urelas | d543f7a9aaf7cdfe845d94ba02ec24e243c8ad8941f73ba620ebcc6e70129272

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 15:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c62f2715f7d498a3f82a0d826664ff94.exe
Size

535KB
MD5

c62f2715f7d498a3f82a0d826664ff94
SHA1

40f6bb977f14e6f3600d781873a0bee5db8abd2c
SHA256

d543f7a9aaf7cdfe845d94ba02ec24e243c8ad8941f73ba620ebcc6e70129272
SHA512

2a1ba05dfa39ecdb37f05865147291a1bebc75228631b0e7b5695938831f39c05e54d1b38c83a673d040fe2ca6a3889ffd00f946542037dafb32a46de0cdcc58
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPE:q0P/k4lb2wKatE

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	fezuo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	c62f2715f7d498a3f82a0d826664ff94.exe

Executes dropped EXE 2 IoCs

pid	Process
1408	fezuo.exe
4928	rihou.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe
4928	rihou.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 1408	4992	c62f2715f7d498a3f82a0d826664ff94.exe	91
PID 4992 wrote to memory of 1408	4992	c62f2715f7d498a3f82a0d826664ff94.exe	91
PID 4992 wrote to memory of 1408	4992	c62f2715f7d498a3f82a0d826664ff94.exe	91
PID 4992 wrote to memory of 4980	4992	c62f2715f7d498a3f82a0d826664ff94.exe	92
PID 4992 wrote to memory of 4980	4992	c62f2715f7d498a3f82a0d826664ff94.exe	92
PID 4992 wrote to memory of 4980	4992	c62f2715f7d498a3f82a0d826664ff94.exe	92
PID 1408 wrote to memory of 4928	1408	fezuo.exe	110
PID 1408 wrote to memory of 4928	1408	fezuo.exe	110
PID 1408 wrote to memory of 4928	1408	fezuo.exe	110

C:\Users\Admin\AppData\Local\Temp\c62f2715f7d498a3f82a0d826664ff94.exe
"C:\Users\Admin\AppData\Local\Temp\c62f2715f7d498a3f82a0d826664ff94.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\fezuo.exe
  "C:\Users\Admin\AppData\Local\Temp\fezuo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Users\Admin\AppData\Local\Temp\rihou.exe
    "C:\Users\Admin\AppData\Local\Temp\rihou.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
71a3ed0881c056306692c585dc8fc614

SHA1
9240724c2904aa164010f800e959dfdea62d1fd6

SHA256
df54542c92346053eb44c4db28e008e9dd884a2a40e789d00b51c9269c1e4688

SHA512
a744766bf547ee341f156d3b06e936c0c3695bb04eabc1ba5195565396e6a19be125b96024993bcab503b73bbc3475c60629f8c59ceb479a27fedfdc8e81da84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fezuo.exe

Filesize
535KB

MD5
29ea724e011b3647bec1832ebc50f9d2

SHA1
fc0ac1a30bbee486c3801aca1eadbc9f4461150b

SHA256
89f8f96c3c4661a6776f04c5d44c689803adf5ed1cd4562143da312f4bed8c29

SHA512
2553130e15ce4b2f97e4eba3df938205cde3464aeab3d3ee87a33ff12a204a1298c0721980b6d2a36bd99723105a2e20d814fdcef904c277477b9adf3dc18b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f3a4f4eaa0dc9d5c1dcbf721055ba35b

SHA1
0ec41509e5ca662cd54fd9c2cc62d28877299eee

SHA256
777ccb60ae788c5ba990d9abb63074d786326b446aafc266c292907d75bf35ff

SHA512
86968b276fa0a7915fa8ced13e41632921b7c4eefa5621bd823642b40c3095f551c1b7629667533e2e22410f4d25b8c01491b82f8fc7099c45b6f623f6944f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rihou.exe

Filesize
236KB

MD5
c02281ba0b9b09a456fae9bb4034a797

SHA1
741a0b85416fd0eb255eef197d8938303c72a558

SHA256
a394408c25e90dae78f57e6060e25920762b8d36f7426f666e3daffd6c5ffef4

SHA512
ef190fba25d30151977c757588715ae0b2e84ab356ec44c3f4e80ddefb095c924ab59311493e5cc2208e5e66c211cdb63f8dc35c3e81946506c41e41ac7b686b

Download Submit
memory/1408-23-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4928-25-0x00000000008B0000-0x0000000000953000-memory.dmp

Filesize
652KB

Download
memory/4928-26-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/4928-28-0x00000000008B0000-0x0000000000953000-memory.dmp

Filesize
652KB

Download
memory/4928-29-0x00000000008B0000-0x0000000000953000-memory.dmp

Filesize
652KB

Download
memory/4928-30-0x00000000008B0000-0x0000000000953000-memory.dmp

Filesize
652KB

Download
memory/4928-31-0x00000000008B0000-0x0000000000953000-memory.dmp

Filesize
652KB

Download
memory/4928-32-0x00000000008B0000-0x0000000000953000-memory.dmp

Filesize
652KB

Download
memory/4992-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4992-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download