urelas | 4e16aa00f35995b82c1a80f32cfef7ba9030b033a83c475690d7ab91314f769e

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 18:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4e16aa00f35995b82c1a80f32cfef7ba9030b033a83c475690d7ab91314f769e.exe
Size

458KB
MD5

f02585343d9a079a7b9706a616a76936
SHA1

6e20e47c0fdee952f27f6947a58fd6d854bce01f
SHA256

4e16aa00f35995b82c1a80f32cfef7ba9030b033a83c475690d7ab91314f769e
SHA512

15af22556b1b7d1f5880bc9e80852db0bf34cd38ce531b5218b5919644a64b2683a59dd83e1011742cef4e503a15dca490ce1fc539e55d52ebe26d9bde74065b
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFTWHX6:CMpASIcWYx2U6hAJQnj36

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	4e16aa00f35995b82c1a80f32cfef7ba9030b033a83c475690d7ab91314f769e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	teovw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	numiko.exe

Executes dropped EXE 3 IoCs

pid	Process
1224	teovw.exe
1964	numiko.exe
3596	voyvq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe
3596	voyvq.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 1224	4176	4e16aa00f35995b82c1a80f32cfef7ba9030b033a83c475690d7ab91314f769e.exe	91
PID 4176 wrote to memory of 1224	4176	4e16aa00f35995b82c1a80f32cfef7ba9030b033a83c475690d7ab91314f769e.exe	91
PID 4176 wrote to memory of 1224	4176	4e16aa00f35995b82c1a80f32cfef7ba9030b033a83c475690d7ab91314f769e.exe	91
PID 4176 wrote to memory of 4832	4176	4e16aa00f35995b82c1a80f32cfef7ba9030b033a83c475690d7ab91314f769e.exe	92
PID 4176 wrote to memory of 4832	4176	4e16aa00f35995b82c1a80f32cfef7ba9030b033a83c475690d7ab91314f769e.exe	92
PID 4176 wrote to memory of 4832	4176	4e16aa00f35995b82c1a80f32cfef7ba9030b033a83c475690d7ab91314f769e.exe	92
PID 1224 wrote to memory of 1964	1224	teovw.exe	94
PID 1224 wrote to memory of 1964	1224	teovw.exe	94
PID 1224 wrote to memory of 1964	1224	teovw.exe	94
PID 1964 wrote to memory of 3596	1964	numiko.exe	113
PID 1964 wrote to memory of 3596	1964	numiko.exe	113
PID 1964 wrote to memory of 3596	1964	numiko.exe	113
PID 1964 wrote to memory of 4940	1964	numiko.exe	114
PID 1964 wrote to memory of 4940	1964	numiko.exe	114
PID 1964 wrote to memory of 4940	1964	numiko.exe	114

C:\Users\Admin\AppData\Local\Temp\4e16aa00f35995b82c1a80f32cfef7ba9030b033a83c475690d7ab91314f769e.exe
"C:\Users\Admin\AppData\Local\Temp\4e16aa00f35995b82c1a80f32cfef7ba9030b033a83c475690d7ab91314f769e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Users\Admin\AppData\Local\Temp\teovw.exe
  "C:\Users\Admin\AppData\Local\Temp\teovw.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\numiko.exe
    "C:\Users\Admin\AppData\Local\Temp\numiko.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\voyvq.exe
      "C:\Users\Admin\AppData\Local\Temp\voyvq.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:4940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
a772f3f8ad6ff41abaaedb5965592c61

SHA1
951f0c8b3b332ff1aceed9b4f4f842a2276fa212

SHA256
2ca908e0be70418902a29f341a6f2d4a15474f4536f432378012f2aa7e72771e

SHA512
5a00c8634e94b0f946b965a8bafd6eb89820b7641ec4c8bafc4769e9b6afc01268e22bc2a6a545a4b871dbe035faf7e48f6f8e193a2379d3073e3d90d8287233

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
6f71d2748291cf830a18ab664bdf6df6

SHA1
ae0bf57cefc41ac5318b030145a8dfdcd29d6744

SHA256
3765125ef02b2725f3d77da90f7dd11d9acebab55daf6ce713b4161b4937ec92

SHA512
7a434020abb3899164ced08b1c9fba731517d5c8e7df4496c2fe2acfb56bb1a5db3f073d078c8662ff9721bc03873b7e35ecb383f31df2d5778f13dc74ef64de

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
949206a98253929d00b7f4c4446ef6d3

SHA1
f8f71c83e339c56152bca96fae8bf46dd2656897

SHA256
60698ec738a71dd1ba60a0f58c713c059a5658c761f5b2f49b8777d97989c3c6

SHA512
c3888d9111ffea1441e92f9165a39cbed4305380ad99bd56be16c58c45395e5d73f95f0bf79b36790adce681a5b6771fc08461116d35c24f9176474883d02629

Download Submit
C:\Users\Admin\AppData\Local\Temp\numiko.exe

Filesize
458KB

MD5
ba0f83aba6df801a3b217ce567c6870d

SHA1
f5e5f0dc9dd4a0423ac9fb283836fdd24e7bf712

SHA256
052701af38e1fed802665c5010d9305e01524b584ed40b2d3bf89f5ad81aee5b

SHA512
5eb92896948bc3ed4d774c20a0b6292e947200201aa71de02ac2c62cd8657b227e092cd735ebbc64b562b1aad5f540ee424fa134f21617069eae6fea8fe1cb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\teovw.exe

Filesize
458KB

MD5
4d9d33aff3b78eb4e41c2548567d9609

SHA1
c5cec60deaaa6e51efd3f61a1193146cb8fd57b8

SHA256
73e8af709555f6fa1c70e2b544c4272fded14c57abd41a003aa47d00ecb53e73

SHA512
9cb8f2e9172744c37f26ef12e4a0214a1a2306e0fb20a7d47dc65f9ba3a6043094d1c48548b19c032354ff11a369df697ea423cb51116085ad020eef64ad3e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\voyvq.exe

Filesize
223KB

MD5
0495790867c7f20ec24c7a7de5fd553b

SHA1
5f884d101b10cc27985a87d7dd9a08885416bff7

SHA256
17aeeefea9686703e8960d09cd1067a962971234f345906973affb8a52f076b2

SHA512
1724ebae1861ec265d48314c6d25d3794d23f01b7343b2de6f1889e5bcea546ecdcc5323aa0942cd6d312acf1f977da20d50a001eec62a43f98aa51c5fda3678

Download Submit
memory/1224-11-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1224-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1964-40-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1964-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3596-39-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/3596-38-0x0000000000410000-0x00000000004B0000-memory.dmp

Filesize
640KB

Download
memory/3596-43-0x0000000000410000-0x00000000004B0000-memory.dmp

Filesize
640KB

Download
memory/3596-44-0x0000000000410000-0x00000000004B0000-memory.dmp

Filesize
640KB

Download
memory/3596-45-0x0000000000410000-0x00000000004B0000-memory.dmp

Filesize
640KB

Download
memory/3596-46-0x0000000000410000-0x00000000004B0000-memory.dmp

Filesize
640KB

Download
memory/3596-47-0x0000000000410000-0x00000000004B0000-memory.dmp

Filesize
640KB

Download
memory/4176-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4176-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download