urelas | 553c81d2b260518033d823851b7666fc83bff5cabb65f4a2cc02f5d3057426fb

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
30-09-2023 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a966eb479f68989aa588f414af218189_JC.exe
Size

478KB
MD5

a966eb479f68989aa588f414af218189
SHA1

4281f1152ef582ca5f0875955c9551fbb1b1a3fd
SHA256

553c81d2b260518033d823851b7666fc83bff5cabb65f4a2cc02f5d3057426fb
SHA512

9bbdf8e41493a62072f2212a2acb923308a2ecc314ad0a9d2ae4ad3762d7cda9a391e6394aa1e1ae9310dace3b3363c2f2c0803a209b8fa9c369612ba599e255
SSDEEP

12288:k2PxDgZo3ijniea8Xih9abyNK95ZA9u3y2XWb7:k2SLi7oih9abvceo

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
1720	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1300	nymuv.exe
2680	niwun.exe

Loads dropped DLL 2 IoCs

pid	Process
2480	a966eb479f68989aa588f414af218189_JC.exe
1300	nymuv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe
2680	niwun.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1300	2480	a966eb479f68989aa588f414af218189_JC.exe	28
PID 2480 wrote to memory of 1300	2480	a966eb479f68989aa588f414af218189_JC.exe	28
PID 2480 wrote to memory of 1300	2480	a966eb479f68989aa588f414af218189_JC.exe	28
PID 2480 wrote to memory of 1300	2480	a966eb479f68989aa588f414af218189_JC.exe	28
PID 2480 wrote to memory of 1720	2480	a966eb479f68989aa588f414af218189_JC.exe	29
PID 2480 wrote to memory of 1720	2480	a966eb479f68989aa588f414af218189_JC.exe	29
PID 2480 wrote to memory of 1720	2480	a966eb479f68989aa588f414af218189_JC.exe	29
PID 2480 wrote to memory of 1720	2480	a966eb479f68989aa588f414af218189_JC.exe	29
PID 1300 wrote to memory of 2680	1300	nymuv.exe	33
PID 1300 wrote to memory of 2680	1300	nymuv.exe	33
PID 1300 wrote to memory of 2680	1300	nymuv.exe	33
PID 1300 wrote to memory of 2680	1300	nymuv.exe	33

C:\Users\Admin\AppData\Local\Temp\a966eb479f68989aa588f414af218189_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a966eb479f68989aa588f414af218189_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\nymuv.exe
  "C:\Users\Admin\AppData\Local\Temp\nymuv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Users\Admin\AppData\Local\Temp\niwun.exe
    "C:\Users\Admin\AppData\Local\Temp\niwun.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
30953483ec8f91e8f7bce81282dd76dd

SHA1
086485187200c7f90f2e15a63541f751ed10fc95

SHA256
c412481ada3d30aa2c8eaeba73dd9b23f45967b7ca0b7ad50f3e76c29cf49a07

SHA512
adffffeeb3b28c1235f6f363142299b9556f9f66be1de3787c812e920577ca51a3ac6ff179814dbd8d96a78ac47b38a9c5570204f537810ae83af7d6b764ff69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
30953483ec8f91e8f7bce81282dd76dd

SHA1
086485187200c7f90f2e15a63541f751ed10fc95

SHA256
c412481ada3d30aa2c8eaeba73dd9b23f45967b7ca0b7ad50f3e76c29cf49a07

SHA512
adffffeeb3b28c1235f6f363142299b9556f9f66be1de3787c812e920577ca51a3ac6ff179814dbd8d96a78ac47b38a9c5570204f537810ae83af7d6b764ff69

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
47cb6bf9f337f99f81f75fdcfa0fc046

SHA1
5170c4658179527e65d68585cf2169e53d30ffc2

SHA256
cdec0123ef58aab274fc6cab46612d9e2fdefd7fb74d1403304f830b24b43f1a

SHA512
736d529321762c1040cdd5acce27244619b9f7b94fb239cfb04f87abcfb813a2736b5da4f4891b9beb1ff2f18411ecd426b532df9640a23a1c557ed41497d8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\niwun.exe

Filesize
200KB

MD5
4ff3f70b99e20c93e7181c958f7652ba

SHA1
5add0abc8c619d83c4f91f2b8a3bb65846c33ce1

SHA256
b2c010097fe01db22a7d475a63869af8bddb0e663c896fbf26cb5b4061497a91

SHA512
542e29e947d70876a669090ddadfe46f031daf6493be59abb65db44ea76498bbd4751dd2dd31b1abd4af917d3a3c13b9c33f0ba05ddf9b0ba65636bcb3592475

Download Submit
C:\Users\Admin\AppData\Local\Temp\nymuv.exe

Filesize
479KB

MD5
111061dbbe719d62e715d7faa9f8a035

SHA1
05ba0fc72a8116a233b91bca9a2f07db34539920

SHA256
a41f5ebcb18419fb182a3c27890b69d4aa7f2a6eca53b6e9f93780f324e604e9

SHA512
810a28d365c16ab28fd0a469d0cfe65528b964ce712fc79e06dc5250d860b2b41e93568071e4271bdd0a773cb0ae2eb4eb51fc0929c9d457ffde72e13ae97155

Download Submit
C:\Users\Admin\AppData\Local\Temp\nymuv.exe

Filesize
479KB

MD5
111061dbbe719d62e715d7faa9f8a035

SHA1
05ba0fc72a8116a233b91bca9a2f07db34539920

SHA256
a41f5ebcb18419fb182a3c27890b69d4aa7f2a6eca53b6e9f93780f324e604e9

SHA512
810a28d365c16ab28fd0a469d0cfe65528b964ce712fc79e06dc5250d860b2b41e93568071e4271bdd0a773cb0ae2eb4eb51fc0929c9d457ffde72e13ae97155

Download Submit
\Users\Admin\AppData\Local\Temp\niwun.exe

Filesize
200KB

MD5
4ff3f70b99e20c93e7181c958f7652ba

SHA1
5add0abc8c619d83c4f91f2b8a3bb65846c33ce1

SHA256
b2c010097fe01db22a7d475a63869af8bddb0e663c896fbf26cb5b4061497a91

SHA512
542e29e947d70876a669090ddadfe46f031daf6493be59abb65db44ea76498bbd4751dd2dd31b1abd4af917d3a3c13b9c33f0ba05ddf9b0ba65636bcb3592475

Download Submit
\Users\Admin\AppData\Local\Temp\nymuv.exe

Filesize
479KB

MD5
111061dbbe719d62e715d7faa9f8a035

SHA1
05ba0fc72a8116a233b91bca9a2f07db34539920

SHA256
a41f5ebcb18419fb182a3c27890b69d4aa7f2a6eca53b6e9f93780f324e604e9

SHA512
810a28d365c16ab28fd0a469d0cfe65528b964ce712fc79e06dc5250d860b2b41e93568071e4271bdd0a773cb0ae2eb4eb51fc0929c9d457ffde72e13ae97155

Download Submit
memory/1300-24-0x00000000027B0000-0x0000000002864000-memory.dmp

Filesize
720KB

Download
memory/2480-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2680-26-0x0000000000F70000-0x0000000001024000-memory.dmp

Filesize
720KB

Download
memory/2680-28-0x0000000000F70000-0x0000000001024000-memory.dmp

Filesize
720KB

Download
memory/2680-29-0x0000000000F70000-0x0000000001024000-memory.dmp

Filesize
720KB

Download
memory/2680-30-0x0000000000F70000-0x0000000001024000-memory.dmp

Filesize
720KB

Download
memory/2680-31-0x0000000000F70000-0x0000000001024000-memory.dmp

Filesize
720KB

Download
memory/2680-32-0x0000000000F70000-0x0000000001024000-memory.dmp

Filesize
720KB

Download