urelas | f9cc226bdcfc374ab6c5c79a8fac93384a6e8b69b67b7acf2bd4ccb9fb28e3af

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01/10/2023, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1986464de7c51ae0d4f741c15e74f16_JC.exe
Size

222KB
MD5

a1986464de7c51ae0d4f741c15e74f16
SHA1

35fbb43cb2110df64531579c473564f3f62872b7
SHA256

f9cc226bdcfc374ab6c5c79a8fac93384a6e8b69b67b7acf2bd4ccb9fb28e3af
SHA512

0f85812216ae625a89f90ae22848d10a6deb487b4867431fe12ba6043879fca85c6a0b713b9441bb558a5b819f4f51f97fa2c1883abccbedc47348cf90fe4860
SSDEEP

3072:WBKBy7+8pCOH1ch9ZLqrwrr58V2po8d3E:WkBy7+8pCOVi3L+w6MpRd3E

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2820	kiowd.exe

Loads dropped DLL 5 IoCs

pid	Process
3044	a1986464de7c51ae0d4f741c15e74f16_JC.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1772	2820	WerFault.exe	28

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2820	3044	a1986464de7c51ae0d4f741c15e74f16_JC.exe	28
PID 3044 wrote to memory of 2820	3044	a1986464de7c51ae0d4f741c15e74f16_JC.exe	28
PID 3044 wrote to memory of 2820	3044	a1986464de7c51ae0d4f741c15e74f16_JC.exe	28
PID 3044 wrote to memory of 2820	3044	a1986464de7c51ae0d4f741c15e74f16_JC.exe	28
PID 3044 wrote to memory of 2704	3044	a1986464de7c51ae0d4f741c15e74f16_JC.exe	29
PID 3044 wrote to memory of 2704	3044	a1986464de7c51ae0d4f741c15e74f16_JC.exe	29
PID 3044 wrote to memory of 2704	3044	a1986464de7c51ae0d4f741c15e74f16_JC.exe	29
PID 3044 wrote to memory of 2704	3044	a1986464de7c51ae0d4f741c15e74f16_JC.exe	29
PID 2820 wrote to memory of 1772	2820	kiowd.exe	33
PID 2820 wrote to memory of 1772	2820	kiowd.exe	33
PID 2820 wrote to memory of 1772	2820	kiowd.exe	33
PID 2820 wrote to memory of 1772	2820	kiowd.exe	33

C:\Users\Admin\AppData\Local\Temp\a1986464de7c51ae0d4f741c15e74f16_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a1986464de7c51ae0d4f741c15e74f16_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\kiowd.exe
  "C:\Users\Admin\AppData\Local\Temp\kiowd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 408
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
3542fbe4c275397a4a5b01bdfb753af0

SHA1
72cce8c341b19b9dde146a0ee8681243049245be

SHA256
645d30214386c4d1ae4adf529aebb443971b91fa8da3fcc8718c39f2df0f478f

SHA512
ea511cb723364dfc3707739d6b3919c6f1781c5394a6f9d8aacc6dc9611f17e6fa2c400669c861ec4232e5f3d2fd9d86490e7a31d0a8c761ccf7bbf1aca56089

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
3542fbe4c275397a4a5b01bdfb753af0

SHA1
72cce8c341b19b9dde146a0ee8681243049245be

SHA256
645d30214386c4d1ae4adf529aebb443971b91fa8da3fcc8718c39f2df0f478f

SHA512
ea511cb723364dfc3707739d6b3919c6f1781c5394a6f9d8aacc6dc9611f17e6fa2c400669c861ec4232e5f3d2fd9d86490e7a31d0a8c761ccf7bbf1aca56089

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6e708ef9d7739b8e3d22ad1acf0b2fee

SHA1
534b05ece3397a399aa695174809f7ccc27e6533

SHA256
87ce209972d987da5bacc34211cfcce2cec639ba5b247e37558282eb90b964e5

SHA512
9824571284d29ba30453818753ede3126d4ff0287dd9d7260430ff6d9d140f003ea363bd6a1b73acccb81ca2c29f7fa9505247463760de6ef0d62580b3cb2839

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiowd.exe

Filesize
222KB

MD5
522a348b50b311b3509fe1edddfbd229

SHA1
20a926ba2590e1f5eb55e2629de3c9bd0ec60fc2

SHA256
81ffd14203bb4ae1dd4c2fe2fab7cdef1e6cace7b3461d24599a19f564968404

SHA512
cd7f79ecb8423b6824996196ef48144cf57baea4770ab4e06e534bda443f0f3920ddab8232a72cf44c2a6bd5688eeb82403c4520e0fd5c7ce293e12f74c272e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiowd.exe

Filesize
222KB

MD5
522a348b50b311b3509fe1edddfbd229

SHA1
20a926ba2590e1f5eb55e2629de3c9bd0ec60fc2

SHA256
81ffd14203bb4ae1dd4c2fe2fab7cdef1e6cace7b3461d24599a19f564968404

SHA512
cd7f79ecb8423b6824996196ef48144cf57baea4770ab4e06e534bda443f0f3920ddab8232a72cf44c2a6bd5688eeb82403c4520e0fd5c7ce293e12f74c272e2

Download Submit
\Users\Admin\AppData\Local\Temp\kiowd.exe

Filesize
222KB

MD5
522a348b50b311b3509fe1edddfbd229

SHA1
20a926ba2590e1f5eb55e2629de3c9bd0ec60fc2

SHA256
81ffd14203bb4ae1dd4c2fe2fab7cdef1e6cace7b3461d24599a19f564968404

SHA512
cd7f79ecb8423b6824996196ef48144cf57baea4770ab4e06e534bda443f0f3920ddab8232a72cf44c2a6bd5688eeb82403c4520e0fd5c7ce293e12f74c272e2

Download Submit
\Users\Admin\AppData\Local\Temp\kiowd.exe

Filesize
222KB

MD5
522a348b50b311b3509fe1edddfbd229

SHA1
20a926ba2590e1f5eb55e2629de3c9bd0ec60fc2

SHA256
81ffd14203bb4ae1dd4c2fe2fab7cdef1e6cace7b3461d24599a19f564968404

SHA512
cd7f79ecb8423b6824996196ef48144cf57baea4770ab4e06e534bda443f0f3920ddab8232a72cf44c2a6bd5688eeb82403c4520e0fd5c7ce293e12f74c272e2

Download Submit
\Users\Admin\AppData\Local\Temp\kiowd.exe

Filesize
222KB

MD5
522a348b50b311b3509fe1edddfbd229

SHA1
20a926ba2590e1f5eb55e2629de3c9bd0ec60fc2

SHA256
81ffd14203bb4ae1dd4c2fe2fab7cdef1e6cace7b3461d24599a19f564968404

SHA512
cd7f79ecb8423b6824996196ef48144cf57baea4770ab4e06e534bda443f0f3920ddab8232a72cf44c2a6bd5688eeb82403c4520e0fd5c7ce293e12f74c272e2

Download Submit
\Users\Admin\AppData\Local\Temp\kiowd.exe

Filesize
222KB

MD5
522a348b50b311b3509fe1edddfbd229

SHA1
20a926ba2590e1f5eb55e2629de3c9bd0ec60fc2

SHA256
81ffd14203bb4ae1dd4c2fe2fab7cdef1e6cace7b3461d24599a19f564968404

SHA512
cd7f79ecb8423b6824996196ef48144cf57baea4770ab4e06e534bda443f0f3920ddab8232a72cf44c2a6bd5688eeb82403c4520e0fd5c7ce293e12f74c272e2

Download Submit
\Users\Admin\AppData\Local\Temp\kiowd.exe

Filesize
222KB

MD5
522a348b50b311b3509fe1edddfbd229

SHA1
20a926ba2590e1f5eb55e2629de3c9bd0ec60fc2

SHA256
81ffd14203bb4ae1dd4c2fe2fab7cdef1e6cace7b3461d24599a19f564968404

SHA512
cd7f79ecb8423b6824996196ef48144cf57baea4770ab4e06e534bda443f0f3920ddab8232a72cf44c2a6bd5688eeb82403c4520e0fd5c7ce293e12f74c272e2

Download Submit
memory/2820-21-0x00000000003F0000-0x0000000000426000-memory.dmp

Filesize
216KB

Download
memory/2820-10-0x00000000003F0000-0x0000000000426000-memory.dmp

Filesize
216KB

Download
memory/3044-0-0x0000000000C40000-0x0000000000C76000-memory.dmp

Filesize
216KB

Download
memory/3044-18-0x0000000000C40000-0x0000000000C76000-memory.dmp

Filesize
216KB

Download
memory/3044-6-0x0000000000830000-0x0000000000866000-memory.dmp

Filesize
216KB

Download