urelas | 0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe
Size

454KB
MD5

e545840f1e3a352832c34ec59e0bc74c
SHA1

349acbecb2f97d39236f0c04c2c926b9ecccda99
SHA256

0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6
SHA512

a0ca1f60633f79002b1595452ff2c781d02316194bf12a9a1f51ef1ae25416ebab21a3b60672d4c4353ec871ea5d8e8f6b6b146e5cc63a88f0c9806145403b6f
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjIa1EMi:oMpASIcWYx2U6hAJQnSLi

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	junur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	xizozo.exe

Executes dropped EXE 3 IoCs

pid	Process
4416	junur.exe
4000	xizozo.exe
2764	dequy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe
2764	dequy.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 4416	764	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe	89
PID 764 wrote to memory of 4416	764	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe	89
PID 764 wrote to memory of 4416	764	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe	89
PID 764 wrote to memory of 3636	764	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe	90
PID 764 wrote to memory of 3636	764	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe	90
PID 764 wrote to memory of 3636	764	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe	90
PID 4416 wrote to memory of 4000	4416	junur.exe	92
PID 4416 wrote to memory of 4000	4416	junur.exe	92
PID 4416 wrote to memory of 4000	4416	junur.exe	92
PID 4000 wrote to memory of 2764	4000	xizozo.exe	107
PID 4000 wrote to memory of 2764	4000	xizozo.exe	107
PID 4000 wrote to memory of 2764	4000	xizozo.exe	107
PID 4000 wrote to memory of 1816	4000	xizozo.exe	108
PID 4000 wrote to memory of 1816	4000	xizozo.exe	108
PID 4000 wrote to memory of 1816	4000	xizozo.exe	108

C:\Users\Admin\AppData\Local\Temp\0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe
"C:\Users\Admin\AppData\Local\Temp\0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\junur.exe
  "C:\Users\Admin\AppData\Local\Temp\junur.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\xizozo.exe
    "C:\Users\Admin\AppData\Local\Temp\xizozo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\dequy.exe
      "C:\Users\Admin\AppData\Local\Temp\dequy.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
8e2ddc9b7d610ce7c9002692d6dadefb

SHA1
8e9e99e324b4ed9fa0f11558cc66d3d914ec5311

SHA256
fdc41635da69921595873c34b45e62c8e3c47b769facce46664aab433e389a73

SHA512
61033c9d52412b454ea0204483405400fb726e3ad5fcd9876b36bf5aa3945c329cec848fdb5d7d0f65012770503d55da382fc0cbe61c6c1b19d85858adc042e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
c4f8be4499e10c5e3e36ca5547e0f03c

SHA1
0cc89b4c10ada460b04cf2f9c2608fea7bfc5109

SHA256
94a94d4dfa5bf5fea34a0f8b13204c46e79556ef0d34b111d48f3256088b2303

SHA512
bbc8b4c5da0311115b710aab55be087ea737b9ba8a533fe56c5a815a16335a5179ec57a944c89c7bfaac485b44681e842c6d3d23793f9e9c88ec6b67c847aec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dequy.exe

Filesize
223KB

MD5
0ffb2b17faa8462ac741899096f9e2af

SHA1
cf10ee39438c9d92f6376fdbaf90923b8cef7588

SHA256
94dc94ee3c351b924b9485eb9905a250c7e9bf8188310231e7d480f51fb522db

SHA512
7a7cc2d95013e2ea2019bd130d7c3d17c4ae848662bbc1e4c2c83291079a7195731b039c1a3fb07949ba49adc86ff930abae9418ae06bf43a4a5565e533b0475

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6fab0096961ead19a7a301237e4def65

SHA1
5a205708d5d82aedc56ed083e0961426fdb4d4ae

SHA256
cccbb7d225ec530e9cda1c643e655e4cbabbea5dcfd71fb71609c4d6a8b3bce0

SHA512
cd2f1192c98a45ee138eec6342c4ef4461dab9e1d5342d9022d6470caab305e3090e1ed2eec1567569f60eccc003349e90df0226f51623ab32c9d0806be188c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\junur.exe

Filesize
454KB

MD5
7a1c355b546fc45f2b0fe244aca1756b

SHA1
8a5709878053792de2884487c9c8b34a5c60d160

SHA256
2bc519a739118e21c33e7de26e483c5d777dc3fecbf72959dcb9590c8b97dde5

SHA512
7de2025e1ce4090078b725380c4fb3b5c692a65b9782b954b0c64f94a5f2d5c1ebe125986a5ee49e42b8492b2922d929006875ddaf6bea04cdc8172ab3374c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xizozo.exe

Filesize
454KB

MD5
cba45c0db586d3a7c42d5d80fd22dc30

SHA1
41824091de53ded162d5e3109f62b98ed46a9e32

SHA256
6ff0c2608b1dc7861d113cd1dd6edff6d17888dd898576fb0103e628fb3d7ecf

SHA512
b17c8dcc703a33b274a0f9aab858b8387fa266be1eb19900227b96c92f14d056845b5b332b553f8e0130bdd27791e894a052d465e70ae3ddb9022fc352e7981d

Download Submit
memory/764-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/764-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2764-38-0x0000000000260000-0x0000000000300000-memory.dmp

Filesize
640KB

Download
memory/2764-39-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2764-43-0x0000000000260000-0x0000000000300000-memory.dmp

Filesize
640KB

Download
memory/2764-44-0x0000000000260000-0x0000000000300000-memory.dmp

Filesize
640KB

Download
memory/2764-45-0x0000000000260000-0x0000000000300000-memory.dmp

Filesize
640KB

Download
memory/2764-46-0x0000000000260000-0x0000000000300000-memory.dmp

Filesize
640KB

Download
memory/2764-47-0x0000000000260000-0x0000000000300000-memory.dmp

Filesize
640KB

Download
memory/4000-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4000-40-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4416-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4416-13-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download