urelas | a3d93ac6346281e7dee8546016bf2114e3d45e39210b1b45d4a70246d4fa4265

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe
Size

454KB
MD5

1be0175b239625d2b3ed3642c0a703e0
SHA1

f24a9b1e5d8ca62d936c6f320eeaa7b38a6e9272
SHA256

a3d93ac6346281e7dee8546016bf2114e3d45e39210b1b45d4a70246d4fa4265
SHA512

e661f10c66c97276665888c29c3e8341e87d0be098ae7750617e63a582817bbd6ef66860787f4de2fa6f1bb321bcf5e6053c10587c748eaa8bdb3a7334b859f7
SSDEEP

6144:LEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhVOpdFRdm/3le:LMpASIcWYx2U6hAJVN0

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	umxuq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	ihbyyz.exe

Executes dropped EXE 3 IoCs

pid	Process
384	umxuq.exe
2068	ihbyyz.exe
1844	hozeb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4460	1844	WerFault.exe	109

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 384	3784	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe	84
PID 3784 wrote to memory of 384	3784	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe	84
PID 3784 wrote to memory of 384	3784	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe	84
PID 3784 wrote to memory of 2864	3784	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe	85
PID 3784 wrote to memory of 2864	3784	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe	85
PID 3784 wrote to memory of 2864	3784	NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe	85
PID 384 wrote to memory of 2068	384	umxuq.exe	88
PID 384 wrote to memory of 2068	384	umxuq.exe	88
PID 384 wrote to memory of 2068	384	umxuq.exe	88
PID 2068 wrote to memory of 1844	2068	ihbyyz.exe	109
PID 2068 wrote to memory of 1844	2068	ihbyyz.exe	109
PID 2068 wrote to memory of 1844	2068	ihbyyz.exe	109
PID 2068 wrote to memory of 4064	2068	ihbyyz.exe	110
PID 2068 wrote to memory of 4064	2068	ihbyyz.exe	110
PID 2068 wrote to memory of 4064	2068	ihbyyz.exe	110

C:\Users\Admin\AppData\Local\Temp\NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1be0175b239625d2b3ed3642c0a703e0_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Users\Admin\AppData\Local\Temp\umxuq.exe
  "C:\Users\Admin\AppData\Local\Temp\umxuq.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\ihbyyz.exe
    "C:\Users\Admin\AppData\Local\Temp\ihbyyz.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\hozeb.exe
      "C:\Users\Admin\AppData\Local\Temp\hozeb.exe"
      4⤵
      Executes dropped EXE
      PID:1844
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 216
        5⤵
        Program crash
        
        PID:4460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:4064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1844 -ip 1844
1⤵
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
4d19b5404a4ca690dd1f5cd3ff892ade

SHA1
1bbe4cfbb2cbf082f715e8b83ad0f5e5c5f2b831

SHA256
c3b9ee46b3091cf5ac75ade8d501c1d7f49d7d02efd8d38a30676ea3760b48e5

SHA512
aafff6fdbc7b4cc9809863645d5bee8f49bc4065a04107cb4a407d8a4304b644e3d0dd878d3021baf0e99cba19c3ab6e725726ad36a2fd2d49d1da8d03c5f548

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
27bc58560724f932e9da3aba0812c085

SHA1
99bfc55cce7d1eeb469e6936684e254576ef5fef

SHA256
5301b726f3f8e74a31b6c6639e9b2340d5aab86c2678118eaf44942cdfbffce1

SHA512
872328ab2b69347faf0a890ae44659affd9b679a39a70df1089cfb64a866851f3af2653d6961c92d66e5813902900c5f237469bc8dc652ec9c3cbc3a42dcbe8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
20b8870db42d8500e57582300868f543

SHA1
dfb1db351cf219fac06442319edc7cf1c9d59c3a

SHA256
31d0d584e43337e631a387bee2f0b594c48257f81d5027ade43ccc2ee3cd96f9

SHA512
41e87601f1f084166e429a89542bc79f05e2818b4b67a8fad2edbfad89f2d37f53ddbffa77ba00c56cea53f5be91eb4923128baf1d4b4eba13051f47244b86f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hozeb.exe

Filesize
223KB

MD5
48fc9515d810c6efbebf86b878db5abe

SHA1
220c17aa84026f53192c376d93c99c5395b0db11

SHA256
50c09d2885cd0502da4fc4af2a63c67b54b0d77742617eaa05018630055bbd87

SHA512
aad4c368b412c098daf9a6fa5a5f38e539cbf1ceca588949be0ec91e58b8254d28bc4083c1d27a851365d7aaec984eccd7a69b6bee375a306c23408b92c1a42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hozeb.exe

Filesize
223KB

MD5
48fc9515d810c6efbebf86b878db5abe

SHA1
220c17aa84026f53192c376d93c99c5395b0db11

SHA256
50c09d2885cd0502da4fc4af2a63c67b54b0d77742617eaa05018630055bbd87

SHA512
aad4c368b412c098daf9a6fa5a5f38e539cbf1ceca588949be0ec91e58b8254d28bc4083c1d27a851365d7aaec984eccd7a69b6bee375a306c23408b92c1a42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hozeb.exe

Filesize
223KB

MD5
48fc9515d810c6efbebf86b878db5abe

SHA1
220c17aa84026f53192c376d93c99c5395b0db11

SHA256
50c09d2885cd0502da4fc4af2a63c67b54b0d77742617eaa05018630055bbd87

SHA512
aad4c368b412c098daf9a6fa5a5f38e539cbf1ceca588949be0ec91e58b8254d28bc4083c1d27a851365d7aaec984eccd7a69b6bee375a306c23408b92c1a42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihbyyz.exe

Filesize
454KB

MD5
89a959dc7e3c10201740a33400cbdd0e

SHA1
6ce64102394991bd4edaeea0a5378cfb82fcdb31

SHA256
9179ba3e418a7798ad4938c70ee1e49b0afaba20e7b7e6af4f848ac5c77b3998

SHA512
f6ee9f22f542af7d098d80938b11c7b9baef8f8c6de0190f60f997a06bd7b65f3cae5dbfe9e772328153dd597479e189b09e8cab8cb67907b1c94e77126a2a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihbyyz.exe

Filesize
454KB

MD5
89a959dc7e3c10201740a33400cbdd0e

SHA1
6ce64102394991bd4edaeea0a5378cfb82fcdb31

SHA256
9179ba3e418a7798ad4938c70ee1e49b0afaba20e7b7e6af4f848ac5c77b3998

SHA512
f6ee9f22f542af7d098d80938b11c7b9baef8f8c6de0190f60f997a06bd7b65f3cae5dbfe9e772328153dd597479e189b09e8cab8cb67907b1c94e77126a2a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\umxuq.exe

Filesize
454KB

MD5
cbbda7c3eb614bc6fb21346b0075eac8

SHA1
3f81b08652761194dc5fa609a50db62ee2af025d

SHA256
7ab0e1a2e833cc893088d93bbbe19333d179a4b676ad4b5e0654043e820aa16e

SHA512
58452c06a3dd4bd1d0d3b8412d4eea0d0d111ac5aa61ade19dddeae110402bf3597667f9e0378eac8fd0cfb8458254115e39e42cb21f5e4acfc1e906eecfa84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\umxuq.exe

Filesize
454KB

MD5
cbbda7c3eb614bc6fb21346b0075eac8

SHA1
3f81b08652761194dc5fa609a50db62ee2af025d

SHA256
7ab0e1a2e833cc893088d93bbbe19333d179a4b676ad4b5e0654043e820aa16e

SHA512
58452c06a3dd4bd1d0d3b8412d4eea0d0d111ac5aa61ade19dddeae110402bf3597667f9e0378eac8fd0cfb8458254115e39e42cb21f5e4acfc1e906eecfa84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\umxuq.exe

Filesize
454KB

MD5
cbbda7c3eb614bc6fb21346b0075eac8

SHA1
3f81b08652761194dc5fa609a50db62ee2af025d

SHA256
7ab0e1a2e833cc893088d93bbbe19333d179a4b676ad4b5e0654043e820aa16e

SHA512
58452c06a3dd4bd1d0d3b8412d4eea0d0d111ac5aa61ade19dddeae110402bf3597667f9e0378eac8fd0cfb8458254115e39e42cb21f5e4acfc1e906eecfa84a

Download Submit
memory/384-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1844-37-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2068-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2068-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2068-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3784-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3784-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download