urelas | 282ee27e064eda6d0a7a24d3ed57aaf1e356a8f1de6f3de402531b61133fc2d2

Analysis

max time kernel
149s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 18:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

282ee27e064eda6d0a7a24d3ed57aaf1e356a8f1de6f3de402531b61133fc2d2.exe
Size

454KB
MD5

3fb05306a8577ff4391504eb1dd33253
SHA1

13a8f86773d82fd7615c1ebe855fc49df2d2ca6f
SHA256

282ee27e064eda6d0a7a24d3ed57aaf1e356a8f1de6f3de402531b61133fc2d2
SHA512

91448b255023a0ce1d3c8c12528ecba373f06ff618ec93901d51939b0085bd1ab3f44f8937c485241cfc0f0f4d7070cab163bf5048179ac7ea27cff2f903083d
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpoh:PMpASIcWYx2U6hAJQn1

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	282ee27e064eda6d0a7a24d3ed57aaf1e356a8f1de6f3de402531b61133fc2d2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	dowyi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	cofugu.exe

Executes dropped EXE 3 IoCs

pid	Process
3964	dowyi.exe
1460	cofugu.exe
2996	louvz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe
2996	louvz.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4380	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 3964	4668	282ee27e064eda6d0a7a24d3ed57aaf1e356a8f1de6f3de402531b61133fc2d2.exe	89
PID 4668 wrote to memory of 3964	4668	282ee27e064eda6d0a7a24d3ed57aaf1e356a8f1de6f3de402531b61133fc2d2.exe	89
PID 4668 wrote to memory of 3964	4668	282ee27e064eda6d0a7a24d3ed57aaf1e356a8f1de6f3de402531b61133fc2d2.exe	89
PID 4668 wrote to memory of 2084	4668	282ee27e064eda6d0a7a24d3ed57aaf1e356a8f1de6f3de402531b61133fc2d2.exe	91
PID 4668 wrote to memory of 2084	4668	282ee27e064eda6d0a7a24d3ed57aaf1e356a8f1de6f3de402531b61133fc2d2.exe	91
PID 4668 wrote to memory of 2084	4668	282ee27e064eda6d0a7a24d3ed57aaf1e356a8f1de6f3de402531b61133fc2d2.exe	91
PID 3964 wrote to memory of 1460	3964	dowyi.exe	93
PID 3964 wrote to memory of 1460	3964	dowyi.exe	93
PID 3964 wrote to memory of 1460	3964	dowyi.exe	93
PID 1460 wrote to memory of 2996	1460	cofugu.exe	112
PID 1460 wrote to memory of 2996	1460	cofugu.exe	112
PID 1460 wrote to memory of 2996	1460	cofugu.exe	112
PID 1460 wrote to memory of 4860	1460	cofugu.exe	113
PID 1460 wrote to memory of 4860	1460	cofugu.exe	113
PID 1460 wrote to memory of 4860	1460	cofugu.exe	113

C:\Users\Admin\AppData\Local\Temp\282ee27e064eda6d0a7a24d3ed57aaf1e356a8f1de6f3de402531b61133fc2d2.exe
"C:\Users\Admin\AppData\Local\Temp\282ee27e064eda6d0a7a24d3ed57aaf1e356a8f1de6f3de402531b61133fc2d2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\dowyi.exe
  "C:\Users\Admin\AppData\Local\Temp\dowyi.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\cofugu.exe
    "C:\Users\Admin\AppData\Local\Temp\cofugu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\louvz.exe
      "C:\Users\Admin\AppData\Local\Temp\louvz.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:4860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:2084

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
8df100b9cc5b2145ee584e64f1efda04

SHA1
7e6c98a254df050501b8fd7009935485fad69728

SHA256
00e7f197083afcabe748980df3d55f3320c75fefde9af26989b979af8e9d33d6

SHA512
15673cb5c8ee3643985430d5acce7b8ef0d0019d5b7eb8a674877affc36c3003f012c9583ad9e36320c201866b74ecd52ece79b0f3f4acee3f215e60c5c05f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
266041bd7422c235f3585796dac06188

SHA1
e4f76cc52b0baf9910bc23e4363d18a8582d7051

SHA256
f833bc17fc77976145f8a9b6b4cb35a379b42867a4042a5d3c3b2a70db5b2723

SHA512
72984e9f181f5ff4cab375ca58a57f5b01d20d1747f74f9f5cb4039e33da3651989ada8bda4568864d9a159eb49b30c308c355d98e4d84f0f9ffdb6f3a5d8acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cofugu.exe

Filesize
454KB

MD5
f4cad726a2cb4aa80b6654c290e3e652

SHA1
78fbcbed90efb9c61f2f4c13f4830a03f31b543c

SHA256
4fb3c44c8e36e663417043e3b0e2c592d65e02729df948e7681fea403e1079d8

SHA512
744b37511c3276b84157bcb28ac9e78e8a8d24c5af3ccd05c21f18099a3bc4a26fb988a73ba08a1fb3d2935bbcd61c50a7ec9e87e37f45592d69fd1fd314088f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dowyi.exe

Filesize
454KB

MD5
3cb38ac59dec2c5e03b9bf4ee4928386

SHA1
ebb1630e1e6a0adf6d6c207a4b2fe96a8bb7727f

SHA256
4e121d277f79f827f17aced4830f0f87a2a2580ff0c9abb8ea8d1511bb4cc2cc

SHA512
656185b366f01103a5124997a42f0eef9710e34de9124411e48c9316829ce6a4066134a3ba512b2481e11dcaa440869ac3ec7649be77a848ee8fe8f69f26354c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a51b26366144647806656404c862f278

SHA1
d4f46c81ac769565527eacef9d5a94269c3420a2

SHA256
2e9c8c56ffc3b1d64d77125a642a8f0e3a812e6f6b821e962f9fb071150bb5ee

SHA512
022c32e617bd0b7b48817bb3aae1003cc3a83bf52348c1e763c1d23c9f832c7a55c7642e25f152f248e7ac2204dab51a12b414c33c6e115d7ee7f211f7644814

Download Submit
C:\Users\Admin\AppData\Local\Temp\louvz.exe

Filesize
223KB

MD5
1f94d0817238cc60fc55011020659a2c

SHA1
de9408fb240c0dfab5fac72354dc21a60c7080ce

SHA256
6d11e3e65f53e5cd592e48943a9e989dc73871559c965c8fe6c0bf9795eaac61

SHA512
6f197645a91848fba9c10cbde36836ee60b791a6f708838827abbfd5093038cb58f01f100282d3c33dc3706e8b43de820cce15a2e6bb861a8302a1990f2a0fcd

Download Submit
memory/1460-78-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1460-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2996-76-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2996-84-0x00000000008F0000-0x0000000000990000-memory.dmp

Filesize
640KB

Download
memory/2996-83-0x00000000008F0000-0x0000000000990000-memory.dmp

Filesize
640KB

Download
memory/2996-82-0x00000000008F0000-0x0000000000990000-memory.dmp

Filesize
640KB

Download
memory/2996-81-0x00000000008F0000-0x0000000000990000-memory.dmp

Filesize
640KB

Download
memory/2996-80-0x00000000008F0000-0x0000000000990000-memory.dmp

Filesize
640KB

Download
memory/2996-74-0x00000000008F0000-0x0000000000990000-memory.dmp

Filesize
640KB

Download
memory/3964-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3964-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4380-59-0x000001ED4E200000-0x000001ED4E201000-memory.dmp

Filesize
4KB

Download
memory/4380-63-0x000001ED4E340000-0x000001ED4E341000-memory.dmp

Filesize
4KB

Download
memory/4380-61-0x000001ED4E230000-0x000001ED4E231000-memory.dmp

Filesize
4KB

Download
memory/4380-62-0x000001ED4E230000-0x000001ED4E231000-memory.dmp

Filesize
4KB

Download
memory/4380-43-0x000001ED45E90000-0x000001ED45EA0000-memory.dmp

Filesize
64KB

Download
memory/4380-27-0x000001ED45D90000-0x000001ED45DA0000-memory.dmp

Filesize
64KB

Download
memory/4668-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4668-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download