urelas | adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe
Size

448KB
MD5

030cf01cc382eea89b30d91cea2d020f
SHA1

56b6c669ffdf121f4d81507f04c77206cfc55bd1
SHA256

adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db
SHA512

ffd8f7ef91c53361dd0475c850b1836d7fca3732a0c5660725f9a465fbb90e51339790e96bdfaf7ea51c1c0db4b629d3abc883cac5ba8b8e863e77ef9352448d
SSDEEP

6144:FEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpddOMk:FMpASIcWYx2U6hAJQn2M

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	mysul.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	yjulav.exe

Executes dropped EXE 3 IoCs

pid	Process
2564	mysul.exe
1612	yjulav.exe
2904	duahx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe
2904	duahx.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2564	1520	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe	88
PID 1520 wrote to memory of 2564	1520	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe	88
PID 1520 wrote to memory of 2564	1520	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe	88
PID 1520 wrote to memory of 2632	1520	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe	89
PID 1520 wrote to memory of 2632	1520	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe	89
PID 1520 wrote to memory of 2632	1520	adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe	89
PID 2564 wrote to memory of 1612	2564	mysul.exe	91
PID 2564 wrote to memory of 1612	2564	mysul.exe	91
PID 2564 wrote to memory of 1612	2564	mysul.exe	91
PID 1612 wrote to memory of 2904	1612	yjulav.exe	100
PID 1612 wrote to memory of 2904	1612	yjulav.exe	100
PID 1612 wrote to memory of 2904	1612	yjulav.exe	100
PID 1612 wrote to memory of 4376	1612	yjulav.exe	101
PID 1612 wrote to memory of 4376	1612	yjulav.exe	101
PID 1612 wrote to memory of 4376	1612	yjulav.exe	101

C:\Users\Admin\AppData\Local\Temp\adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe
"C:\Users\Admin\AppData\Local\Temp\adab1da91f10c9bf3e376f0128163a783f8edf5fd8d1deccd604cbc18b49e9db.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\mysul.exe
  "C:\Users\Admin\AppData\Local\Temp\mysul.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\yjulav.exe
    "C:\Users\Admin\AppData\Local\Temp\yjulav.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\duahx.exe
      "C:\Users\Admin\AppData\Local\Temp\duahx.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:4376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
a810f1fb94f5f03b7c77a1f77635885e

SHA1
127a2e4c57c18b729cfd6aea921ab50d83642c06

SHA256
3314b6f7646063c627d11282a1358e0dcc6d9e2ebcc9dc9752e4c9d2244ef929

SHA512
b231af5b68f8f351c8db9e958eed441aabbc6b82e9f51c54552fb2a149b85d51cd024330a2811ef52ab94ca70fbdd823438b8edd92167eb6f176498baa5007cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
0b156f267d556048eb9a3946209f8119

SHA1
3901f88b51d92d18067abe25361ec14fb0090213

SHA256
2a09a01585543399f74e84a64fbff8245a1220441b56511bc59affd7ccce6cac

SHA512
ebecd955f5ad3829f62f18937761a73679cb05797394f87c3134b56d55f8c957de5726073f7af68fb6116059bb0e9c8a64ef6921b8b2d35a048da79cc8fc6e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\duahx.exe

Filesize
223KB

MD5
ca94da0b1c58cc14826f086594aa4749

SHA1
b6cb9228588cd89d50b27f1aff2e6977e64de0e3

SHA256
889939c881cb7991788190c7a77669520327fa8b3ef81e6a86bc2a415528cf1d

SHA512
7374a176a7ed2ea96b975c1e18536e0caaa1fac9b9a5b1c9e279d25b8a0e813771de68c179390de46a085fadb43a254044ace2e76179adb432435aafa83f85ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
258fcb59246cf5dea1b4f5b15c11f6d4

SHA1
410e866c2c0705a1e982227d2b151079ea803e12

SHA256
ed62a80a8223125ee6e328fef71d5b0758259a8a1520e90fea818f2f67233c14

SHA512
1025a92b34bc37b3b094ee5c1672367c10f2cd026a1e20c2806972c36fefa07ad94bb759725a8269f92bc765efc1300b671b07704fb9f349544d12c31971c87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mysul.exe

Filesize
448KB

MD5
b0951774b8f668b709ef8413a8821f80

SHA1
48e56922d978a93f56318186b0bd06354a3d2bc2

SHA256
72b86db4edf0c74d94bc736bde75744b3b79098e4ac9067f52f16660b302357e

SHA512
d40d99bda3a70bf7be1ee4bd30d7df73f7dcf0aeb4dab6c605356ee109d90a26d895bfdb86e167bcdb00d892e8f1bd69f50fb57e2952b72e18fc7f30738556ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjulav.exe

Filesize
448KB

MD5
8f0f195065501f860a97052a43f81660

SHA1
2a8bb8e22a6200774f86111f09910c5e62333a41

SHA256
8bbb11e2d51f499688e2899578ef92992260f208c87f7e678332601bc1c7f35f

SHA512
324271c38ee6c1a25b3d6c9125a224d6c5dfd33f36197b0a374bd8f3a64e1092eb43d9e13b528168a0cd7dc70f2feac9998ccd517ad658dba67aa7a0f1c96282

Download Submit
memory/1520-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1520-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1612-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1612-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2564-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2904-38-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2904-37-0x00000000001F0000-0x0000000000290000-memory.dmp

Filesize
640KB

Download
memory/2904-42-0x00000000001F0000-0x0000000000290000-memory.dmp

Filesize
640KB

Download
memory/2904-43-0x00000000001F0000-0x0000000000290000-memory.dmp

Filesize
640KB

Download
memory/2904-44-0x00000000001F0000-0x0000000000290000-memory.dmp

Filesize
640KB

Download
memory/2904-45-0x00000000001F0000-0x0000000000290000-memory.dmp

Filesize
640KB

Download
memory/2904-46-0x00000000001F0000-0x0000000000290000-memory.dmp

Filesize
640KB

Download