urelas | 342dc773c402041344590fb7a2aad07f560600fd0ce1649df078ff921d0795c7

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 14:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ba83637a43cd8c8af9251c7976301740.exe
Size

482KB
MD5

ba83637a43cd8c8af9251c7976301740
SHA1

5e57345dc28137342cf567df73ed538b944d4f64
SHA256

342dc773c402041344590fb7a2aad07f560600fd0ce1649df078ff921d0795c7
SHA512

d48d22e4b196152bb7b108d6ad4aa3300802456f5919c8eac30f9fce8fb6c917cb7e1f3f81f6aad35f546743d9adc17f3fa49dcb28ae7a4ddc6043aedf482219
SSDEEP

12288:2pbvglu0agWSFnxAEwKyLH8l+O9H6s2si2XfxKTbcJ:2pbXi5xzFUBaazsiofx8G

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	lypyx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.ba83637a43cd8c8af9251c7976301740.exe

Executes dropped EXE 2 IoCs

pid	Process
3852	lypyx.exe
1852	xoriq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe
1852	xoriq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 3852	3736	NEAS.ba83637a43cd8c8af9251c7976301740.exe	90
PID 3736 wrote to memory of 3852	3736	NEAS.ba83637a43cd8c8af9251c7976301740.exe	90
PID 3736 wrote to memory of 3852	3736	NEAS.ba83637a43cd8c8af9251c7976301740.exe	90
PID 3736 wrote to memory of 2688	3736	NEAS.ba83637a43cd8c8af9251c7976301740.exe	91
PID 3736 wrote to memory of 2688	3736	NEAS.ba83637a43cd8c8af9251c7976301740.exe	91
PID 3736 wrote to memory of 2688	3736	NEAS.ba83637a43cd8c8af9251c7976301740.exe	91
PID 3852 wrote to memory of 1852	3852	lypyx.exe	105
PID 3852 wrote to memory of 1852	3852	lypyx.exe	105
PID 3852 wrote to memory of 1852	3852	lypyx.exe	105

C:\Users\Admin\AppData\Local\Temp\NEAS.ba83637a43cd8c8af9251c7976301740.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ba83637a43cd8c8af9251c7976301740.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Users\Admin\AppData\Local\Temp\lypyx.exe
  "C:\Users\Admin\AppData\Local\Temp\lypyx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\xoriq.exe
    "C:\Users\Admin\AppData\Local\Temp\xoriq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
74c8196e17c0e02cacac6118b837be21

SHA1
c805901778379686e2f0d9c8e8dda63f6191bcac

SHA256
42ca45882efa9d97c4fba82f2e36b634530af4198bbff5eaa63c8ced7e9dbfc4

SHA512
5ebc70ad1cda3cf60ebe9e109dccd6de95ff78df7d02db1fe139a8ddee654341cc45bd069b83f8c432528d69d2cc028482be6534b929a6eafcec1de0f18285ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
11641d224d2cb44cc8a18301071e559d

SHA1
93b2537478e6118927e6f95d655b552657bd99b0

SHA256
0d277745a6d4177a9e0f0a37febb5e0edde2a04b8d26dab55410d054fea7d06c

SHA512
6d43716e650b1f892a81df563c5a7de54068f04b8f2685693f7dbcf4f30d9a93c4b42f2107dfe59af579ac04de7b5c90220454a029774252b3bf2caf0f5a7a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\lypyx.exe

Filesize
482KB

MD5
920358ab6d8b2bd1bbc957d703407d00

SHA1
cf50ebef95ec96d6290e1341fb28cbd39c403bf6

SHA256
4d9f4e08acbc8667cc220b71e3072ab1a429b23939738aa34bb3e0976553b825

SHA512
77e3852e3813463cbe1c0e9a174f0643973002a9c1368d11b86adfcc883a5712073d606ba6f345347decd5ca36be6c96361232ad983e11f8278fda7e3d32c7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lypyx.exe

Filesize
482KB

MD5
920358ab6d8b2bd1bbc957d703407d00

SHA1
cf50ebef95ec96d6290e1341fb28cbd39c403bf6

SHA256
4d9f4e08acbc8667cc220b71e3072ab1a429b23939738aa34bb3e0976553b825

SHA512
77e3852e3813463cbe1c0e9a174f0643973002a9c1368d11b86adfcc883a5712073d606ba6f345347decd5ca36be6c96361232ad983e11f8278fda7e3d32c7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lypyx.exe

Filesize
482KB

MD5
920358ab6d8b2bd1bbc957d703407d00

SHA1
cf50ebef95ec96d6290e1341fb28cbd39c403bf6

SHA256
4d9f4e08acbc8667cc220b71e3072ab1a429b23939738aa34bb3e0976553b825

SHA512
77e3852e3813463cbe1c0e9a174f0643973002a9c1368d11b86adfcc883a5712073d606ba6f345347decd5ca36be6c96361232ad983e11f8278fda7e3d32c7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoriq.exe

Filesize
217KB

MD5
29b62ea85dbce6a7f4c1bfbffab75a0f

SHA1
8a2a6af95afbd623d828311f94c9602f645f1d97

SHA256
f8efd80a23e2646dc4f1cca19790845fd0f8e2039d80afb304205b9047ec8194

SHA512
cb3ea3409e2823af1011c21d01edb930ed4427cc95cb44b0b0f4d58fb1e9eccf297eba4542362e2763439b1ab54d92b0fc3d42c96edaeb981884f5cce2fd9270

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoriq.exe

Filesize
217KB

MD5
29b62ea85dbce6a7f4c1bfbffab75a0f

SHA1
8a2a6af95afbd623d828311f94c9602f645f1d97

SHA256
f8efd80a23e2646dc4f1cca19790845fd0f8e2039d80afb304205b9047ec8194

SHA512
cb3ea3409e2823af1011c21d01edb930ed4427cc95cb44b0b0f4d58fb1e9eccf297eba4542362e2763439b1ab54d92b0fc3d42c96edaeb981884f5cce2fd9270

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoriq.exe

Filesize
217KB

MD5
29b62ea85dbce6a7f4c1bfbffab75a0f

SHA1
8a2a6af95afbd623d828311f94c9602f645f1d97

SHA256
f8efd80a23e2646dc4f1cca19790845fd0f8e2039d80afb304205b9047ec8194

SHA512
cb3ea3409e2823af1011c21d01edb930ed4427cc95cb44b0b0f4d58fb1e9eccf297eba4542362e2763439b1ab54d92b0fc3d42c96edaeb981884f5cce2fd9270

Download Submit
memory/1852-30-0x0000000000500000-0x00000000005B4000-memory.dmp

Filesize
720KB

Download
memory/1852-28-0x00000000009F0000-0x00000000009F2000-memory.dmp

Filesize
8KB

Download
memory/1852-26-0x0000000000500000-0x00000000005B4000-memory.dmp

Filesize
720KB

Download
memory/1852-31-0x0000000000500000-0x00000000005B4000-memory.dmp

Filesize
720KB

Download
memory/1852-32-0x0000000000500000-0x00000000005B4000-memory.dmp

Filesize
720KB

Download
memory/1852-33-0x0000000000500000-0x00000000005B4000-memory.dmp

Filesize
720KB

Download
memory/1852-34-0x0000000000500000-0x00000000005B4000-memory.dmp

Filesize
720KB

Download
memory/3736-14-0x00000000005F0000-0x0000000000678000-memory.dmp

Filesize
544KB

Download
memory/3736-0-0x00000000005F0000-0x0000000000678000-memory.dmp

Filesize
544KB

Download
memory/3852-17-0x0000000000B90000-0x0000000000C18000-memory.dmp

Filesize
544KB

Download
memory/3852-10-0x0000000000B90000-0x0000000000C18000-memory.dmp

Filesize
544KB

Download
memory/3852-27-0x0000000000B90000-0x0000000000C18000-memory.dmp

Filesize
544KB

Download