291dfde872d62

Analysis

max time kernel
156s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe
Size

331KB
MD5

8fbfc597ee04d6b9472abe360d5827f0
SHA1

eda2059dbd659cba40089d552a031737e25b1408
SHA256

2cd4a2228255be8ca927503ca7cb65eaef592eba2738742e889291dfde872d62
SHA512

b84ea699d581e610457edf746e82da2557726466d5721ee1fe99fff5114c0aec6fb05541cd86552b5a3f9cdb9da295db8552fa0f435d7f788f7aad90f93e6850
SSDEEP

6144:GLtOexihqv4m+lXD6betiTuBMTWjIDIiUBAkW9UOKMOtzWO8CatspdZ:GL1D+IatauBML42MykRak

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	qisug.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wonaxi.exe

Executes dropped EXE 3 IoCs

pid	Process
3104	qisug.exe
4552	wonaxi.exe
3004	atupa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe
3004	atupa.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 3104	4052	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe	83
PID 4052 wrote to memory of 3104	4052	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe	83
PID 4052 wrote to memory of 3104	4052	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe	83
PID 4052 wrote to memory of 4408	4052	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe	84
PID 4052 wrote to memory of 4408	4052	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe	84
PID 4052 wrote to memory of 4408	4052	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe	84
PID 3104 wrote to memory of 4552	3104	qisug.exe	87
PID 3104 wrote to memory of 4552	3104	qisug.exe	87
PID 3104 wrote to memory of 4552	3104	qisug.exe	87
PID 4552 wrote to memory of 3004	4552	wonaxi.exe	105
PID 4552 wrote to memory of 3004	4552	wonaxi.exe	105
PID 4552 wrote to memory of 3004	4552	wonaxi.exe	105
PID 4552 wrote to memory of 3736	4552	wonaxi.exe	106
PID 4552 wrote to memory of 3736	4552	wonaxi.exe	106
PID 4552 wrote to memory of 3736	4552	wonaxi.exe	106

C:\Users\Admin\AppData\Local\Temp\NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\qisug.exe
  "C:\Users\Admin\AppData\Local\Temp\qisug.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Users\Admin\AppData\Local\Temp\wonaxi.exe
    "C:\Users\Admin\AppData\Local\Temp\wonaxi.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\atupa.exe
      "C:\Users\Admin\AppData\Local\Temp\atupa.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:3736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
286B

MD5
448f457f897a2f9e1d5de34c36d99b15

SHA1
69e1cbca2104f95c68aaa776400554af4815982f

SHA256
d8cb895dc81c3ab0235a942df6af7eb9fa2a378ebb616a42e9a090ee0b6eb232

SHA512
786ad7fa9ae972c76129a63383d34ba5f1cf6fb32481a397edf2bb9424d4f0e4b85b99a9be82475de66b7bd2f9b59e085aae8d2b0dd461620ba3984eb0721b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
ae745837bbb689b49e91bc46184d59a2

SHA1
75ea5ea4215fb83370911b2fd767743cf37e569f

SHA256
68e2b21706a4a88583c09e4a92d30a72cbb7db5b4e7604a1323f9febfed2abcd

SHA512
83b701bd8e63f10cfcea9c91af3e661bd2c444b33900ab9369141c4c5c290268c8726122a852f7466e91ee7e590fc9bd5b5f79d9a74d928fc9fa63ccd1ce7dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\atupa.exe

Filesize
223KB

MD5
583ff1c1741bc123a55bd1d648e24165

SHA1
070f897714717d8f40dc1fd127861f6b915efaee

SHA256
a0b31271bf6ab0c3a530a3bc1097719d87c8438cb49e34d10c2b1b8a581e159b

SHA512
397f801fdc992ed8583f2a8f7b872c39a5cf886162b07bb91f5fe1eb2fcd561636f2809a407bc6217dd7f0d36bdfe7240c5a5fa416638d87fd2236549c70bf1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\atupa.exe

Filesize
223KB

MD5
583ff1c1741bc123a55bd1d648e24165

SHA1
070f897714717d8f40dc1fd127861f6b915efaee

SHA256
a0b31271bf6ab0c3a530a3bc1097719d87c8438cb49e34d10c2b1b8a581e159b

SHA512
397f801fdc992ed8583f2a8f7b872c39a5cf886162b07bb91f5fe1eb2fcd561636f2809a407bc6217dd7f0d36bdfe7240c5a5fa416638d87fd2236549c70bf1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\atupa.exe

Filesize
223KB

MD5
583ff1c1741bc123a55bd1d648e24165

SHA1
070f897714717d8f40dc1fd127861f6b915efaee

SHA256
a0b31271bf6ab0c3a530a3bc1097719d87c8438cb49e34d10c2b1b8a581e159b

SHA512
397f801fdc992ed8583f2a8f7b872c39a5cf886162b07bb91f5fe1eb2fcd561636f2809a407bc6217dd7f0d36bdfe7240c5a5fa416638d87fd2236549c70bf1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
db69e9eba4f940cc5904c65e3725186b

SHA1
32f20e490215ab8e2d7eac7338036fa8cf036b22

SHA256
7ee3171f5ccb9a86230432c0b7fa0e9990da3c96c2aba60cf67fbd2c8986ee42

SHA512
8934d559af71817c32597e26e258eb163f5406ea322880f4e8acce806ef18e62804dd52b8a392696caee937d041e738f2df78d4de5beaffc285b3cac1ac0db70

Download Submit
C:\Users\Admin\AppData\Local\Temp\qisug.exe

Filesize
331KB

MD5
3d539b3fee802f63b1faa8b06d716924

SHA1
776a044bbf32c65e3e6f666110988af88e1b0c8f

SHA256
0af5f612b9c14cd7b0f5bd520d07c7e0edd56a340a80317dd0f859c0bf1d072e

SHA512
786577a81261d57d4993fc550e54af1dd92a4c50b12ba1c667e5387f81b64a4170edd4ba31010e4b7c64a423f8a974273c87af3f33afebf65b4becb2f7d0c011

Download Submit
C:\Users\Admin\AppData\Local\Temp\qisug.exe

Filesize
331KB

MD5
3d539b3fee802f63b1faa8b06d716924

SHA1
776a044bbf32c65e3e6f666110988af88e1b0c8f

SHA256
0af5f612b9c14cd7b0f5bd520d07c7e0edd56a340a80317dd0f859c0bf1d072e

SHA512
786577a81261d57d4993fc550e54af1dd92a4c50b12ba1c667e5387f81b64a4170edd4ba31010e4b7c64a423f8a974273c87af3f33afebf65b4becb2f7d0c011

Download Submit
C:\Users\Admin\AppData\Local\Temp\qisug.exe

Filesize
331KB

MD5
3d539b3fee802f63b1faa8b06d716924

SHA1
776a044bbf32c65e3e6f666110988af88e1b0c8f

SHA256
0af5f612b9c14cd7b0f5bd520d07c7e0edd56a340a80317dd0f859c0bf1d072e

SHA512
786577a81261d57d4993fc550e54af1dd92a4c50b12ba1c667e5387f81b64a4170edd4ba31010e4b7c64a423f8a974273c87af3f33afebf65b4becb2f7d0c011

Download Submit
C:\Users\Admin\AppData\Local\Temp\wonaxi.exe

Filesize
331KB

MD5
4d8806ad993b765d873ee66717f6d74f

SHA1
d831eda918ab8e3e659cb30f39effd02b6b4dcec

SHA256
d1faeb1f6550b386e9831306bdc6bae367b4dae4e98763866705dcf7db4c9d4a

SHA512
cad68498baddccb4aff1513fc2a6cd498b25a5ef01600080b04deb3bd59adf3c12fba4fac0cb6132a8e0d933e41ecd7c42dac477ee9ca1bb6042a22d8c93f583

Download Submit
C:\Users\Admin\AppData\Local\Temp\wonaxi.exe

Filesize
331KB

MD5
4d8806ad993b765d873ee66717f6d74f

SHA1
d831eda918ab8e3e659cb30f39effd02b6b4dcec

SHA256
d1faeb1f6550b386e9831306bdc6bae367b4dae4e98763866705dcf7db4c9d4a

SHA512
cad68498baddccb4aff1513fc2a6cd498b25a5ef01600080b04deb3bd59adf3c12fba4fac0cb6132a8e0d933e41ecd7c42dac477ee9ca1bb6042a22d8c93f583

Download Submit
memory/3004-48-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3004-44-0x0000000000620000-0x00000000006C0000-memory.dmp

Filesize
640KB

Download
memory/3004-58-0x0000000000620000-0x00000000006C0000-memory.dmp

Filesize
640KB

Download
memory/3004-57-0x0000000000620000-0x00000000006C0000-memory.dmp

Filesize
640KB

Download
memory/3004-56-0x0000000000620000-0x00000000006C0000-memory.dmp

Filesize
640KB

Download
memory/3004-55-0x0000000000620000-0x00000000006C0000-memory.dmp

Filesize
640KB

Download
memory/3004-54-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3004-53-0x0000000000620000-0x00000000006C0000-memory.dmp

Filesize
640KB

Download
memory/3104-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3104-13-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4052-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4052-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4052-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4552-50-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4552-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4552-28-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download