urelas | 29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe
Size

448KB
MD5

abc7af471759c348bed8520bf15295ef
SHA1

08064f0d39b9422c5d7b119831ccedea872ccdab
SHA256

29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c
SHA512

ab1a4715c6cf1e8d2fd0b62c4d2d167ddd7de9f0bfb5bb735f11f8e4df767badfcfc1dbadb3bedecc651ec3b4dc26be202ad3425f959991a6271265a393e8818
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjdOS:oMpASIcWYx2U6hAJQnMh

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	vaqoqy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	kukoz.exe

Executes dropped EXE 3 IoCs

pid	Process
4796	kukoz.exe
4912	vaqoqy.exe
4456	vejuu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe
4456	vejuu.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 4796	3036	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe	85
PID 3036 wrote to memory of 4796	3036	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe	85
PID 3036 wrote to memory of 4796	3036	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe	85
PID 3036 wrote to memory of 1672	3036	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe	87
PID 3036 wrote to memory of 1672	3036	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe	87
PID 3036 wrote to memory of 1672	3036	29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe	87
PID 4796 wrote to memory of 4912	4796	kukoz.exe	89
PID 4796 wrote to memory of 4912	4796	kukoz.exe	89
PID 4796 wrote to memory of 4912	4796	kukoz.exe	89
PID 4912 wrote to memory of 4456	4912	vaqoqy.exe	95
PID 4912 wrote to memory of 4456	4912	vaqoqy.exe	95
PID 4912 wrote to memory of 4456	4912	vaqoqy.exe	95
PID 4912 wrote to memory of 5000	4912	vaqoqy.exe	96
PID 4912 wrote to memory of 5000	4912	vaqoqy.exe	96
PID 4912 wrote to memory of 5000	4912	vaqoqy.exe	96

C:\Users\Admin\AppData\Local\Temp\29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe
"C:\Users\Admin\AppData\Local\Temp\29d5b4920a82e19663022125d2d531ac0f460ffa99d6e6e0351e920dd43e778c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\kukoz.exe
  "C:\Users\Admin\AppData\Local\Temp\kukoz.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\vaqoqy.exe
    "C:\Users\Admin\AppData\Local\Temp\vaqoqy.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\vejuu.exe
      "C:\Users\Admin\AppData\Local\Temp\vejuu.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:5000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
125a93a97e5490b2e3da4c51180e9eb0

SHA1
0a16ee28fb677ace3d8bc9c49a28ec6dbc66b02a

SHA256
a999f58af56ed30d85e906ea6a2ac048394c849964c2179d0a88818c56a6efd0

SHA512
7331d1f6882924cb56f0b17155d568fc49859b334661d507c8321a235c4141b360a8e8bd8944348720753420e05e44f430c62e034695f2642eb4a819ad4cb855

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c6a734fbda74a2092546a87015391584

SHA1
937fb818244a3f8935b551b6a2d7f45cf7e46e79

SHA256
46aca3e28ea3cf847157429c812d49b810602c4568c95a7a1d38f12c3fa7c576

SHA512
d03ddf6df76b8f70c2701b621e37e9ab46d2e49303fcaaed81009dd972708b959275c402189ab648943ca6e5f593c71f2c7e1358d1f3f1a197ce62b8c4f902ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
69ac93da1cb2733f7ac087511d58c410

SHA1
5d81b21302d9aa4bbb87915b57e952f2de240d49

SHA256
0c07d6d691e668da2f522c5ec98939913244ebcf1a70dfcac55c8a8edac31ad7

SHA512
7752138952404b1dd1639fa2e18fa6f86dc3927ae2595f1acd03be2165d7c11543ff89fc16f015e5e089efc5ef08eab9b0e8fe53468247b41fe4b9af2c5db065

Download Submit
C:\Users\Admin\AppData\Local\Temp\kukoz.exe

Filesize
448KB

MD5
05c06a547fe8e896d371073f1330ee44

SHA1
91985d5d2d98046e1d1025e60d6950e7caf75366

SHA256
4f285c3041938b928ecb54f1e607cc85182e8470adfdde8debdf836b35f3f02e

SHA512
a8c9bf3d9dd43b75f56c4d1ac02e36dce4719d962dbb357056f1b2ff0905105a8136436cb82886bb58a89dd8f5b8822462f131b9c013d18d98c5dfc844339c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaqoqy.exe

Filesize
448KB

MD5
34f26193e826a1cb998e89ef61a8e3fc

SHA1
f7e13d997fb22a0d5bd4271952140c126b77a750

SHA256
5f3d0bd5be5f0d6268a8054071780facd04165321d285ee3847e4e3666d393b0

SHA512
282901861bbf17cd9b099713d04cd4b94fb03d5b6a44d92fccf6bb053495233e2e24871725421ee53868ee5d1638d718184ebc2bb5111a945df2179c0969231a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vejuu.exe

Filesize
223KB

MD5
017c439e96523550902b7f5e92e6c215

SHA1
95e2dc51a5d72fe7e2afd454a158c80a5c93507f

SHA256
f9f1100e5a4b29ec11cde56dd444be0649d52ce53070f6a5ecd84b8b42529437

SHA512
81de7bd5eaa95f8b02b374454a70ecb20fd773b6e907cea8fe6d4dd97cc2345345e2c5d1974d32a6def1a87cb677b85dec7c1722ab6b8b92bee44409be5c0ce9

Download Submit
memory/3036-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3036-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4456-46-0x0000000000A30000-0x0000000000AD0000-memory.dmp

Filesize
640KB

Download
memory/4456-37-0x0000000000A30000-0x0000000000AD0000-memory.dmp

Filesize
640KB

Download
memory/4456-39-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4456-47-0x0000000000A30000-0x0000000000AD0000-memory.dmp

Filesize
640KB

Download
memory/4456-43-0x0000000000A30000-0x0000000000AD0000-memory.dmp

Filesize
640KB

Download
memory/4456-44-0x0000000000A30000-0x0000000000AD0000-memory.dmp

Filesize
640KB

Download
memory/4456-45-0x0000000000A30000-0x0000000000AD0000-memory.dmp

Filesize
640KB

Download
memory/4796-23-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4796-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4912-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4912-40-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download