urelas | 5ea3536e4cfe1f2771d0cadab8590be9c243f55c2be0191a6f0b96000ce36a9b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3884a328a033cf349a6a0c2a0a1edc4e.exe
Size

551KB
MD5

3884a328a033cf349a6a0c2a0a1edc4e
SHA1

814c24593cc5324c87544a686e45cc8dffedcc76
SHA256

5ea3536e4cfe1f2771d0cadab8590be9c243f55c2be0191a6f0b96000ce36a9b
SHA512

8cf60e637c715f1e0084bdecadcdc3679606d9fb96c9ffe0455bec640b241cc583241691abf30b9169f3d15954988cb6f3e0327b4ab53e87a4a131e68bfa6115
SSDEEP

12288:++GtVfjTQSaoINAHT1VQ1i3SyQEW85gzlL:+rt4/NArwjs5olL

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	3884a328a033cf349a6a0c2a0a1edc4e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	pyqyp.exe

Executes dropped EXE 2 IoCs

pid	Process
1152	pyqyp.exe
4388	ipkot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
3436	4388	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1152	1212	3884a328a033cf349a6a0c2a0a1edc4e.exe	70
PID 1212 wrote to memory of 1152	1212	3884a328a033cf349a6a0c2a0a1edc4e.exe	70
PID 1212 wrote to memory of 1152	1212	3884a328a033cf349a6a0c2a0a1edc4e.exe	70
PID 1212 wrote to memory of 4800	1212	3884a328a033cf349a6a0c2a0a1edc4e.exe	69
PID 1212 wrote to memory of 4800	1212	3884a328a033cf349a6a0c2a0a1edc4e.exe	69
PID 1212 wrote to memory of 4800	1212	3884a328a033cf349a6a0c2a0a1edc4e.exe	69
PID 1152 wrote to memory of 4388	1152	pyqyp.exe	110
PID 1152 wrote to memory of 4388	1152	pyqyp.exe	110
PID 1152 wrote to memory of 4388	1152	pyqyp.exe	110

C:\Users\Admin\AppData\Local\Temp\3884a328a033cf349a6a0c2a0a1edc4e.exe
"C:\Users\Admin\AppData\Local\Temp\3884a328a033cf349a6a0c2a0a1edc4e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4800
- C:\Users\Admin\AppData\Local\Temp\pyqyp.exe
  "C:\Users\Admin\AppData\Local\Temp\pyqyp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\ipkot.exe
    "C:\Users\Admin\AppData\Local\Temp\ipkot.exe"
    3⤵
    - Executes dropped EXE
    PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4388 -ip 4388
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 216
1⤵
- Program crash
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ipkot.exe

Filesize
64KB

MD5
dc002bfe5ac0296b75bbe925c875bd0f

SHA1
3925aea2559d0271bc8b8aed52203908a1d2a668

SHA256
00752d0fa01302188039bf39a03848b9ecd0f740d3d2b370a22e9545144cee6a

SHA512
8679b35bc40391b1760754dd2ad679e617a96aa1db1ad5babd27427f00a980d3671724220d4ce5d74440ae83625ecf7ee42c37b992be1efd7d3d8ef565b14594

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipkot.exe

Filesize
231KB

MD5
fb06333b1cecda506f0ff08f18625745

SHA1
c2caef76b763135b847cb96e94204b1433d88ab8

SHA256
1801ec2eb4551a663aa46dae776503ead559920a146e6e95fb910c0491f7f63d

SHA512
749698102c75d86bdbf039f7a806ba8db8052fc69f3edee83f7df971b1d57cbca559791580933b1d6dca976c31452e3b87b59c2f41714d6ed40c2b5fe8a8fd2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyqyp.exe

Filesize
92KB

MD5
72df9a9e25a96cedc30a756f1b7ea6c4

SHA1
0120735974ed8562c2e2324763882850f8edf70b

SHA256
946e3195de9e10408adc5c8071db081f794ff265cf5fabf1776142f355b52f95

SHA512
7853f332c421833d47c6216adcdf1b279a5ae4e63804ff57f99c90e15e1229c323787e55e1e734ed6bf8ee99b829cffbbeefeefe800c7b22f895466bb3955342

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyqyp.exe

Filesize
96KB

MD5
528f2c8e77008e647a60559f27e5c57b

SHA1
cd0d974350a783ca3d7ca98baa89220e0a0557e2

SHA256
12bac3fbc30e61b741ef6474d92b69c6e8ae4babe297c8704eedf2aa5f4467c9

SHA512
3c4a599dc556d8a2653b35e05922515ee7275c66a92b6c03a478399a2e57148b73d5379b0e93abf05a4ae94b6de4ebd2dcb72169ef950c8b4a24a8150bec65c6

Download Submit
memory/1152-10-0x0000000000B70000-0x0000000000BFF000-memory.dmp

Filesize
572KB

Download
memory/1152-25-0x0000000000B70000-0x0000000000BFF000-memory.dmp

Filesize
572KB

Download
memory/1212-0-0x0000000000160000-0x00000000001EF000-memory.dmp

Filesize
572KB

Download
memory/1212-14-0x0000000000160000-0x00000000001EF000-memory.dmp

Filesize
572KB

Download
memory/4388-26-0x0000000000410000-0x00000000004C3000-memory.dmp

Filesize
716KB

Download