urelas | d89db36777307b0ccee1e2a45bfaccc443ac73a7857abc180214f6c8a1ca0190

Analysis

max time kernel
162s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2023 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe
Size

291KB
MD5

60d1c44a86f8b6d8b59ca380556c9340
SHA1

aa55e9b3038377eb4ec6cac5ffa8bb1332922989
SHA256

d89db36777307b0ccee1e2a45bfaccc443ac73a7857abc180214f6c8a1ca0190
SHA512

af9f34e6620a70deb49c88f14c4637ee87a78bc7960f1c55074189c9db041b2030694754743ece2dfd35da6fe9cc1369e40efa8e71a1f1add7baba3b35b1a78b
SSDEEP

6144:zCKw0+tZvozAx9/dpwwyQHhjqZDq8NjPCjEGpAJiJ/L4IR:2JH0Ze8NzIWez4IR

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	rypic.exe

Executes dropped EXE 2 IoCs

pid	Process
3928	rypic.exe
3736	kiwyl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe
3736	kiwyl.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 3928	2740	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe	90
PID 2740 wrote to memory of 3928	2740	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe	90
PID 2740 wrote to memory of 3928	2740	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe	90
PID 2740 wrote to memory of 5116	2740	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe	91
PID 2740 wrote to memory of 5116	2740	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe	91
PID 2740 wrote to memory of 5116	2740	NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe	91
PID 3928 wrote to memory of 3736	3928	rypic.exe	97
PID 3928 wrote to memory of 3736	3928	rypic.exe	97
PID 3928 wrote to memory of 3736	3928	rypic.exe	97

C:\Users\Admin\AppData\Local\Temp\NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.60d1c44a86f8b6d8b59ca380556c9340.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\rypic.exe
  "C:\Users\Admin\AppData\Local\Temp\rypic.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Users\Admin\AppData\Local\Temp\kiwyl.exe
    "C:\Users\Admin\AppData\Local\Temp\kiwyl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
92a9f7de410456a6fe5ee312188a8c24

SHA1
e75dcbec67d7416a14e5dee1a156e2f812f42295

SHA256
3d21d3bf0bbdef3d6578b90889e7ddda84eeb90013459015e9b8c34c8071e9a1

SHA512
2286f3b52e6a1994d56a9381e026f0bdd74770d3e704beda1ffb45ff1f81e5396a715b4efa887dd126742368e8b9e1ee19e4c61b97928e639e3657d95c898a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d1f560eadc2edef771315193617293d1

SHA1
76d30b9483366bbbd5303de8dbb70e701e93f30a

SHA256
59f5bc444d8b584be922c07a969da3d54ac523efb74a2ced7f48029f7371e5a1

SHA512
e93f5fb94997875fc8b465bb3284d5cf13d638f6dc8d1ce8c38bdd67e5a73828c6ac81a59cecca6fabeb6c0e30830514a1584bd075d765607a9835e4a1ce3d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiwyl.exe

Filesize
208KB

MD5
5df15949c0e169fe3db5ed7fc48ade05

SHA1
9494ff122c6d084f084cbf958b3da2a8158f0ba6

SHA256
26a0bc2a77be4107e85029a737f7120f00c5980da9b926dd13225017404df9a2

SHA512
0ecebaec953d212b3a8ec837fc3d8cfb39f01aab650bed0d955eb9755d27724b343fe58b407157d5ee886e44ed387b6e1c1f45b44f42abd4de2233e3ea512933

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiwyl.exe

Filesize
208KB

MD5
5df15949c0e169fe3db5ed7fc48ade05

SHA1
9494ff122c6d084f084cbf958b3da2a8158f0ba6

SHA256
26a0bc2a77be4107e85029a737f7120f00c5980da9b926dd13225017404df9a2

SHA512
0ecebaec953d212b3a8ec837fc3d8cfb39f01aab650bed0d955eb9755d27724b343fe58b407157d5ee886e44ed387b6e1c1f45b44f42abd4de2233e3ea512933

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiwyl.exe

Filesize
208KB

MD5
5df15949c0e169fe3db5ed7fc48ade05

SHA1
9494ff122c6d084f084cbf958b3da2a8158f0ba6

SHA256
26a0bc2a77be4107e85029a737f7120f00c5980da9b926dd13225017404df9a2

SHA512
0ecebaec953d212b3a8ec837fc3d8cfb39f01aab650bed0d955eb9755d27724b343fe58b407157d5ee886e44ed387b6e1c1f45b44f42abd4de2233e3ea512933

Download Submit
C:\Users\Admin\AppData\Local\Temp\rypic.exe

Filesize
291KB

MD5
2c01079dc0d8f5b0db6e75dde2ec64ba

SHA1
fe5c06aee12f4fe974dc6754d8dce3991e5790ac

SHA256
0053190b3219e1a622d24bfe4e9c570ae4628958be1761810e084504e702303f

SHA512
be386631ba4592381ff19a3dbf359fa00579dede5a59c25d2068a71d804561a5bd5716641a85371beb74f83a5fe61d947f082cd81471447b2b10b9b621ed0f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rypic.exe

Filesize
291KB

MD5
2c01079dc0d8f5b0db6e75dde2ec64ba

SHA1
fe5c06aee12f4fe974dc6754d8dce3991e5790ac

SHA256
0053190b3219e1a622d24bfe4e9c570ae4628958be1761810e084504e702303f

SHA512
be386631ba4592381ff19a3dbf359fa00579dede5a59c25d2068a71d804561a5bd5716641a85371beb74f83a5fe61d947f082cd81471447b2b10b9b621ed0f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rypic.exe

Filesize
291KB

MD5
2c01079dc0d8f5b0db6e75dde2ec64ba

SHA1
fe5c06aee12f4fe974dc6754d8dce3991e5790ac

SHA256
0053190b3219e1a622d24bfe4e9c570ae4628958be1761810e084504e702303f

SHA512
be386631ba4592381ff19a3dbf359fa00579dede5a59c25d2068a71d804561a5bd5716641a85371beb74f83a5fe61d947f082cd81471447b2b10b9b621ed0f6c

Download Submit
memory/2740-4-0x0000000000E10000-0x0000000000EBE000-memory.dmp

Filesize
696KB

Download
memory/2740-0-0x0000000000E10000-0x0000000000EBE000-memory.dmp

Filesize
696KB

Download
memory/2740-15-0x0000000000E10000-0x0000000000EBE000-memory.dmp

Filesize
696KB

Download
memory/3736-34-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3736-37-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3736-39-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3736-40-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3736-41-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3736-42-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3736-43-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3736-44-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3928-36-0x0000000000D20000-0x0000000000DCE000-memory.dmp

Filesize
696KB

Download
memory/3928-18-0x0000000000D20000-0x0000000000DCE000-memory.dmp

Filesize
696KB

Download
memory/3928-10-0x0000000000D20000-0x0000000000DCE000-memory.dmp

Filesize
696KB

Download