urelas | ce88880c864e08ea3f05fda81c87f9836b911e749a5c06128ff680ec14a31e56

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2023, 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.82d8f58a170837c3a8426a6a3d372740.exe
Size

436KB
MD5

82d8f58a170837c3a8426a6a3d372740
SHA1

b560ced3c13531bacd2df377e93b54cc430e157f
SHA256

ce88880c864e08ea3f05fda81c87f9836b911e749a5c06128ff680ec14a31e56
SHA512

c3fe4fdd54a124639ef2f863809ff9e8d59edb4f9f5e21b2c90270461255113c38fcaca6037995b87c9bdc76f401313239035bcacdcb8e794f0a2915ca64e943
SSDEEP

6144:0KcGGKC2No1dYL+cuGvd7jpBAbn+cioljJCnViTQBCA8R8Fs5cvxFQLrANOqk:G1KCJcuGvFpBAbnJj4nfBKmxFUrAlk

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.82d8f58a170837c3a8426a6a3d372740.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	roxyc.exe

Executes dropped EXE 2 IoCs

pid	Process
3052	roxyc.exe
3352	epqis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe
3352	epqis.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 3052	2212	NEAS.82d8f58a170837c3a8426a6a3d372740.exe	89
PID 2212 wrote to memory of 3052	2212	NEAS.82d8f58a170837c3a8426a6a3d372740.exe	89
PID 2212 wrote to memory of 3052	2212	NEAS.82d8f58a170837c3a8426a6a3d372740.exe	89
PID 2212 wrote to memory of 4340	2212	NEAS.82d8f58a170837c3a8426a6a3d372740.exe	90
PID 2212 wrote to memory of 4340	2212	NEAS.82d8f58a170837c3a8426a6a3d372740.exe	90
PID 2212 wrote to memory of 4340	2212	NEAS.82d8f58a170837c3a8426a6a3d372740.exe	90
PID 3052 wrote to memory of 3352	3052	roxyc.exe	104
PID 3052 wrote to memory of 3352	3052	roxyc.exe	104
PID 3052 wrote to memory of 3352	3052	roxyc.exe	104

C:\Users\Admin\AppData\Local\Temp\NEAS.82d8f58a170837c3a8426a6a3d372740.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.82d8f58a170837c3a8426a6a3d372740.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\roxyc.exe
  "C:\Users\Admin\AppData\Local\Temp\roxyc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\epqis.exe
    "C:\Users\Admin\AppData\Local\Temp\epqis.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
9e0157787d337ab97816d790f66ba499

SHA1
8aea5be667d5a627b444cbe13ebce0ed7dca8d21

SHA256
a099c5cc7259c6a4875fae54ff2d720252932ee65d7450197181bb40eea90070

SHA512
b815f63578fc389140aedc29aa5a8f62552bb8223873739f8a70fb75605cc7a4ce16292fc6002223adaf766748c0ba81623c417fa389d4a03203e9e24c9c4292

Download Submit
C:\Users\Admin\AppData\Local\Temp\epqis.exe

Filesize
196KB

MD5
ed7d1971c70f53e93d429e3c0645d382

SHA1
28c5691e580df642aa5695b95da585e121727827

SHA256
f1b78490d5f4fa037025f1b74c5fa651c71f24f1df93e241a50d41a2b9e4e856

SHA512
bc7121acbcfb681b05bcec25d77fa5a1b60c286a89eb1f1566ac3d21b7fcb89f4b6e3d455f2d57548a6a91122c9a4371c5bb0c2124840ec668131fcbefbb726a

Download Submit
C:\Users\Admin\AppData\Local\Temp\epqis.exe

Filesize
196KB

MD5
ed7d1971c70f53e93d429e3c0645d382

SHA1
28c5691e580df642aa5695b95da585e121727827

SHA256
f1b78490d5f4fa037025f1b74c5fa651c71f24f1df93e241a50d41a2b9e4e856

SHA512
bc7121acbcfb681b05bcec25d77fa5a1b60c286a89eb1f1566ac3d21b7fcb89f4b6e3d455f2d57548a6a91122c9a4371c5bb0c2124840ec668131fcbefbb726a

Download Submit
C:\Users\Admin\AppData\Local\Temp\epqis.exe

Filesize
196KB

MD5
ed7d1971c70f53e93d429e3c0645d382

SHA1
28c5691e580df642aa5695b95da585e121727827

SHA256
f1b78490d5f4fa037025f1b74c5fa651c71f24f1df93e241a50d41a2b9e4e856

SHA512
bc7121acbcfb681b05bcec25d77fa5a1b60c286a89eb1f1566ac3d21b7fcb89f4b6e3d455f2d57548a6a91122c9a4371c5bb0c2124840ec668131fcbefbb726a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8569d9e0e742393343d004387be859fd

SHA1
867709f540ac6f3d9ee16ecc2d053858b2076d90

SHA256
91a1a8d45e94fe95de955d17fd6e5ac94f7a0b8133c6909059aa3e1b19ae810f

SHA512
d3001ce6e57eccd0167ececed75adbdbfb94d3e9e11a66b517506d6b1056abaf26169bc01f69a64b29ed99b9b4938d20bbcd284ebb5e4fe45dbe6ceca09eef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\roxyc.exe

Filesize
436KB

MD5
36f55b0591b60d32d29517bed0f0db7d

SHA1
602da6c05dba601572cbf1d91bd2f0ca565840ed

SHA256
56c98b400c120779b75fe61b2edd97c7fc0f3700b0df364d92df0527bd2689f0

SHA512
6214d7d5ccaba3b0701215966d06ef2e7e4ff703563e48202d8d6bcbc53caafa6d05d78ebacc06cd1c7ba6c338a72275d36315c08f76e8e395582b82827a4249

Download Submit
C:\Users\Admin\AppData\Local\Temp\roxyc.exe

Filesize
436KB

MD5
36f55b0591b60d32d29517bed0f0db7d

SHA1
602da6c05dba601572cbf1d91bd2f0ca565840ed

SHA256
56c98b400c120779b75fe61b2edd97c7fc0f3700b0df364d92df0527bd2689f0

SHA512
6214d7d5ccaba3b0701215966d06ef2e7e4ff703563e48202d8d6bcbc53caafa6d05d78ebacc06cd1c7ba6c338a72275d36315c08f76e8e395582b82827a4249

Download Submit
C:\Users\Admin\AppData\Local\Temp\roxyc.exe

Filesize
436KB

MD5
36f55b0591b60d32d29517bed0f0db7d

SHA1
602da6c05dba601572cbf1d91bd2f0ca565840ed

SHA256
56c98b400c120779b75fe61b2edd97c7fc0f3700b0df364d92df0527bd2689f0

SHA512
6214d7d5ccaba3b0701215966d06ef2e7e4ff703563e48202d8d6bcbc53caafa6d05d78ebacc06cd1c7ba6c338a72275d36315c08f76e8e395582b82827a4249

Download Submit
memory/2212-1-0x00000000014D0000-0x00000000014D1000-memory.dmp

Filesize
4KB

Download
memory/2212-0-0x0000000000B20000-0x0000000000BA1000-memory.dmp

Filesize
516KB

Download
memory/2212-16-0x0000000000B20000-0x0000000000BA1000-memory.dmp

Filesize
516KB

Download
memory/3052-10-0x0000000000D30000-0x0000000000DB1000-memory.dmp

Filesize
516KB

Download
memory/3052-19-0x0000000000D30000-0x0000000000DB1000-memory.dmp

Filesize
516KB

Download
memory/3052-35-0x0000000000D30000-0x0000000000DB1000-memory.dmp

Filesize
516KB

Download
memory/3052-15-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/3352-37-0x0000000000600000-0x0000000000695000-memory.dmp

Filesize
596KB

Download
memory/3352-39-0x0000000000600000-0x0000000000695000-memory.dmp

Filesize
596KB

Download
memory/3352-40-0x0000000000600000-0x0000000000695000-memory.dmp

Filesize
596KB

Download
memory/3352-41-0x0000000000600000-0x0000000000695000-memory.dmp

Filesize
596KB

Download
memory/3352-42-0x0000000000600000-0x0000000000695000-memory.dmp

Filesize
596KB

Download
memory/3352-43-0x0000000000600000-0x0000000000695000-memory.dmp

Filesize
596KB

Download