urelas | 09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5

Analysis

max time kernel
150s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe
Size

359KB
MD5

33fc3fe46e05744b924537a2a89d79bf
SHA1

a055e22eaa0406127b9735913a651e30ebf2ca04
SHA256

09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5
SHA512

8cc573b41302815787276d2280f1216ef77da831df417af72b161e36d78aaf9e4e9b81e22fc07863bef27c26c7830cba26a14dc168c1b066b2b22a3d030ddd3b
SSDEEP

6144:Z/bE5G5KiR0J0dCsnGb/6VOpLc91WlvhDSNZKBPvu:l0G5obGGraOpUWlpB5u

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	qufey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	hubufi.exe

Executes dropped EXE 3 IoCs

pid	Process
2600	qufey.exe
1920	hubufi.exe
2328	hiqob.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe
2328	hiqob.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 2600	4308	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe	88
PID 4308 wrote to memory of 2600	4308	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe	88
PID 4308 wrote to memory of 2600	4308	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe	88
PID 4308 wrote to memory of 1748	4308	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe	89
PID 4308 wrote to memory of 1748	4308	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe	89
PID 4308 wrote to memory of 1748	4308	09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe	89
PID 2600 wrote to memory of 1920	2600	qufey.exe	92
PID 2600 wrote to memory of 1920	2600	qufey.exe	92
PID 2600 wrote to memory of 1920	2600	qufey.exe	92
PID 1920 wrote to memory of 2328	1920	hubufi.exe	111
PID 1920 wrote to memory of 2328	1920	hubufi.exe	111
PID 1920 wrote to memory of 2328	1920	hubufi.exe	111
PID 1920 wrote to memory of 4900	1920	hubufi.exe	112
PID 1920 wrote to memory of 4900	1920	hubufi.exe	112
PID 1920 wrote to memory of 4900	1920	hubufi.exe	112

C:\Users\Admin\AppData\Local\Temp\09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe
"C:\Users\Admin\AppData\Local\Temp\09fb1c0d6ffaf81bfe280c2fb4fdedac36b5c8738250f71dd5b224c90942fbe5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Admin\AppData\Local\Temp\qufey.exe
  "C:\Users\Admin\AppData\Local\Temp\qufey.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\hubufi.exe
    "C:\Users\Admin\AppData\Local\Temp\hubufi.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\hiqob.exe
      "C:\Users\Admin\AppData\Local\Temp\hiqob.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:4900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
373d494ab21398b04cdb6a49589eca71

SHA1
f68b9d90824b3f917285728986a81261df435a68

SHA256
431cd02b1515c3f6be5ac1b9b6692e71d76962b365723053d7a36e609a052124

SHA512
7116b54fca1a8eded8f388a7eae8a8654f5a2f35f56a1034dd40737ba0ef569e9db231d7a75e24f5217c509f54febbfceb83a4751c376dbbf96e463daf603188

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
51120901b48c61ed5f7ba8db952446f9

SHA1
b3429b4dab8be1843ce0d8701a00e3a61c02cd04

SHA256
c3448c8c9c417492cb2733e870562e131a8f0e7c95646ad8c89877c5201c615f

SHA512
1391303e360a6561d3083793978e302efa0da4f6921a10fa2a8a950e165e9d1e6ae071e89bbf64b4ace52e936089d79837e31fd6fb4dca0c9b6bdc4fcefab1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
eba9234887b36bdb7074790806432432

SHA1
e8f5adeaf6b7d223322eb0dddf92c5a83c55417f

SHA256
ac4ba91ac99bcb8d32dd9b4df2dd85f1ae73e96f45c3bcbc9db37cff0d03d991

SHA512
76537a13fd34bf72b99cdb13f707dff70c2b2dddbea3853c5b97402e8ada8115429af03863092a12840feb8db5b3342ea3bcdd48770175cc3118ea731071f3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiqob.exe

Filesize
115KB

MD5
6d2566275d78c8b8eb0cd8977559eff6

SHA1
e7584851458264c8ef38685d5e842534bb0ceaf7

SHA256
af3eabee77e469b1ab75133cb9705cb7307a74fddf7f51ab1e58027694d2fc33

SHA512
aec6f4d1e67efcac4e48344454a49c7ae503154d3d9501bd49608c0d1c8a41b4ecfedd436d446c755767f0993cbc7f57f3e55de7a298911f5f56d9c0735dd7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qufey.exe

Filesize
359KB

MD5
d6d7abfd418c5534d48e0a9487690c04

SHA1
b50c2c878fe0cda91b3a513c56b30a9b2999e3a2

SHA256
5f070f5544eb4bd4bd022ba3d1f7b7b3bc8ad6fd9bab0a10f3852039b50c15ae

SHA512
445e12f75462fc4011506ee5aeb90f017bb22151ed1c7027619148662254a70cf1fd70979144ce995d1f12032a8f4eab1099c53eb13f771de64850e1c8e0e3c7

Download Submit
memory/1920-26-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1920-41-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2328-37-0x0000000000560000-0x00000000005E2000-memory.dmp

Filesize
520KB

Download
memory/2328-38-0x0000000000560000-0x00000000005E2000-memory.dmp

Filesize
520KB

Download
memory/2328-43-0x0000000000560000-0x00000000005E2000-memory.dmp

Filesize
520KB

Download
memory/2328-44-0x0000000000560000-0x00000000005E2000-memory.dmp

Filesize
520KB

Download
memory/2328-45-0x0000000000560000-0x00000000005E2000-memory.dmp

Filesize
520KB

Download
memory/2328-46-0x0000000000560000-0x00000000005E2000-memory.dmp

Filesize
520KB

Download
memory/2328-47-0x0000000000560000-0x00000000005E2000-memory.dmp

Filesize
520KB

Download
memory/2600-25-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2600-13-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4308-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4308-15-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download