urelas | 3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a

General

Target

3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe
Size

321KB
MD5

68507d55c249d61d7aac50987cd13b08
SHA1

075e886e5f43dcc2596964041b8ba669ddb73cee
SHA256

3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a
SHA512

872d4dbb24ec163e7d4f6143b18cfb3527e0b8203294907cd672810c227d789dcb0dc2bd6271161c4bc8191b72c6dffbe937864f2f3d000020d3e6f072b4e073
SSDEEP

6144:YRclEhSDYNRIu1dQREqjoEv8i/FuXox3+i+Lj2et3uopGYX:YRcISsNnWEmQox3+i+Ljrt+lYX

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exevuoww.exefevexa.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	vuoww.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	fevexa.exe

Executes dropped EXE 3 IoCs

Processes:

vuoww.exefevexa.exekykoe.exe

pid process

1536 vuoww.exe
4200 fevexa.exe
2440 kykoe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1536	vuoww.exe
4200	fevexa.exe
2440	kykoe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kykoe.exe

pid	process
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe
2440	kykoe.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exevuoww.exefevexa.exe

description	pid	process	target process
PID 3220 wrote to memory of 1536	3220	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe	vuoww.exe
PID 3220 wrote to memory of 1536	3220	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe	vuoww.exe
PID 3220 wrote to memory of 1536	3220	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe	vuoww.exe
PID 3220 wrote to memory of 4496	3220	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe	cmd.exe
PID 3220 wrote to memory of 4496	3220	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe	cmd.exe
PID 3220 wrote to memory of 4496	3220	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe	cmd.exe
PID 1536 wrote to memory of 4200	1536	vuoww.exe	fevexa.exe
PID 1536 wrote to memory of 4200	1536	vuoww.exe	fevexa.exe
PID 1536 wrote to memory of 4200	1536	vuoww.exe	fevexa.exe
PID 4200 wrote to memory of 2440	4200	fevexa.exe	kykoe.exe
PID 4200 wrote to memory of 2440	4200	fevexa.exe	kykoe.exe
PID 4200 wrote to memory of 2440	4200	fevexa.exe	kykoe.exe
PID 4200 wrote to memory of 1344	4200	fevexa.exe	cmd.exe
PID 4200 wrote to memory of 1344	4200	fevexa.exe	cmd.exe
PID 4200 wrote to memory of 1344	4200	fevexa.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe
"C:\Users\Admin\AppData\Local\Temp\3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\vuoww.exe
  "C:\Users\Admin\AppData\Local\Temp\vuoww.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\fevexa.exe
    "C:\Users\Admin\AppData\Local\Temp\fevexa.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Users\Admin\AppData\Local\Temp\kykoe.exe
      "C:\Users\Admin\AppData\Local\Temp\kykoe.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
994624263997aed1159fe0daf9797471

SHA1
527e5694f0731887c2483e653cd8b0de73cdaf21

SHA256
e4d3fca35b18db01948560af199aa7b7c3b015e7f146c0230946f80d96d54ad7

SHA512
1c81ed0c9d52c135a9e5be14c70919b414872e78d61a369a80b63ddcf06a2770764af4dc6552bc51a3603767ce3a83a2fb3d73a8de2f41bb1e92fc48d41f182c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
c9675922a3430b7e556173cff7a897f7

SHA1
dc667d3b12b295d8f83d6b36744641ea4ea8469e

SHA256
4bc7ab11371a9b729a5dbaa3140727b017a1aa2861a291f70c26d310eb83c263

SHA512
feae6b14ac85e38b69fbb908c89d5c46c0d6289ff3f8c6d6b6c7da53a11c3d6a572130060db75ece8fc3325f15133a43551afb047c1034141b9f7e8959a91787

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c94077e8498e06f0dd31564d3f8bfad8

SHA1
6e3087de39122fbdb165fc3c606dc20c7cc011f3

SHA256
7e4a7b5de35d404a1b7b730917f2fb92069481468344bd19624b24b798cdaad8

SHA512
03012cac47177607ff563c83e864bf9eee48d8adf50fa03850479237db925beb4052a8b40ea63b9b91775a93768b11c8c2ebc65df8c1259c28391fb49cae38ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\kykoe.exe

Filesize
204KB

MD5
afc294352db2fca083a6171f54d03923

SHA1
4264594e03e52595ce2dbe86a97a0621ba0ba671

SHA256
c246d5f7d176919e1e4c1b769e8339cef05f62d427df2b48e57178520632bbf0

SHA512
b5e2bf273d2abd9af2ad58a90ce8a32e0298aafed2528554dbf3001cdad06f2c67f634929cc369fefc188c634e0664a38d7369218d6ba87834d44a9377792d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuoww.exe

Filesize
322KB

MD5
08f4ec5ca256a755242c1e05f925a29e

SHA1
c4ec5b50f6262ecae5f816c31c40a8feada0c196

SHA256
070184ae141fe3c932fd25ffc34a6667acb03d796b29be0af3533ee04d904068

SHA512
397df8cf90fc949ae6c30014e138dc50cea4529ed684fed290ee4afffd69b8fe56ab411fb5d3d26cf92b273340bebcf55c79fb57257ba56b99ee80c05bc29421

Download Submit
memory/1536-13-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1536-14-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1536-27-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2440-55-0x0000000000180000-0x000000000021A000-memory.dmp

Filesize
616KB

Download
memory/2440-58-0x0000000000180000-0x000000000021A000-memory.dmp

Filesize
616KB

Download
memory/2440-62-0x0000000000180000-0x000000000021A000-memory.dmp

Filesize
616KB

Download
memory/2440-61-0x0000000000180000-0x000000000021A000-memory.dmp

Filesize
616KB

Download
memory/2440-60-0x0000000000180000-0x000000000021A000-memory.dmp

Filesize
616KB

Download
memory/2440-59-0x0000000000180000-0x000000000021A000-memory.dmp

Filesize
616KB

Download
memory/3220-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3220-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3220-19-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4200-29-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4200-56-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4200-34-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4200-32-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4200-30-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads