urelas | 86cc68de2266eaf0560de17db6ecb6b709def9c57ce97d02e5bc0b29ac3d1757

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe
Size

424KB
MD5

e3fefcba5a3db158d0bf494df1a80cf0
SHA1

ff90099b08b134a55bc39970c4f3952d32ca501f
SHA256

86cc68de2266eaf0560de17db6ecb6b709def9c57ce97d02e5bc0b29ac3d1757
SHA512

520200330946490715abf5fae7d73d934a812f759e89633dab8b7561091b597fd27dd20d5b2d3d88aba7439255073989522da6946b33f7d679bfa1420e86dccc
SSDEEP

6144:to3wRi+1Py3V0a2WkQ6P9N2Y/Op9eXQ6fU//BFuHt07Vx9Ulw:w6f1PyKa2u6P9N2y3U/mHyUw

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	dohig.exe

Executes dropped EXE 2 IoCs

pid	Process
2088	dohig.exe
1032	vinog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe
1032	vinog.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2088	1032	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe	94
PID 1032 wrote to memory of 2088	1032	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe	94
PID 1032 wrote to memory of 2088	1032	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe	94
PID 1032 wrote to memory of 32	1032	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe	95
PID 1032 wrote to memory of 32	1032	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe	95
PID 1032 wrote to memory of 32	1032	NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe	95
PID 2088 wrote to memory of 1032	2088	dohig.exe	111
PID 2088 wrote to memory of 1032	2088	dohig.exe	111
PID 2088 wrote to memory of 1032	2088	dohig.exe	111

C:\Users\Admin\AppData\Local\Temp\NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e3fefcba5a3db158d0bf494df1a80cf0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Local\Temp\dohig.exe
  "C:\Users\Admin\AppData\Local\Temp\dohig.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\vinog.exe
    "C:\Users\Admin\AppData\Local\Temp\vinog.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
3220a78c74f8c72a2bc4ab163889aa4c

SHA1
ea6312cf00fff3b5f9809b600ebed5399d9c9aa8

SHA256
906a392b0af8ee7573e5a6cba81bc2eb335609b9ba8d9bc76a6cc6f41af29c3a

SHA512
d79ee57992db81599a99513ab02986a82653beb9fb1d6d4aa9eeea00c0c1b9df76dd198cf7d83843d000e43cebc6798c2e99855ac0bc6318e6c6b7fab9a40018

Download Submit
C:\Users\Admin\AppData\Local\Temp\dohig.exe

Filesize
424KB

MD5
780dc98f54b6a04565a31b578c8f15ae

SHA1
6bcca9eff12cfb775542134fb05eb86ae0a674da

SHA256
df58926cf32bb6cda8896a0fe4764d329185cb8452c645df052d7ee7b537d6f8

SHA512
502fd214c2fb6c6934816bfd0ccbd236ed367bd90bcf87f92e16a48471a1f6d3f12aa9f923ffa4ebea52bf09a3f8aa90f52d601b99744d675f0504ebe97fbe26

Download Submit
C:\Users\Admin\AppData\Local\Temp\dohig.exe

Filesize
424KB

MD5
780dc98f54b6a04565a31b578c8f15ae

SHA1
6bcca9eff12cfb775542134fb05eb86ae0a674da

SHA256
df58926cf32bb6cda8896a0fe4764d329185cb8452c645df052d7ee7b537d6f8

SHA512
502fd214c2fb6c6934816bfd0ccbd236ed367bd90bcf87f92e16a48471a1f6d3f12aa9f923ffa4ebea52bf09a3f8aa90f52d601b99744d675f0504ebe97fbe26

Download Submit
C:\Users\Admin\AppData\Local\Temp\dohig.exe

Filesize
424KB

MD5
780dc98f54b6a04565a31b578c8f15ae

SHA1
6bcca9eff12cfb775542134fb05eb86ae0a674da

SHA256
df58926cf32bb6cda8896a0fe4764d329185cb8452c645df052d7ee7b537d6f8

SHA512
502fd214c2fb6c6934816bfd0ccbd236ed367bd90bcf87f92e16a48471a1f6d3f12aa9f923ffa4ebea52bf09a3f8aa90f52d601b99744d675f0504ebe97fbe26

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
118a880bacf4cfb76548653736d93a17

SHA1
fd744062ae308567653f53d2226f648fc10c1434

SHA256
96a06705dc6132b42d1eba9620d6fe95b43ea926aca788fd6fcd345181af3b11

SHA512
c70d79507c8166e018e91cbe9065a5271214851cb4e441c2ddba867c7870d6fe6ad844645f33f07e48d31e0f4d3e126f3e4e860337eb85e72ecf5952e02d2f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\vinog.exe

Filesize
208KB

MD5
ba357b13baf26ddf3fd03a707a6c7fbd

SHA1
3d9f8f2c5f2f000d9ee8c2e77b68319822e5ebd8

SHA256
10bb5dba0fea6862a0f79087294636694db094ffffdff565a1ed6f25a37596b0

SHA512
253fd07ed1efb7d703d88976f592061b551b046f2fda17da73ae773e17c92013c9edc4d3a6a97972d8c592e81811e567180445d47e9c37128af28403dc300250

Download Submit
C:\Users\Admin\AppData\Local\Temp\vinog.exe

Filesize
208KB

MD5
ba357b13baf26ddf3fd03a707a6c7fbd

SHA1
3d9f8f2c5f2f000d9ee8c2e77b68319822e5ebd8

SHA256
10bb5dba0fea6862a0f79087294636694db094ffffdff565a1ed6f25a37596b0

SHA512
253fd07ed1efb7d703d88976f592061b551b046f2fda17da73ae773e17c92013c9edc4d3a6a97972d8c592e81811e567180445d47e9c37128af28403dc300250

Download Submit
C:\Users\Admin\AppData\Local\Temp\vinog.exe

Filesize
208KB

MD5
ba357b13baf26ddf3fd03a707a6c7fbd

SHA1
3d9f8f2c5f2f000d9ee8c2e77b68319822e5ebd8

SHA256
10bb5dba0fea6862a0f79087294636694db094ffffdff565a1ed6f25a37596b0

SHA512
253fd07ed1efb7d703d88976f592061b551b046f2fda17da73ae773e17c92013c9edc4d3a6a97972d8c592e81811e567180445d47e9c37128af28403dc300250

Download Submit
memory/1032-14-0x00000000007E0000-0x000000000084C000-memory.dmp

Filesize
432KB

Download
memory/1032-0-0x00000000007E0000-0x000000000084C000-memory.dmp

Filesize
432KB

Download
memory/1032-25-0x0000000000430000-0x00000000004CE000-memory.dmp

Filesize
632KB

Download
memory/1032-28-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/1032-30-0x0000000000430000-0x00000000004CE000-memory.dmp

Filesize
632KB

Download
memory/1032-31-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/1032-32-0x0000000000430000-0x00000000004CE000-memory.dmp

Filesize
632KB

Download
memory/1032-33-0x0000000000430000-0x00000000004CE000-memory.dmp

Filesize
632KB

Download
memory/1032-34-0x0000000000430000-0x00000000004CE000-memory.dmp

Filesize
632KB

Download
memory/1032-35-0x0000000000430000-0x00000000004CE000-memory.dmp

Filesize
632KB

Download
memory/2088-17-0x0000000000F00000-0x0000000000F6C000-memory.dmp

Filesize
432KB

Download
memory/2088-12-0x0000000000F00000-0x0000000000F6C000-memory.dmp

Filesize
432KB

Download
memory/2088-26-0x0000000000F00000-0x0000000000F6C000-memory.dmp

Filesize
432KB

Download