urelas | 665c0f4b784ab387fba7f945059dad5b8462b0ccffa96f2110ea673dabdd2044

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72aece57191774ee8faa706df2fb668f.exe
Size

401KB
MD5

72aece57191774ee8faa706df2fb668f
SHA1

0a397db178732b4d0e3e1ca8567ab8f08de89b93
SHA256

665c0f4b784ab387fba7f945059dad5b8462b0ccffa96f2110ea673dabdd2044
SHA512

6c547649fb3058cfbea61cd05df8f9ad222abb1213687f9f2d5ac7dad10f05c0c7b6bf2f4edd50b181b2cfe17c663a99e3fcc5d215e7e803334d9592d1af8bfa
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohW:8IfBoDWoyFblU6hAJQnO0

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	aqmoc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	tifiiz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	72aece57191774ee8faa706df2fb668f.exe

Executes dropped EXE 3 IoCs

pid	Process
3104	aqmoc.exe
4016	tifiiz.exe
2296	suvoj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe
2296	suvoj.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 3104	4520	72aece57191774ee8faa706df2fb668f.exe	88
PID 4520 wrote to memory of 3104	4520	72aece57191774ee8faa706df2fb668f.exe	88
PID 4520 wrote to memory of 3104	4520	72aece57191774ee8faa706df2fb668f.exe	88
PID 4520 wrote to memory of 2112	4520	72aece57191774ee8faa706df2fb668f.exe	89
PID 4520 wrote to memory of 2112	4520	72aece57191774ee8faa706df2fb668f.exe	89
PID 4520 wrote to memory of 2112	4520	72aece57191774ee8faa706df2fb668f.exe	89
PID 3104 wrote to memory of 4016	3104	aqmoc.exe	91
PID 3104 wrote to memory of 4016	3104	aqmoc.exe	91
PID 3104 wrote to memory of 4016	3104	aqmoc.exe	91
PID 4016 wrote to memory of 2296	4016	tifiiz.exe	100
PID 4016 wrote to memory of 2296	4016	tifiiz.exe	100
PID 4016 wrote to memory of 2296	4016	tifiiz.exe	100
PID 4016 wrote to memory of 548	4016	tifiiz.exe	101
PID 4016 wrote to memory of 548	4016	tifiiz.exe	101
PID 4016 wrote to memory of 548	4016	tifiiz.exe	101

C:\Users\Admin\AppData\Local\Temp\72aece57191774ee8faa706df2fb668f.exe
"C:\Users\Admin\AppData\Local\Temp\72aece57191774ee8faa706df2fb668f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\aqmoc.exe
  "C:\Users\Admin\AppData\Local\Temp\aqmoc.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Users\Admin\AppData\Local\Temp\tifiiz.exe
    "C:\Users\Admin\AppData\Local\Temp\tifiiz.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Users\Admin\AppData\Local\Temp\suvoj.exe
      "C:\Users\Admin\AppData\Local\Temp\suvoj.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c4e4e58d5f5c90304745243e46437cac

SHA1
96fc8b086aeae83faae2b968f6312e12e49bf3b3

SHA256
31c99508b93cdeefd52a537dd264d33eccc990ec2ea0ea3e5e027da41c09a109

SHA512
39daa8bdc5318b2a50dba3ae95df56e7366eaa05f1d68073f261370d39cb1c1096e6881b87e1dacf5cdcb65a85d4c97acc030be30eda4281c078393e12b38237

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
276B

MD5
5c66acc43ae456f356e617467702c56c

SHA1
dcd24c79cb78e0dd2f31c6ccc2b1f9ac07f8b270

SHA256
aba1fc6cdc0fd31e39bb693c40604a46683e6c2c41457b9f7f476e7a7d376abc

SHA512
64284e7b2b9e7c96cce097d208ef4461a943945a75b0869e4c3158b1c8bfeecb7a1364e3b3599edef77fb04bbec690d0efafa7f064ce846d64c0116172557ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqmoc.exe

Filesize
401KB

MD5
e958995ce2939e1ae5976d44acadb7e3

SHA1
bf5f578721cb17546aa1829d1181f385186e1722

SHA256
455091c0704a94d11aa46acd6f4e0d47c65be4b798a8fa6c65e33b550200cef4

SHA512
24c87aac42ff833ef177e7f87e3e5796c6123bd1ebe48389e1275d7611129e266e2882d1741e0a0850ac0aae9a3bcc22c1d869146671ded691c1958e2463d0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqmoc.exe

Filesize
393KB

MD5
b4f5ea77b6cab9c95581e53a4524e358

SHA1
bb177f3a86c65859d75a0a89f5c0e044909ce7f9

SHA256
d8a68662bc949f2a5d8dc678fb3d01f4ee7be02392e1748f86fe44a2f0153dc5

SHA512
667dcf3cdcc9a95f8ec073b77a604e6d4c73409264fa8e98894e40f6fcaf80d01540a5b3bdfdc096c53e444596f000fd1c58687278dc14e4719bcd0b2d5d92a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1be2393acab076664557df67fb185bfc

SHA1
285c3ff592b66dca3a468e339d0cd0842140765f

SHA256
64add18c2e05b0d4ebe5d0af0098bd1859fa3eeb8ae7c5c71fcc9261741b1f12

SHA512
da2b7d001b751c2563029710303f53a61b6e763d443322abc915129628c52b5dff1e93d685cc8338ae84ccb8ff043dc673faae13d9818638783a86d4785997e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\suvoj.exe

Filesize
223KB

MD5
aeb14970c17cb1eb85889b92cb9fd402

SHA1
13d2d92ca393e388c692d4517457bce310789573

SHA256
eef5175d3e3738201fa885d1d5f165eedab138f02dc8fcd25fa5b4e1695d594c

SHA512
2928ab4df30a2fd19878c634184ba616af28fb0b6ab837e2728e4af547e2110cd1db5266f73992da3d43f1cfa67bf7c4fe9df21481e33b309dc15b295292f4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tifiiz.exe

Filesize
401KB

MD5
75de1edc4c9ade2f088457481b386775

SHA1
3c193475ea24d8bb9aba206e576d7ef849c6e3f4

SHA256
a83288e301c3c1be90df365762efd7237f324c20cf5b72b30b275b120e5e4950

SHA512
0aa5ddcd7eac6b2d16dee1a510a4a33d44f9722b302f57cc5e6cba862aecc6a2c16e29d376e92d9df73fc6f863377b8d497b2df3fbd330e8c70decc22e59832f

Download Submit
memory/2296-43-0x0000000000070000-0x0000000000110000-memory.dmp

Filesize
640KB

Download
memory/2296-37-0x0000000000070000-0x0000000000110000-memory.dmp

Filesize
640KB

Download
memory/2296-39-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2296-44-0x0000000000070000-0x0000000000110000-memory.dmp

Filesize
640KB

Download
memory/2296-45-0x0000000000070000-0x0000000000110000-memory.dmp

Filesize
640KB

Download
memory/2296-46-0x0000000000070000-0x0000000000110000-memory.dmp

Filesize
640KB

Download
memory/2296-47-0x0000000000070000-0x0000000000110000-memory.dmp

Filesize
640KB

Download
memory/3104-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3104-12-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4016-26-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4016-40-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4520-16-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4520-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download