urelas | 3ed4c393a9e6d89cbd1cccfb8e49fae690fe47275430ed231056e4f53c62a87d

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.df3687312fc920f741b48436a5b26ee0.exe
Size

461KB
MD5

df3687312fc920f741b48436a5b26ee0
SHA1

fb4deb7410ee017a65c07da0eb75b75fa6101da3
SHA256

3ed4c393a9e6d89cbd1cccfb8e49fae690fe47275430ed231056e4f53c62a87d
SHA512

e90c23f9df791b2588f3cf2f4346d1a119a16c2694cabd8eccd10c614fdbaadb2281812a8782e90c52f5b6300f59919cd31acd41d5a0b4a9998ef7cc68afac4d
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6mwrxcvkzmSOphmZ:PMpASIcWYx2U6kQnD

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	NEAS.df3687312fc920f741b48436a5b26ee0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	ezruq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	hofedu.exe

Executes dropped EXE 3 IoCs

pid	Process
2516	ezruq.exe
2392	hofedu.exe
2860	mugob.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2812	2860	WerFault.exe	112
3880	2860	WerFault.exe	112

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2516	2912	NEAS.df3687312fc920f741b48436a5b26ee0.exe	89
PID 2912 wrote to memory of 2516	2912	NEAS.df3687312fc920f741b48436a5b26ee0.exe	89
PID 2912 wrote to memory of 2516	2912	NEAS.df3687312fc920f741b48436a5b26ee0.exe	89
PID 2912 wrote to memory of 3880	2912	NEAS.df3687312fc920f741b48436a5b26ee0.exe	90
PID 2912 wrote to memory of 3880	2912	NEAS.df3687312fc920f741b48436a5b26ee0.exe	90
PID 2912 wrote to memory of 3880	2912	NEAS.df3687312fc920f741b48436a5b26ee0.exe	90
PID 2516 wrote to memory of 2392	2516	ezruq.exe	92
PID 2516 wrote to memory of 2392	2516	ezruq.exe	92
PID 2516 wrote to memory of 2392	2516	ezruq.exe	92
PID 2392 wrote to memory of 2860	2392	hofedu.exe	112
PID 2392 wrote to memory of 2860	2392	hofedu.exe	112
PID 2392 wrote to memory of 2860	2392	hofedu.exe	112
PID 2392 wrote to memory of 4132	2392	hofedu.exe	114
PID 2392 wrote to memory of 4132	2392	hofedu.exe	114
PID 2392 wrote to memory of 4132	2392	hofedu.exe	114

C:\Users\Admin\AppData\Local\Temp\NEAS.df3687312fc920f741b48436a5b26ee0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.df3687312fc920f741b48436a5b26ee0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\ezruq.exe
  "C:\Users\Admin\AppData\Local\Temp\ezruq.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\hofedu.exe
    "C:\Users\Admin\AppData\Local\Temp\hofedu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\mugob.exe
      "C:\Users\Admin\AppData\Local\Temp\mugob.exe"
      4⤵
      Executes dropped EXE
      PID:2860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 216
        5⤵
        Program crash
        
        PID:2812
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 220
        5⤵
        Program crash
        
        PID:3880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2860 -ip 2860
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2860 -ip 2860
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
286B

MD5
ba5d7be6013359a376e4297ed7e03643

SHA1
33e2d0aee0a7815c2fd549553fb8ca37cfc5fa57

SHA256
b97f584b9b367eddc87243d821e252f62b9feeb7a48f21eaafb9fed6fa3db2c7

SHA512
d1ff7176190e63ffe489ef59208b109f791eaf3ef1486136cca6e994091dbc17dbdd32c404397b20d1c2971ba8f1e94b9e5e9db228344add07050ecf727f717d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
7e16abc31b2bd45cbaa85da87e026d2e

SHA1
15a08abdb06e32394e5025e41687f45ae2fb6e3d

SHA256
ff36b9840069870328ac5b4125ea56298e7cac84f93900dd7fdf2a2a3feaaa08

SHA512
dc5583f0131bef08d0dd1b4315cc390fb7dc95d87e259af82163d8b49cde9febf839e999b6682795b03ec2e4986a8d58b01231135be32ce7d8f5f855923f94d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezruq.exe

Filesize
462KB

MD5
29c395eaec0bd33760f4ff026dc8d40f

SHA1
280ee3b60577dd63551d52df1ccb7df3d82bcbc5

SHA256
b94cb463489436ad272bb29dda60d38e5b4b0124030dfc4dc37eb6c013027374

SHA512
c76a3face9b270d63f18138c36385ab6124e6c01a2a546a1f3da0386ce06ec4a8197c1cde80a7356a5c117e5170e5825339e80a34b4bba69d0b69c341b0bc59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezruq.exe

Filesize
462KB

MD5
29c395eaec0bd33760f4ff026dc8d40f

SHA1
280ee3b60577dd63551d52df1ccb7df3d82bcbc5

SHA256
b94cb463489436ad272bb29dda60d38e5b4b0124030dfc4dc37eb6c013027374

SHA512
c76a3face9b270d63f18138c36385ab6124e6c01a2a546a1f3da0386ce06ec4a8197c1cde80a7356a5c117e5170e5825339e80a34b4bba69d0b69c341b0bc59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezruq.exe

Filesize
462KB

MD5
29c395eaec0bd33760f4ff026dc8d40f

SHA1
280ee3b60577dd63551d52df1ccb7df3d82bcbc5

SHA256
b94cb463489436ad272bb29dda60d38e5b4b0124030dfc4dc37eb6c013027374

SHA512
c76a3face9b270d63f18138c36385ab6124e6c01a2a546a1f3da0386ce06ec4a8197c1cde80a7356a5c117e5170e5825339e80a34b4bba69d0b69c341b0bc59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
28ed0ed7cf1ab3a85b0951daa4c60b22

SHA1
0e6b1806394034453a10a4d850007dad8ad4cf5e

SHA256
bbad2bbb6330c8ddb7b563699814bc3c838495d8629e40ee1b1e2a0aed6c621f

SHA512
ca728f2d8a163d7329fbe1fa26c77c19a90d59bbfaba3f2ff3d82c9d97dc80be17898ce3484e57d98266db8d5485578186214201f31709707ed3e4cc5b228779

Download Submit
C:\Users\Admin\AppData\Local\Temp\hofedu.exe

Filesize
462KB

MD5
d351050bcf0e1a93dbd42d00318100ed

SHA1
65486487dbe2a957128862bb599c0094f6f6cefe

SHA256
4e8e700d870f14fe04f23fe9622cdeb0dc48136d589a2057fbc78197fcfd538d

SHA512
7348ef844bfdc51feb9a6773c0acb34a86cbc38b2767d12678f4195db167227f2f9de460a632e560e911586aa8cac1565b8e29e71a2f7731d88f3ace496e6c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hofedu.exe

Filesize
462KB

MD5
d351050bcf0e1a93dbd42d00318100ed

SHA1
65486487dbe2a957128862bb599c0094f6f6cefe

SHA256
4e8e700d870f14fe04f23fe9622cdeb0dc48136d589a2057fbc78197fcfd538d

SHA512
7348ef844bfdc51feb9a6773c0acb34a86cbc38b2767d12678f4195db167227f2f9de460a632e560e911586aa8cac1565b8e29e71a2f7731d88f3ace496e6c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mugob.exe

Filesize
223KB

MD5
eda8939560f2588970e33a534c4b63b1

SHA1
b3b261ed843ca4705b993152c585d9a74c5bfed3

SHA256
458d6039e7eabd4ee063e1e393623e788c85dc3733f46f11435b2b785062c592

SHA512
b412515d4de543bf43185bd3ffcab71027f471b4f5f14ab1168332fef20dd6a29595ded21f7c07ad37f74115a684b4bc36a99399b0897ffedcc870f1467d9498

Download Submit
C:\Users\Admin\AppData\Local\Temp\mugob.exe

Filesize
223KB

MD5
eda8939560f2588970e33a534c4b63b1

SHA1
b3b261ed843ca4705b993152c585d9a74c5bfed3

SHA256
458d6039e7eabd4ee063e1e393623e788c85dc3733f46f11435b2b785062c592

SHA512
b412515d4de543bf43185bd3ffcab71027f471b4f5f14ab1168332fef20dd6a29595ded21f7c07ad37f74115a684b4bc36a99399b0897ffedcc870f1467d9498

Download Submit
C:\Users\Admin\AppData\Local\Temp\mugob.exe

Filesize
223KB

MD5
eda8939560f2588970e33a534c4b63b1

SHA1
b3b261ed843ca4705b993152c585d9a74c5bfed3

SHA256
458d6039e7eabd4ee063e1e393623e788c85dc3733f46f11435b2b785062c592

SHA512
b412515d4de543bf43185bd3ffcab71027f471b4f5f14ab1168332fef20dd6a29595ded21f7c07ad37f74115a684b4bc36a99399b0897ffedcc870f1467d9498

Download Submit
memory/2392-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2392-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2516-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2516-12-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2860-36-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2912-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2912-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download