urelas | 41650b2d2e134e521c54fa3523fc261783954a8a75123e1f899ff9b39ec1a4e2

Analysis

max time kernel
157s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

131cb9e0d30d9ea4b5cb85ba049d7787.exe
Size

536KB
MD5

131cb9e0d30d9ea4b5cb85ba049d7787
SHA1

0951478224d75a98cd98511e6f1b911f20f66e42
SHA256

41650b2d2e134e521c54fa3523fc261783954a8a75123e1f899ff9b39ec1a4e2
SHA512

6208e1abc202b2f830b7167ea58a588fa5a7b541578968a9e33fd6a5589b73872909be3c219ed6ba543300849247ab748a27d807a4318c994ec3a1c4f5ed2485
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP7:q0P/k4lb2wKat7

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	131cb9e0d30d9ea4b5cb85ba049d7787.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	ovmyx.exe

Executes dropped EXE 2 IoCs

pid	Process
1392	ovmyx.exe
4800	qavet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe
4800	qavet.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 1392	3332	131cb9e0d30d9ea4b5cb85ba049d7787.exe	90
PID 3332 wrote to memory of 1392	3332	131cb9e0d30d9ea4b5cb85ba049d7787.exe	90
PID 3332 wrote to memory of 1392	3332	131cb9e0d30d9ea4b5cb85ba049d7787.exe	90
PID 3332 wrote to memory of 4348	3332	131cb9e0d30d9ea4b5cb85ba049d7787.exe	91
PID 3332 wrote to memory of 4348	3332	131cb9e0d30d9ea4b5cb85ba049d7787.exe	91
PID 3332 wrote to memory of 4348	3332	131cb9e0d30d9ea4b5cb85ba049d7787.exe	91
PID 1392 wrote to memory of 4800	1392	ovmyx.exe	107
PID 1392 wrote to memory of 4800	1392	ovmyx.exe	107
PID 1392 wrote to memory of 4800	1392	ovmyx.exe	107

C:\Users\Admin\AppData\Local\Temp\131cb9e0d30d9ea4b5cb85ba049d7787.exe
"C:\Users\Admin\AppData\Local\Temp\131cb9e0d30d9ea4b5cb85ba049d7787.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Users\Admin\AppData\Local\Temp\ovmyx.exe
  "C:\Users\Admin\AppData\Local\Temp\ovmyx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\qavet.exe
    "C:\Users\Admin\AppData\Local\Temp\qavet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
fc187b2d88117eadb60d48d861991060

SHA1
8f7befe6dac9c93b45e8c4e8dfbccbb5eb55c3e1

SHA256
2b9413df318996bd0cc662b0c0e5a336f9cfd5b5e06137a4f7a1e030cff9ed37

SHA512
f1323234546ef6cb473a194c9df69775cdda2348777f8b8357b485802bfe683cff7b70f12de524adb6e8ad39886ab06589ed48d408a62c1bf76898dd1bbe6015

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1e219a0e3d6f8281254aa9846e3d0322

SHA1
e67ca7a5bb4efd1df996470094d41f186c2e1d37

SHA256
53a8c572ad27fa04275007045454249a4916f28a74f4a4484a148abb86848c1d

SHA512
9113a30aaf35ba4143405f748f04276815c1278cdb1be2da1c97f5fa2152da5b0439c26164df22ab387aab1a2ae12e0da8f46856a1e8f1ca3790c8389639493c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovmyx.exe

Filesize
536KB

MD5
7be20b470202fe5619428b966380531c

SHA1
e790d856360416e9327461814a97fef70dea09c5

SHA256
92afe043b57e21bc6f5d1651d13fc2745e6475bcb77d7c39697656e6194a68ce

SHA512
6526a2ca9901b74dd30467bc26f3f00b6fe0139696a797e9068eaba32409c3258603f87bb3ab438c4b75c72532f87384f2b77c3a2e575fc9c194a2f223df043f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qavet.exe

Filesize
56KB

MD5
079541e3d059b929de4fe748e86a09aa

SHA1
37259d5bda9ab5becafef4df9d6f438b0fb6cca0

SHA256
61029371f035eab7aa82b7420006a3f5f54acd5e66d26e5042dcdf9cd605fa1a

SHA512
5d79e2d7f4c40828f0be08162132ef46dc44196ede08701195610ee1d0c56cce310b57a41a7f90214ba9eb252a2caf91668678ab1c64085cbdc1471abb6b7446

Download Submit
C:\Users\Admin\AppData\Local\Temp\qavet.exe

Filesize
64KB

MD5
7e6dc530fa9f5eaec076784526668124

SHA1
31350d929ac508784386630be1d5d51749781b01

SHA256
b2b35c893b2707c576c1bc73f192704a5aac43672457018563a2ae3da61611c3

SHA512
cf009910543e4ac011da3538564cadc86f74ccd78945e32c4244f11adbbf4d3cc0dc2a9d775e0933391b823bf4bcb2a15b41b01f4e9372ffb49baec3af9a88b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qavet.exe

Filesize
9KB

MD5
e099f605f0506d8be41da65bf9b8b8b5

SHA1
2cbf39f8763862be9976c8aeb9607f1d033292e7

SHA256
4ca0558ab7fbecfa601a031d3c9b58ddee879792c052db411901c1d63105f9c9

SHA512
734692d2944bb908b1e644f29f403dd05f39cf72d7ef401cedf25d5b636282a082c29e88e085adb9ff1e020ba3678ff03df142321f29d9d755aebc0bd64796dd

Download Submit
memory/1392-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1392-26-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3332-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3332-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4800-27-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4800-25-0x0000000000E60000-0x0000000000F03000-memory.dmp

Filesize
652KB

Download
memory/4800-29-0x0000000000E60000-0x0000000000F03000-memory.dmp

Filesize
652KB

Download
memory/4800-30-0x0000000000E60000-0x0000000000F03000-memory.dmp

Filesize
652KB

Download
memory/4800-31-0x0000000000E60000-0x0000000000F03000-memory.dmp

Filesize
652KB

Download
memory/4800-32-0x0000000000E60000-0x0000000000F03000-memory.dmp

Filesize
652KB

Download
memory/4800-33-0x0000000000E60000-0x0000000000F03000-memory.dmp

Filesize
652KB

Download