urelas | d0d73efe8ddf13325f7f136d18c18b0e8584a0747129ac7994a88054a448b168

Analysis

max time kernel
122s
max time network
131s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 06:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3994c840d6f44530b65344ae7db13510_JC.exe
Size

436KB
MD5

3994c840d6f44530b65344ae7db13510
SHA1

291b9f6494d6a4b3f105f8d91b558f90582164c5
SHA256

d0d73efe8ddf13325f7f136d18c18b0e8584a0747129ac7994a88054a448b168
SHA512

dad1da2bcdd177da87c6476268b8eb7c352c9890dc754c35320825dde5ecb320cbe6cb772eb74fd08547537cce9306f8fe4c68caac2ae534e52636aa2265eade
SSDEEP

3072:yZ3vlHjQhJ3wE8iGK01Py3Vvsa26nfjQb6uNHG+yi38/rwdusS9V0alO2alNjgSr:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjoO

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2820	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2376	wufos.exe

Loads dropped DLL 1 IoCs

pid	Process
1932	3994c840d6f44530b65344ae7db13510_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2376	1932	3994c840d6f44530b65344ae7db13510_JC.exe	28
PID 1932 wrote to memory of 2376	1932	3994c840d6f44530b65344ae7db13510_JC.exe	28
PID 1932 wrote to memory of 2376	1932	3994c840d6f44530b65344ae7db13510_JC.exe	28
PID 1932 wrote to memory of 2376	1932	3994c840d6f44530b65344ae7db13510_JC.exe	28
PID 1932 wrote to memory of 2820	1932	3994c840d6f44530b65344ae7db13510_JC.exe	29
PID 1932 wrote to memory of 2820	1932	3994c840d6f44530b65344ae7db13510_JC.exe	29
PID 1932 wrote to memory of 2820	1932	3994c840d6f44530b65344ae7db13510_JC.exe	29
PID 1932 wrote to memory of 2820	1932	3994c840d6f44530b65344ae7db13510_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\3994c840d6f44530b65344ae7db13510_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3994c840d6f44530b65344ae7db13510_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\wufos.exe
  "C:\Users\Admin\AppData\Local\Temp\wufos.exe"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
745c761610d54273088f162b02159ff8

SHA1
8e1d5a30b94bc32a89a4fa03d63c1904333143af

SHA256
76bf7f32d3daa0b7ac4396446ab14d616f774ffeeed76c40addf3e56e38069d6

SHA512
e1053d5b73ff6b11edb513f4ec1f8ecebd3c4e9805bae3d07cb2fb0fb3b9441c68efced3e37b2fe61c9aeef9555c5b8e4c3de9d69a8dc8118e3cbeb04765af55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
745c761610d54273088f162b02159ff8

SHA1
8e1d5a30b94bc32a89a4fa03d63c1904333143af

SHA256
76bf7f32d3daa0b7ac4396446ab14d616f774ffeeed76c40addf3e56e38069d6

SHA512
e1053d5b73ff6b11edb513f4ec1f8ecebd3c4e9805bae3d07cb2fb0fb3b9441c68efced3e37b2fe61c9aeef9555c5b8e4c3de9d69a8dc8118e3cbeb04765af55

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d573b71c0565a3bbee1d2944c9271a65

SHA1
cb61013bd75bc417ba94ad69974078448684fb1e

SHA256
af73fd7197a61a2a945073137bbfb9599065816cd966868b2e71c23bb4d17670

SHA512
bb94482f73bf26984aceb9f8e9905d887418a19987683a3e18b5b331ac46e8c0187af01502e8df00b561b56fd7974e5045957578a8946f1d6405f3d08f95b25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wufos.exe

Filesize
436KB

MD5
c9398f32f20d8f962d5924fccb6c137f

SHA1
7800d309a5d876fd86e048c87564c4f3fa73bca3

SHA256
81abfcb8c010e731dd62916c54d2c74df2161e81cfb06caaecb9570270fca92b

SHA512
a102bd4a1c396d0f7f67f5a730c78c93f2958900917eb5ff47024b7f886b338db31927ba0c5e077e2c0d9768edf8066e92817f0b9430bc6f4242fa0b1be95fbb

Download Submit
\Users\Admin\AppData\Local\Temp\wufos.exe

Filesize
436KB

MD5
c9398f32f20d8f962d5924fccb6c137f

SHA1
7800d309a5d876fd86e048c87564c4f3fa73bca3

SHA256
81abfcb8c010e731dd62916c54d2c74df2161e81cfb06caaecb9570270fca92b

SHA512
a102bd4a1c396d0f7f67f5a730c78c93f2958900917eb5ff47024b7f886b338db31927ba0c5e077e2c0d9768edf8066e92817f0b9430bc6f4242fa0b1be95fbb

Download Submit
memory/1932-0-0x0000000000D90000-0x0000000000DFE000-memory.dmp

Filesize
440KB

Download
memory/1932-6-0x0000000000BC0000-0x0000000000C2E000-memory.dmp

Filesize
440KB

Download
memory/1932-17-0x0000000000D90000-0x0000000000DFE000-memory.dmp

Filesize
440KB

Download
memory/2376-20-0x0000000000040000-0x00000000000AE000-memory.dmp

Filesize
440KB

Download