urelas | 813dce12e5bfb771b7fe2a56983fa1f2ef42082c62f591707b858e1435354d6a

Analysis

max time kernel
152s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b3aaedd33513845a30981044333b68e.exe
Size

446KB
MD5

5b3aaedd33513845a30981044333b68e
SHA1

6e2cd98df9ce8156ceec25acbe9226c765659774
SHA256

813dce12e5bfb771b7fe2a56983fa1f2ef42082c62f591707b858e1435354d6a
SHA512

417344cd389a6b1b3e1372a1952be59e9ec9b5969a95415f9fd53f1bd885b57860b5af298075ed3b7346964919cf1b0944c9670284daf84de8dad30be394fdb0
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpY:PMpASIcWYx2U6hAJQnb

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	vywivo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	5b3aaedd33513845a30981044333b68e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	woqew.exe

Executes dropped EXE 3 IoCs

pid	Process
3084	woqew.exe
5000	vywivo.exe
3808	kabub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe
3808	kabub.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 3084	4792	5b3aaedd33513845a30981044333b68e.exe	92
PID 4792 wrote to memory of 3084	4792	5b3aaedd33513845a30981044333b68e.exe	92
PID 4792 wrote to memory of 3084	4792	5b3aaedd33513845a30981044333b68e.exe	92
PID 4792 wrote to memory of 1636	4792	5b3aaedd33513845a30981044333b68e.exe	93
PID 4792 wrote to memory of 1636	4792	5b3aaedd33513845a30981044333b68e.exe	93
PID 4792 wrote to memory of 1636	4792	5b3aaedd33513845a30981044333b68e.exe	93
PID 3084 wrote to memory of 5000	3084	woqew.exe	95
PID 3084 wrote to memory of 5000	3084	woqew.exe	95
PID 3084 wrote to memory of 5000	3084	woqew.exe	95
PID 5000 wrote to memory of 3808	5000	vywivo.exe	114
PID 5000 wrote to memory of 3808	5000	vywivo.exe	114
PID 5000 wrote to memory of 3808	5000	vywivo.exe	114
PID 5000 wrote to memory of 2136	5000	vywivo.exe	115
PID 5000 wrote to memory of 2136	5000	vywivo.exe	115
PID 5000 wrote to memory of 2136	5000	vywivo.exe	115

C:\Users\Admin\AppData\Local\Temp\5b3aaedd33513845a30981044333b68e.exe
"C:\Users\Admin\AppData\Local\Temp\5b3aaedd33513845a30981044333b68e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Local\Temp\woqew.exe
  "C:\Users\Admin\AppData\Local\Temp\woqew.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Users\Admin\AppData\Local\Temp\vywivo.exe
    "C:\Users\Admin\AppData\Local\Temp\vywivo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\kabub.exe
      "C:\Users\Admin\AppData\Local\Temp\kabub.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
276B

MD5
4fd4b8cbce51a1dfa65c7e5961b66311

SHA1
de693804918c58d439442b96ff59fc75f852c88c

SHA256
490199c70779a2a28338c79ef9b3f77f560c724f432d6fcfb9d89f7c867fc93d

SHA512
44a24acfb8e3443e0d7c7ce85770f0129062170a5cb24e84ac90a6c14d63ace4156d76610c8cbf18444a08fdbf7ed17eb0a15740ea01f4715aa6915b4a8200ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
3b4bc7a3b62673107795e742dd4168f3

SHA1
192cd8080b53d12238856afe7908d71e097f06e6

SHA256
f202915ad902b47392708b9932fd95128454c4303aa1e4d19e562ec3477ded1e

SHA512
51432d47aaa61cfea6dba80c18ed97366496585fadbb66132317cb8c8538cf6da3cd54923b17f3eedcf53db8ee2fef2679c4bddaaa29c1eec8359a53487eede5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fe5d0aeb9dedd4ffda8a23e650b1cb2c

SHA1
2d662c83db223027f4a9cd1972f1f9a8d867a5e5

SHA256
bbcdcbdf022023a1ad5146300ad2d40ebcfe90986392b585ba1a79b4f4e15255

SHA512
01d2d7f0528019de88a8d27fa15cb31e197fd2ef33ad033e0dec8807d416d4c5c1ca646c028efc0edfa939124955b7a93c4effb194ae4e115c91eeffb14e400e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kabub.exe

Filesize
223KB

MD5
2e54f535535272d460cc4ff0979a4161

SHA1
e94606472204b913e337f0a91d139c81a4cc58cf

SHA256
50eb58b68a7069f955bb05636fe6284e4a8d07ac8855d5690523c35e5549c429

SHA512
1c7cb2f5a2882f25db2a1735f68bf6b0bed9284a21b931bef0e1fd9d6426eb8a87c7e2613084109d2b68dee987759d45791495b22f8658234c426d9dfc7e4952

Download Submit
C:\Users\Admin\AppData\Local\Temp\vywivo.exe

Filesize
149KB

MD5
1817dd69f6976a40a2772d4c8cf06f95

SHA1
ec967b7ad0f66c95e8b5b362a9f2edbdc4ab943c

SHA256
7e6eb5e70ff9ce9cc0996f0a9e86ecaf71811b5f0e7413c6ca82db14f2b6834f

SHA512
005d90494a2b84084ea46fef8cfd813f94b7e76c523cc44e91f4d2d94e1c9f3e08586d57719dec04d6b2df69240dfa876b5583e3da2358caf07fdc073bb920e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vywivo.exe

Filesize
147KB

MD5
40275fae72acba3c04a609fdb91f09e5

SHA1
583417cb777ade7178cd29058ab6e8c845260722

SHA256
e8551b4cffb04c4cb5a51d1891b0a1445bb77b55b90da17ebdc9d8fea8dc9aae

SHA512
2649c10d147a35c9ae203de8ba65e6949f07e62f0454e60274cd090c3a171e28dca3d37b9c10c8133c7788606c209703d9aa171bcd824aca502c3d865bbe807c

Download Submit
C:\Users\Admin\AppData\Local\Temp\woqew.exe

Filesize
305KB

MD5
88fffa8989cf238784647bb349302314

SHA1
fabd9fb8642e4a393b565d6b2ded8e51a012e2ef

SHA256
57a565845dfff071f7386c00512379b5c9dae43d3cfd0ac5fc5f35d15378e614

SHA512
d2e1d2594ce1fddd833288c23b3ff80dec3c447447b706d67ccc9a12161c664988371713f01c4dabac1ee92463a4363ef905aa79e200ca9be8dac29674ad6b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\woqew.exe

Filesize
156KB

MD5
1d8aee5b4ff579da9bd1e7fbd7979a5d

SHA1
93573d5b084249c57ff72a7de2ff62f78a068a4e

SHA256
e71e0dbfcdd3dcb74e53187c5792621fdcce14378346895785fbf957432c8e4f

SHA512
8598e8c843d660f46ed0b31fed012a0730598b32f954ed890dba13829555987beb4ffbacae5c0f7f84e7a2be8212da6f7bb337e26c764277d96c2661a2a5bfa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\woqew.exe

Filesize
195KB

MD5
c27f31586dbcdba71ebe2d8ca7681e7e

SHA1
5d9d6a75555bc46efbc16b7a8c15bd7c112bbb43

SHA256
93c15911c6e1fab28deb34e0e73f050a02a5fdaabfe1cf62557674d3ee0dbeb4

SHA512
dae95223ed98767b5a0511123d3653ff88fc98848a948a968e19dd39fcd2bc46ac88702e8bd40460c10d4925a1ec4359e7a1670cf7e0d7000f767ac02def9f52

Download Submit
memory/3084-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3084-13-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3808-37-0x0000000000720000-0x00000000007C0000-memory.dmp

Filesize
640KB

Download
memory/3808-45-0x0000000000720000-0x00000000007C0000-memory.dmp

Filesize
640KB

Download
memory/3808-39-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/3808-46-0x0000000000720000-0x00000000007C0000-memory.dmp

Filesize
640KB

Download
memory/3808-43-0x0000000000720000-0x00000000007C0000-memory.dmp

Filesize
640KB

Download
memory/3808-44-0x0000000000720000-0x00000000007C0000-memory.dmp

Filesize
640KB

Download
memory/4792-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4792-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5000-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5000-40-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download