urelas | 3ba775a7bddba87b7e38e7ad76ec77cb749dfc50dd05709e28538e757b6dc50a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ba775a7bddba87b7e38e7ad76ec77cb749dfc50dd05709e28538e757b6dc50a.exe
Size

487KB
MD5

bd7118d5d28a3a98af688895fd402aa5
SHA1

ac575bc7279d93f8ca046eea9e3f30e354a595b3
SHA256

3ba775a7bddba87b7e38e7ad76ec77cb749dfc50dd05709e28538e757b6dc50a
SHA512

53c75307ae50e945060c636a53d2df226db1820688c0aaebb03948c0f57723aca3a19fb10414db713725053090fe3ebaee9ff387e3492f5891ff928987ddcbeb
SSDEEP

6144:Ptozn+Wlxaki4aEVd+9fg0lnwzBDFqzRoRXOmbvRQ20g9nE:K+Wlo++9fg0lwzN0RY+mbvrI

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	3ba775a7bddba87b7e38e7ad76ec77cb749dfc50dd05709e28538e757b6dc50a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	myzos.exe

Executes dropped EXE 2 IoCs

pid	Process
2512	myzos.exe
4924	veluz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe
4924	veluz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2512	2304	3ba775a7bddba87b7e38e7ad76ec77cb749dfc50dd05709e28538e757b6dc50a.exe	90
PID 2304 wrote to memory of 2512	2304	3ba775a7bddba87b7e38e7ad76ec77cb749dfc50dd05709e28538e757b6dc50a.exe	90
PID 2304 wrote to memory of 2512	2304	3ba775a7bddba87b7e38e7ad76ec77cb749dfc50dd05709e28538e757b6dc50a.exe	90
PID 2304 wrote to memory of 4908	2304	3ba775a7bddba87b7e38e7ad76ec77cb749dfc50dd05709e28538e757b6dc50a.exe	91
PID 2304 wrote to memory of 4908	2304	3ba775a7bddba87b7e38e7ad76ec77cb749dfc50dd05709e28538e757b6dc50a.exe	91
PID 2304 wrote to memory of 4908	2304	3ba775a7bddba87b7e38e7ad76ec77cb749dfc50dd05709e28538e757b6dc50a.exe	91
PID 2512 wrote to memory of 4924	2512	myzos.exe	110
PID 2512 wrote to memory of 4924	2512	myzos.exe	110
PID 2512 wrote to memory of 4924	2512	myzos.exe	110

C:\Users\Admin\AppData\Local\Temp\3ba775a7bddba87b7e38e7ad76ec77cb749dfc50dd05709e28538e757b6dc50a.exe
"C:\Users\Admin\AppData\Local\Temp\3ba775a7bddba87b7e38e7ad76ec77cb749dfc50dd05709e28538e757b6dc50a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\myzos.exe
  "C:\Users\Admin\AppData\Local\Temp\myzos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\veluz.exe
    "C:\Users\Admin\AppData\Local\Temp\veluz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
1a67e16404818dce4b26720fd4de16e9

SHA1
5836c0c84b18e616cdbce4ebf77af7a32d88c35f

SHA256
0426592b89e7fac3a176cb215dd9c01e898c03a7ce281edb54b903c49508660c

SHA512
d0491931a9c9d9d3214f387104be2d0cae26aaa568858e60f74d85630a60806aaba4cd37032a5c029c2e136a54ae3483901f07b5e5c947308c64dbcc414b1af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6494bf14f2f37ff2a7d5fe624171ca42

SHA1
59d53a9cac5df3e15a5787fda4ed95ed3b954a73

SHA256
402b1ee3c9088883c9ed27a884b6ecb658d671632c0ab222a114b1563c740eae

SHA512
025fca36a8a1f0aaab18cb784fd32f9de0aaa89d23032b775267183deeee93ce073c62ce151d33c34ab5654c601ff331573e0db4396e9932f4dddaabd09fd922

Download Submit
C:\Users\Admin\AppData\Local\Temp\myzos.exe

Filesize
487KB

MD5
c823a8b7ae5259b27368475840fccd80

SHA1
94bfbf306cf98c1c32c905a67807780d30057e1f

SHA256
d0a5e8f110932c07655564671700a7f5aabe8cd45618942d1d645295a75809a5

SHA512
7d859410fb1e164ca1787df94a5a1db41f5cf2d6ff93fb000ccd0cd675fef09c286bdbb47aaf22e7cf1d486c76689d22b035196393c4cb408f32e3c7619b3755

Download Submit
C:\Users\Admin\AppData\Local\Temp\veluz.exe

Filesize
178KB

MD5
b7d42a4b7e4b06ff0897c84867f2105c

SHA1
c50a86d59401448bae3ac768075695e018da36dc

SHA256
a385a6b972e17d808323dd9f1554bb7af4d2489651944399c19f6df1e9f30e04

SHA512
ba348fdb291183d5118f3d2be19e6691cd7c46f965e1afad14f5ba11b10399c2befa421812c8a0d567a431abed12d9c1cd596bd77c0419e14e9e3b4e9fcc4e92

Download Submit
memory/2304-1-0x0000000001390000-0x0000000001392000-memory.dmp

Filesize
8KB

Download
memory/2304-0-0x0000000000A70000-0x0000000000AA6000-memory.dmp

Filesize
216KB

Download
memory/2304-16-0x0000000000A70000-0x0000000000AA6000-memory.dmp

Filesize
216KB

Download
memory/2512-19-0x0000000000EC0000-0x0000000000EF6000-memory.dmp

Filesize
216KB

Download
memory/2512-14-0x0000000000D40000-0x0000000000D42000-memory.dmp

Filesize
8KB

Download
memory/2512-13-0x0000000000EC0000-0x0000000000EF6000-memory.dmp

Filesize
216KB

Download
memory/2512-35-0x0000000000EC0000-0x0000000000EF6000-memory.dmp

Filesize
216KB

Download
memory/4924-37-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4924-38-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/4924-40-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4924-41-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4924-42-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4924-43-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4924-44-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download