urelas | d6151a74dfd8cf801fd50d64b55f7cbb460de07ab075aceb19293c6654dc02c4

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

217e40a87a7b58f96a71855d84417be0_exe32_JC.exe
Size

454KB
MD5

217e40a87a7b58f96a71855d84417be0
SHA1

a6f57e4840b0f13ba6ea9e93cca756b51b017106
SHA256

d6151a74dfd8cf801fd50d64b55f7cbb460de07ab075aceb19293c6654dc02c4
SHA512

f9d67a98bb4d934d7ccc4ed9e0b46ea5bfc4c2b88e53e0813355380c5a32ac707dc586567c2e714c12f9df914948f1767b5a277d12c925d7c013ddf06652838c
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFb:CMpASIcWYx2U6hAJQn6

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	sijyg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	zilyso.exe

Executes dropped EXE 3 IoCs

pid	Process
884	sijyg.exe
260	zilyso.exe
4996	zicev.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe
4996	zicev.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 884	3436	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe	84
PID 3436 wrote to memory of 884	3436	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe	84
PID 3436 wrote to memory of 884	3436	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe	84
PID 3436 wrote to memory of 2296	3436	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe	85
PID 3436 wrote to memory of 2296	3436	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe	85
PID 3436 wrote to memory of 2296	3436	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe	85
PID 884 wrote to memory of 260	884	sijyg.exe	87
PID 884 wrote to memory of 260	884	sijyg.exe	87
PID 884 wrote to memory of 260	884	sijyg.exe	87
PID 260 wrote to memory of 4996	260	zilyso.exe	97
PID 260 wrote to memory of 4996	260	zilyso.exe	97
PID 260 wrote to memory of 4996	260	zilyso.exe	97
PID 260 wrote to memory of 3132	260	zilyso.exe	98
PID 260 wrote to memory of 3132	260	zilyso.exe	98
PID 260 wrote to memory of 3132	260	zilyso.exe	98

C:\Users\Admin\AppData\Local\Temp\217e40a87a7b58f96a71855d84417be0_exe32_JC.exe
"C:\Users\Admin\AppData\Local\Temp\217e40a87a7b58f96a71855d84417be0_exe32_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Users\Admin\AppData\Local\Temp\sijyg.exe
  "C:\Users\Admin\AppData\Local\Temp\sijyg.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Users\Admin\AppData\Local\Temp\zilyso.exe
    "C:\Users\Admin\AppData\Local\Temp\zilyso.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:260
  - - C:\Users\Admin\AppData\Local\Temp\zicev.exe
      "C:\Users\Admin\AppData\Local\Temp\zicev.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:3132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
294B

MD5
162ce3d9514831ed6f299cb3a0bf1b94

SHA1
7aeb39aa9a25bbc217e95d841b8d719332f6a554

SHA256
4faae3feb17c0f110a62bbdb83beac9b0f2a6a4f344862781bcda268d9947549

SHA512
101031ef4e6b523a826e7c47b38c4fa3c49c1e850517e5d73778e083a0bfc772ac0256c801f50192048060c795a253b5c0c5220dff8ae045b10eb8bf4c7fbdfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
8ee50ef47e0c6455ae681dc5e9b5c72b

SHA1
37cee32acd76db3df44727cb5c2c05c210bc737d

SHA256
5faaaa6478ae95bd1e0874001227ba40622426d18fef247e0da855dfffb188cc

SHA512
5229471f997e1639c545bf55f72268df379f2be162a9e89316863b42a41beb129fd0e5e731744feb25845394a0ba538d33854f3b039bbac975ec4ad60f54def3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
79b992dac9ab48ae6677e1ad0d7992e5

SHA1
3bccbeddcd7cd98c40a161a17261718352b97cff

SHA256
02bb75e72f65f310ce3c8db11e250cb52abe8863abb4979c3accc87db1d6ead8

SHA512
45aae1ca1bde6bad71c8b662c367763ba92d5ea9b88ffb4bd8d359c5209d88dc1560cf05a027e361a578b83372584b9234dc0fe7d55247b1e34ed7c6922a72f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sijyg.exe

Filesize
454KB

MD5
814959fb8f197258b0427152f240d73a

SHA1
c89a42a5b85f8b94dc80aa4f93b870b91d590b29

SHA256
3002a360812a6d5ab880998e4e7c1ab801aefa5246ca86cb516858a6cc250a8a

SHA512
7a8b6f047709f55c7ca73f8d508239515ba4a855d8492293decd779e9b8e919e44d7ac3d44e0ddf6a81ecd0b768cd574ffc8cc4c067d453a0baf4d94c8a02cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sijyg.exe

Filesize
454KB

MD5
814959fb8f197258b0427152f240d73a

SHA1
c89a42a5b85f8b94dc80aa4f93b870b91d590b29

SHA256
3002a360812a6d5ab880998e4e7c1ab801aefa5246ca86cb516858a6cc250a8a

SHA512
7a8b6f047709f55c7ca73f8d508239515ba4a855d8492293decd779e9b8e919e44d7ac3d44e0ddf6a81ecd0b768cd574ffc8cc4c067d453a0baf4d94c8a02cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sijyg.exe

Filesize
454KB

MD5
814959fb8f197258b0427152f240d73a

SHA1
c89a42a5b85f8b94dc80aa4f93b870b91d590b29

SHA256
3002a360812a6d5ab880998e4e7c1ab801aefa5246ca86cb516858a6cc250a8a

SHA512
7a8b6f047709f55c7ca73f8d508239515ba4a855d8492293decd779e9b8e919e44d7ac3d44e0ddf6a81ecd0b768cd574ffc8cc4c067d453a0baf4d94c8a02cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zicev.exe

Filesize
223KB

MD5
6414b59c9e5dd8410b2f6c6fd94c1688

SHA1
f3b65ffe0d7c8408996efcf825e43ec7f247552e

SHA256
96ad80ae157f9da590a43ebac1c7b54eea49049530b6058793d444fb4db11f7a

SHA512
872ac733bca21518178c56bc7ec204fd122dd3c3e0c00bd73761c0fcb7ee50f064a8ad20933e11015e3caac8c164ec2ca890b4f64a5747be52daeeb554eb9b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zicev.exe

Filesize
223KB

MD5
6414b59c9e5dd8410b2f6c6fd94c1688

SHA1
f3b65ffe0d7c8408996efcf825e43ec7f247552e

SHA256
96ad80ae157f9da590a43ebac1c7b54eea49049530b6058793d444fb4db11f7a

SHA512
872ac733bca21518178c56bc7ec204fd122dd3c3e0c00bd73761c0fcb7ee50f064a8ad20933e11015e3caac8c164ec2ca890b4f64a5747be52daeeb554eb9b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zicev.exe

Filesize
223KB

MD5
6414b59c9e5dd8410b2f6c6fd94c1688

SHA1
f3b65ffe0d7c8408996efcf825e43ec7f247552e

SHA256
96ad80ae157f9da590a43ebac1c7b54eea49049530b6058793d444fb4db11f7a

SHA512
872ac733bca21518178c56bc7ec204fd122dd3c3e0c00bd73761c0fcb7ee50f064a8ad20933e11015e3caac8c164ec2ca890b4f64a5747be52daeeb554eb9b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zilyso.exe

Filesize
454KB

MD5
264742a5b9e8cb5bd258f5bffc4df695

SHA1
fb2a583fa103ba7b8d06aa580028b1e203c4002e

SHA256
3e0810c516b23db9867a84caefd0e4dd1af34edb522f5924226116552d2e9140

SHA512
1386beda6b78b22acc678b424d6fcc7e811cb910e8886be2c3f54609852dab120117aa5f1d7381357a45b024501e5ad51c846dc6210423a3dd06b045f710bfcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zilyso.exe

Filesize
454KB

MD5
264742a5b9e8cb5bd258f5bffc4df695

SHA1
fb2a583fa103ba7b8d06aa580028b1e203c4002e

SHA256
3e0810c516b23db9867a84caefd0e4dd1af34edb522f5924226116552d2e9140

SHA512
1386beda6b78b22acc678b424d6fcc7e811cb910e8886be2c3f54609852dab120117aa5f1d7381357a45b024501e5ad51c846dc6210423a3dd06b045f710bfcb

Download Submit
memory/260-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/260-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/884-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3436-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3436-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4996-38-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/4996-35-0x0000000000C30000-0x0000000000CD0000-memory.dmp

Filesize
640KB

Download
memory/4996-42-0x0000000000C30000-0x0000000000CD0000-memory.dmp

Filesize
640KB

Download
memory/4996-43-0x0000000000C30000-0x0000000000CD0000-memory.dmp

Filesize
640KB

Download
memory/4996-44-0x0000000000C30000-0x0000000000CD0000-memory.dmp

Filesize
640KB

Download
memory/4996-45-0x0000000000C30000-0x0000000000CD0000-memory.dmp

Filesize
640KB

Download