urelas | 6a0cb915a305440c4c85830c53a10e106dddc94fc36c317ca7d682814ae399d6

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9207d62c7e2a8578f4f34d3322a05d84_JC.exe
Size

315KB
MD5

9207d62c7e2a8578f4f34d3322a05d84
SHA1

61ae5264a1bdecbf0183503c7003c0fc6081cf3c
SHA256

6a0cb915a305440c4c85830c53a10e106dddc94fc36c317ca7d682814ae399d6
SHA512

91df21974e94104c1239dc794f4c9bf42c2ffaa0c1e84d4d6221abb9910dc7bddd8f7bb3bd5654b2fb694c045205844d071c64d2791eb208feec435b87fce065
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+Xh:vHW138/iXWlK885rKlGSekcj66cih

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2756	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2108	jybit.exe
2100	wiynq.exe

Loads dropped DLL 2 IoCs

pid	Process
2212	9207d62c7e2a8578f4f34d3322a05d84_JC.exe
2108	jybit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe
2100	wiynq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2108	2212	9207d62c7e2a8578f4f34d3322a05d84_JC.exe	28
PID 2212 wrote to memory of 2108	2212	9207d62c7e2a8578f4f34d3322a05d84_JC.exe	28
PID 2212 wrote to memory of 2108	2212	9207d62c7e2a8578f4f34d3322a05d84_JC.exe	28
PID 2212 wrote to memory of 2108	2212	9207d62c7e2a8578f4f34d3322a05d84_JC.exe	28
PID 2212 wrote to memory of 2756	2212	9207d62c7e2a8578f4f34d3322a05d84_JC.exe	30
PID 2212 wrote to memory of 2756	2212	9207d62c7e2a8578f4f34d3322a05d84_JC.exe	30
PID 2212 wrote to memory of 2756	2212	9207d62c7e2a8578f4f34d3322a05d84_JC.exe	30
PID 2212 wrote to memory of 2756	2212	9207d62c7e2a8578f4f34d3322a05d84_JC.exe	30
PID 2108 wrote to memory of 2100	2108	jybit.exe	33
PID 2108 wrote to memory of 2100	2108	jybit.exe	33
PID 2108 wrote to memory of 2100	2108	jybit.exe	33
PID 2108 wrote to memory of 2100	2108	jybit.exe	33

C:\Users\Admin\AppData\Local\Temp\9207d62c7e2a8578f4f34d3322a05d84_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9207d62c7e2a8578f4f34d3322a05d84_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\jybit.exe
  "C:\Users\Admin\AppData\Local\Temp\jybit.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\wiynq.exe
    "C:\Users\Admin\AppData\Local\Temp\wiynq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
4f7b4bb52943640bc703f35035b1e215

SHA1
2fb618d9e165c33ac2dfcfbba46dbcfae2149551

SHA256
fb4535d9be207eae08fb992c872f8822421ee44558f37f863944bbb680c00720

SHA512
0529e2ccff52768c0bb6a766bb87b79df91b30c1e607b561c1e7d5b5e6609ed8c8d8bd44b42ca4f54db605fc3d1ab5e469fa99cfadb1fc9bdb5b3f435b62f174

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
4f7b4bb52943640bc703f35035b1e215

SHA1
2fb618d9e165c33ac2dfcfbba46dbcfae2149551

SHA256
fb4535d9be207eae08fb992c872f8822421ee44558f37f863944bbb680c00720

SHA512
0529e2ccff52768c0bb6a766bb87b79df91b30c1e607b561c1e7d5b5e6609ed8c8d8bd44b42ca4f54db605fc3d1ab5e469fa99cfadb1fc9bdb5b3f435b62f174

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0565ff35ef6de5ab71c2bc1e79593c13

SHA1
f7dd31ccd65bf55aacef433ec5d32d0edae857e1

SHA256
624ea27fbb855df15661ceb958261a8461e3754696d50d4e4e2961243c2627c3

SHA512
44661cb357248a524977eac4ab6926e480f90c84191400e124c08bb49b7ab4beca988911ee27a30d0c37682607af284fefd54c40c0674a150fc30ba45e0ca890

Download Submit
C:\Users\Admin\AppData\Local\Temp\jybit.exe

Filesize
315KB

MD5
40d9f2bf99a2e5daf8c0b20fbd4e5106

SHA1
aba1a41037be82796f7b9d639007b4a93200a343

SHA256
6117b02bec73ed1fc0a631f9c39663ce78be22bb1c5e1581dd807f014d3924a3

SHA512
396b3b8ca79d82af412d4adb32a9778cd4f3d101dc595e785939ff2afda70b31fbfac20a905ce987b32ed3d40f8453323303ebaf28b16a1c271859c6adfe735a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jybit.exe

Filesize
315KB

MD5
40d9f2bf99a2e5daf8c0b20fbd4e5106

SHA1
aba1a41037be82796f7b9d639007b4a93200a343

SHA256
6117b02bec73ed1fc0a631f9c39663ce78be22bb1c5e1581dd807f014d3924a3

SHA512
396b3b8ca79d82af412d4adb32a9778cd4f3d101dc595e785939ff2afda70b31fbfac20a905ce987b32ed3d40f8453323303ebaf28b16a1c271859c6adfe735a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiynq.exe

Filesize
172KB

MD5
a4652b2546f35d1510ae2feea9ea0aad

SHA1
67d6f627e31eab2d8cc1b1666dcd860f51710e06

SHA256
b66315e2eb7ee4ea48b11c233055fa7c109f4a287d14cc3f9293da5308edbe0d

SHA512
b93064cb4ac6902895966f4e2219d3012bc618bcb2e32737cb44c631759ea24b69fc325db25ffa66e0c055e1e57c0a9d7e9ad2cfb2bbf62b4174db268aad62d3

Download Submit
\Users\Admin\AppData\Local\Temp\jybit.exe

Filesize
315KB

MD5
40d9f2bf99a2e5daf8c0b20fbd4e5106

SHA1
aba1a41037be82796f7b9d639007b4a93200a343

SHA256
6117b02bec73ed1fc0a631f9c39663ce78be22bb1c5e1581dd807f014d3924a3

SHA512
396b3b8ca79d82af412d4adb32a9778cd4f3d101dc595e785939ff2afda70b31fbfac20a905ce987b32ed3d40f8453323303ebaf28b16a1c271859c6adfe735a

Download Submit
\Users\Admin\AppData\Local\Temp\wiynq.exe

Filesize
172KB

MD5
a4652b2546f35d1510ae2feea9ea0aad

SHA1
67d6f627e31eab2d8cc1b1666dcd860f51710e06

SHA256
b66315e2eb7ee4ea48b11c233055fa7c109f4a287d14cc3f9293da5308edbe0d

SHA512
b93064cb4ac6902895966f4e2219d3012bc618bcb2e32737cb44c631759ea24b69fc325db25ffa66e0c055e1e57c0a9d7e9ad2cfb2bbf62b4174db268aad62d3

Download Submit
memory/2100-43-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2100-47-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2100-50-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2100-49-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2100-48-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2100-46-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2100-38-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2100-41-0x0000000000260000-0x00000000002F9000-memory.dmp

Filesize
612KB

Download
memory/2108-40-0x0000000001230000-0x00000000012B1000-memory.dmp

Filesize
516KB

Download
memory/2108-18-0x0000000001230000-0x00000000012B1000-memory.dmp

Filesize
516KB

Download
memory/2108-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2108-36-0x0000000003590000-0x0000000003629000-memory.dmp

Filesize
612KB

Download
memory/2108-23-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2108-22-0x0000000001230000-0x00000000012B1000-memory.dmp

Filesize
516KB

Download
memory/2212-0-0x0000000001020000-0x00000000010A1000-memory.dmp

Filesize
516KB

Download
memory/2212-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2212-17-0x0000000001020000-0x00000000010A1000-memory.dmp

Filesize
516KB

Download