urelas | c9a7fbc74f14fd0561ba21366dbf3f0b053bc65bc078622c61b2881cadbc47e9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

299aba363caef390fbc4bd35f09718dd.exe
Size

401KB
MD5

299aba363caef390fbc4bd35f09718dd
SHA1

86cc9f5714875325e3f582176cf50e1d2b6887ba
SHA256

c9a7fbc74f14fd0561ba21366dbf3f0b053bc65bc078622c61b2881cadbc47e9
SHA512

7071f458001f56b80bdfcd4ff5ed3a036d48f7ce26f5b5cc9aecb8b45fb1b3d112c94e345682e8f250a8d97529bae56e3227b5786f57a065e26ff1cae9d60272
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohJh:8IfBoDWoyFblU6hAJQnOTh

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	299aba363caef390fbc4bd35f09718dd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	qygog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	azkipe.exe

Executes dropped EXE 3 IoCs

pid	Process
5056	qygog.exe
4704	azkipe.exe
448	gudel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe
448	gudel.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 5056	2832	299aba363caef390fbc4bd35f09718dd.exe	23
PID 2832 wrote to memory of 5056	2832	299aba363caef390fbc4bd35f09718dd.exe	23
PID 2832 wrote to memory of 5056	2832	299aba363caef390fbc4bd35f09718dd.exe	23
PID 2832 wrote to memory of 2904	2832	299aba363caef390fbc4bd35f09718dd.exe	22
PID 2832 wrote to memory of 2904	2832	299aba363caef390fbc4bd35f09718dd.exe	22
PID 2832 wrote to memory of 2904	2832	299aba363caef390fbc4bd35f09718dd.exe	22
PID 5056 wrote to memory of 4704	5056	qygog.exe	20
PID 5056 wrote to memory of 4704	5056	qygog.exe	20
PID 5056 wrote to memory of 4704	5056	qygog.exe	20
PID 4704 wrote to memory of 448	4704	azkipe.exe	109
PID 4704 wrote to memory of 448	4704	azkipe.exe	109
PID 4704 wrote to memory of 448	4704	azkipe.exe	109
PID 4704 wrote to memory of 3216	4704	azkipe.exe	110
PID 4704 wrote to memory of 3216	4704	azkipe.exe	110
PID 4704 wrote to memory of 3216	4704	azkipe.exe	110

C:\Users\Admin\AppData\Local\Temp\299aba363caef390fbc4bd35f09718dd.exe
"C:\Users\Admin\AppData\Local\Temp\299aba363caef390fbc4bd35f09718dd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\qygog.exe
  "C:\Users\Admin\AppData\Local\Temp\qygog.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5056

C:\Users\Admin\AppData\Local\Temp\azkipe.exe
"C:\Users\Admin\AppData\Local\Temp\azkipe.exe" OK
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Users\Admin\AppData\Local\Temp\gudel.exe
  "C:\Users\Admin\AppData\Local\Temp\gudel.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
d4bda91d7153383846c0ad401a52a964

SHA1
af57114f37fa594099d4c15e5e30670dd997f89b

SHA256
a6449fcb2471396df2569c4ec403edbc5ee2e8bce8f2f6c4bed1e5b17dcb9bd4

SHA512
bba5d8c780f6c617d1ce6db6781b94e91ec1c0348ddf2765467ecf4dc18e2809fa8a137390349f763d98b466a773f540bcc5665aa624174b794ff1cce454860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4cd8b0b142060b6e8faaead5a4d32040

SHA1
b38d13636fc3721a0596750c1a728bd7d354baea

SHA256
b18fe1d39aef3b58f36b5e83df76cd83ef1890cc47b4d67920e569cc8f754f6d

SHA512
29a25ec119ee47fb363e6d64b281d2737b4e7cd0fd91b76ea9f297f849f70aa7f0479af931b5d7469072b3de4b5c513125ce96f281118aac269e96728ecbab1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gudel.exe

Filesize
223KB

MD5
a75bb8253fb375c16f94f46c83339b5d

SHA1
f229803e015b8d7ed57fc385af941feaf3bed16e

SHA256
35f56068f0f59840c0f2a05f92fe6dc3a54c9393c46821aa981270bc8c217122

SHA512
40711ce88e12a3c3c7b659f789de803ff40e3a3a6f0267ffe03a421988383e92738ef4d9bf8ce8f6adf96c10db517b32e717f044e59fa07ef5b0111ca41044d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qygog.exe

Filesize
93KB

MD5
c30cc8a2eb2eb9e353296f861c000581

SHA1
c4b20af4fb17cf6bc10317d5903c1fd230a468e7

SHA256
20e662714979275562e0395c7318463fbada353668e62e00ba36b5624c3946c0

SHA512
07c472b500eba6f39c76649387a20e51b1f73d152beb2ff871f47d1ccb0755792082c08d7b59621db43dfbc79c466329c059cb60fdb70e35371290d7d43b1beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qygog.exe

Filesize
65KB

MD5
497679489155d20f782eed7a439105b6

SHA1
48bc6529cbfe18da3c821fc6e4f1de0779ffd724

SHA256
ec2c471096eb830025a27f419b523af3e8dab1c08bd5e4f2e351306a13db4aed

SHA512
4cd6af42d9e288dd8d14be41c09ae520cfb331df87c7a05d2a7bb18084329d430316181b03f5a75b8eef760d95edc6f652f14b13da09a86b39b645f27cddaae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qygog.exe

Filesize
150KB

MD5
e25074e8a50f5f070ca6c9f2674b058c

SHA1
db4f2aeb184809bb4457600c3792f1468d0ebc2d

SHA256
32894a84747a487dcc5003f5c07d0c41e15deeb156febfabe26c01ff86bfc49a

SHA512
e3459eb5f30b28a41da33691a014bed7db8161f81a3617315a1722b4474d80f6b4346b50f9c920a3d27c1f4b83c3d1782c878348f4367bbdb940449708b2771b

Download Submit
memory/448-47-0x0000000000590000-0x0000000000630000-memory.dmp

Filesize
640KB

Download
memory/448-46-0x0000000000590000-0x0000000000630000-memory.dmp

Filesize
640KB

Download
memory/448-44-0x0000000000590000-0x0000000000630000-memory.dmp

Filesize
640KB

Download
memory/448-38-0x0000000000590000-0x0000000000630000-memory.dmp

Filesize
640KB

Download
memory/448-39-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/448-45-0x0000000000590000-0x0000000000630000-memory.dmp

Filesize
640KB

Download
memory/448-43-0x0000000000590000-0x0000000000630000-memory.dmp

Filesize
640KB

Download
memory/2832-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2832-16-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4704-26-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4704-40-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/5056-14-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/5056-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download