urelas | 2c23cab9e2722ddcc9ea7c78f630ed177cbcda9dd71da2d3d524e5864e9ce2ff

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d171f74d11f49784f4ab635173f33950_JC.exe
Size

450KB
MD5

d171f74d11f49784f4ab635173f33950
SHA1

8e719a662e0a60d3cd34e05e3de6b5be7176ab90
SHA256

2c23cab9e2722ddcc9ea7c78f630ed177cbcda9dd71da2d3d524e5864e9ce2ff
SHA512

6be38cb72a086741cc55c330975b75abbdad0629659802bcc89f5c89d2855982030c2673f8891de4cbfd52919fe9e46eabd91ecf77becc47f669594f19164f11
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpoN:PMpASIcWYx2U6hAJQnx

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	gyzei.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	qogawe.exe

Executes dropped EXE 3 IoCs

pid	Process
2676	gyzei.exe
944	qogawe.exe
928	azwyk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe
928	azwyk.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 2676	4592	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe	88
PID 4592 wrote to memory of 2676	4592	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe	88
PID 4592 wrote to memory of 2676	4592	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe	88
PID 4592 wrote to memory of 4208	4592	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe	89
PID 4592 wrote to memory of 4208	4592	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe	89
PID 4592 wrote to memory of 4208	4592	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe	89
PID 2676 wrote to memory of 944	2676	gyzei.exe	91
PID 2676 wrote to memory of 944	2676	gyzei.exe	91
PID 2676 wrote to memory of 944	2676	gyzei.exe	91
PID 944 wrote to memory of 928	944	qogawe.exe	106
PID 944 wrote to memory of 928	944	qogawe.exe	106
PID 944 wrote to memory of 928	944	qogawe.exe	106
PID 944 wrote to memory of 4324	944	qogawe.exe	108
PID 944 wrote to memory of 4324	944	qogawe.exe	108
PID 944 wrote to memory of 4324	944	qogawe.exe	108

C:\Users\Admin\AppData\Local\Temp\NEAS.d171f74d11f49784f4ab635173f33950_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d171f74d11f49784f4ab635173f33950_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Local\Temp\gyzei.exe
  "C:\Users\Admin\AppData\Local\Temp\gyzei.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\qogawe.exe
    "C:\Users\Admin\AppData\Local\Temp\qogawe.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Users\Admin\AppData\Local\Temp\azwyk.exe
      "C:\Users\Admin\AppData\Local\Temp\azwyk.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:4324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
aa1ad13bdf1c8cef820579d3bb182f05

SHA1
eb094f46aedf08325e697fee66b81d52bd137fa6

SHA256
bbf8765a5a2a9e3ecae5445e3ec93172ce9a7847e941bf7e76ec985caced2387

SHA512
0580c49facf2e4868bbc3cf38b37e44885f702c5aa477ebd8197f1964291ecad201d258a776c6c21d4189174e0b5d5564dc21f098117422cb8a3b3ae30258c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
6b94aa27fa3222746bd8bacc29f76836

SHA1
fa3ef70f0fdbfbcd5e7f2271e4ce29d53f842445

SHA256
d144bbb698223f87031880d8a4bea0be0d04dc1af94f2c0b69f0553cbe20e132

SHA512
ba7fbdf8b6655f7b945d607a3f5a669681a3927f87d32d07c05141f13e0abb5d374f1ef0409d29543aec9c7906a20395bd28e0961e49afd635a343808c89f485

Download Submit
C:\Users\Admin\AppData\Local\Temp\azwyk.exe

Filesize
223KB

MD5
bc2bb9c17a3ace92b52756c1d599212a

SHA1
7cd5f231230965b8032911d7290d483368c02a1d

SHA256
4f74fab753f3a32272c5efaffd71d8c3cca02d70718fc195d5538df3e78cb118

SHA512
288860daa48255b87e3330970f3ab62739e3aa33359bc7b747097696add0313a60bc76442fc73c50e81c7291952ecad23952c8cff2e48c43f3102a7f9f7a7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\azwyk.exe

Filesize
223KB

MD5
bc2bb9c17a3ace92b52756c1d599212a

SHA1
7cd5f231230965b8032911d7290d483368c02a1d

SHA256
4f74fab753f3a32272c5efaffd71d8c3cca02d70718fc195d5538df3e78cb118

SHA512
288860daa48255b87e3330970f3ab62739e3aa33359bc7b747097696add0313a60bc76442fc73c50e81c7291952ecad23952c8cff2e48c43f3102a7f9f7a7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\azwyk.exe

Filesize
223KB

MD5
bc2bb9c17a3ace92b52756c1d599212a

SHA1
7cd5f231230965b8032911d7290d483368c02a1d

SHA256
4f74fab753f3a32272c5efaffd71d8c3cca02d70718fc195d5538df3e78cb118

SHA512
288860daa48255b87e3330970f3ab62739e3aa33359bc7b747097696add0313a60bc76442fc73c50e81c7291952ecad23952c8cff2e48c43f3102a7f9f7a7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f12b9980c5d57cf65d10a24914f8d2f1

SHA1
181e10e7f3a08729a0c6c6ec492c5e6e9c11fa44

SHA256
da75e009b676011208056c5f8d3ee0e9c6c53d35999c926de6163900e82e3be3

SHA512
ce32a908b40ed6c7580bf8595766819db8630a05997552f64f5c9b58a739cb9ba94282b8e1fd01bfaa94586af045adc59fddfb2cd43057e7b4363b8aad9a6365

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyzei.exe

Filesize
450KB

MD5
3b5d0653c86fbd7d94302280bada607b

SHA1
a6ee5068f67da7f10e267ec844966143702ac1ef

SHA256
d2c59509f49576c650735e9c308146dcaa52c60e1eb2612d0a5a4b667162b684

SHA512
af152ddf833698396273fcb4d9b9df42e5884ef24dc3a5ad68a15e5dc4fa106428af63a3f11ca917802fa3ed89630888320cc09c89ade313be860805f3da2603

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyzei.exe

Filesize
450KB

MD5
3b5d0653c86fbd7d94302280bada607b

SHA1
a6ee5068f67da7f10e267ec844966143702ac1ef

SHA256
d2c59509f49576c650735e9c308146dcaa52c60e1eb2612d0a5a4b667162b684

SHA512
af152ddf833698396273fcb4d9b9df42e5884ef24dc3a5ad68a15e5dc4fa106428af63a3f11ca917802fa3ed89630888320cc09c89ade313be860805f3da2603

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyzei.exe

Filesize
450KB

MD5
3b5d0653c86fbd7d94302280bada607b

SHA1
a6ee5068f67da7f10e267ec844966143702ac1ef

SHA256
d2c59509f49576c650735e9c308146dcaa52c60e1eb2612d0a5a4b667162b684

SHA512
af152ddf833698396273fcb4d9b9df42e5884ef24dc3a5ad68a15e5dc4fa106428af63a3f11ca917802fa3ed89630888320cc09c89ade313be860805f3da2603

Download Submit
C:\Users\Admin\AppData\Local\Temp\qogawe.exe

Filesize
450KB

MD5
a71db3da1d32f7221adf66d69fca2fed

SHA1
d8ef491916b16e58715c3497e5749acbd570927f

SHA256
bae7f22cba577b0ceb196255fb3293c2b6e2fdda6a3f00208fe3f91941e11220

SHA512
3f17aad4b0d3a49fc2ecae4214c32361d7f32b42197f83b3a8d868c96c4833172c675c4e47551e6eb2323c2170186cb106280de61fe5189e4e9d17a184e6fbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qogawe.exe

Filesize
450KB

MD5
a71db3da1d32f7221adf66d69fca2fed

SHA1
d8ef491916b16e58715c3497e5749acbd570927f

SHA256
bae7f22cba577b0ceb196255fb3293c2b6e2fdda6a3f00208fe3f91941e11220

SHA512
3f17aad4b0d3a49fc2ecae4214c32361d7f32b42197f83b3a8d868c96c4833172c675c4e47551e6eb2323c2170186cb106280de61fe5189e4e9d17a184e6fbd1

Download Submit
memory/928-46-0x0000000000D40000-0x0000000000DE0000-memory.dmp

Filesize
640KB

Download
memory/928-45-0x0000000000D40000-0x0000000000DE0000-memory.dmp

Filesize
640KB

Download
memory/928-44-0x0000000000D40000-0x0000000000DE0000-memory.dmp

Filesize
640KB

Download
memory/928-42-0x0000000000D40000-0x0000000000DE0000-memory.dmp

Filesize
640KB

Download
memory/928-36-0x0000000000D40000-0x0000000000DE0000-memory.dmp

Filesize
640KB

Download
memory/928-37-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/928-43-0x0000000000D40000-0x0000000000DE0000-memory.dmp

Filesize
640KB

Download
memory/944-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/944-40-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2676-23-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4592-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4592-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download