urelas | d6151a74dfd8cf801fd50d64b55f7cbb460de07ab075aceb19293c6654dc02c4

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15-10-2023 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

217e40a87a7b58f96a71855d84417be0_exe32_JC.exe
Size

454KB
MD5

217e40a87a7b58f96a71855d84417be0
SHA1

a6f57e4840b0f13ba6ea9e93cca756b51b017106
SHA256

d6151a74dfd8cf801fd50d64b55f7cbb460de07ab075aceb19293c6654dc02c4
SHA512

f9d67a98bb4d934d7ccc4ed9e0b46ea5bfc4c2b88e53e0813355380c5a32ac707dc586567c2e714c12f9df914948f1767b5a277d12c925d7c013ddf06652838c
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFb:CMpASIcWYx2U6hAJQn6

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2728	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1984	tyabv.exe
1624	modepy.exe
2892	moiva.exe

Loads dropped DLL 3 IoCs

pid	Process
2324	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe
1984	tyabv.exe
1624	modepy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe
2892	moiva.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1984	2324	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe	28
PID 2324 wrote to memory of 1984	2324	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe	28
PID 2324 wrote to memory of 1984	2324	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe	28
PID 2324 wrote to memory of 1984	2324	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe	28
PID 2324 wrote to memory of 2728	2324	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe	29
PID 2324 wrote to memory of 2728	2324	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe	29
PID 2324 wrote to memory of 2728	2324	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe	29
PID 2324 wrote to memory of 2728	2324	217e40a87a7b58f96a71855d84417be0_exe32_JC.exe	29
PID 1984 wrote to memory of 1624	1984	tyabv.exe	31
PID 1984 wrote to memory of 1624	1984	tyabv.exe	31
PID 1984 wrote to memory of 1624	1984	tyabv.exe	31
PID 1984 wrote to memory of 1624	1984	tyabv.exe	31
PID 1624 wrote to memory of 2892	1624	modepy.exe	34
PID 1624 wrote to memory of 2892	1624	modepy.exe	34
PID 1624 wrote to memory of 2892	1624	modepy.exe	34
PID 1624 wrote to memory of 2892	1624	modepy.exe	34
PID 1624 wrote to memory of 2356	1624	modepy.exe	35
PID 1624 wrote to memory of 2356	1624	modepy.exe	35
PID 1624 wrote to memory of 2356	1624	modepy.exe	35
PID 1624 wrote to memory of 2356	1624	modepy.exe	35

C:\Users\Admin\AppData\Local\Temp\217e40a87a7b58f96a71855d84417be0_exe32_JC.exe
"C:\Users\Admin\AppData\Local\Temp\217e40a87a7b58f96a71855d84417be0_exe32_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\tyabv.exe
  "C:\Users\Admin\AppData\Local\Temp\tyabv.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\modepy.exe
    "C:\Users\Admin\AppData\Local\Temp\modepy.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\moiva.exe
      "C:\Users\Admin\AppData\Local\Temp\moiva.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
e6e02f6998149c87ed777f5f9d717078

SHA1
baeef606e76d0d40edf0496f006bdd1872c16c1a

SHA256
75d3cf60b7d25a58ff6e48d270a7dced49a762f6cc8a6a128e2cb6b04af439d9

SHA512
c3f6afee236d010bc8736abe25a52bc1f8d8c0ae5f15dd2d7b90d793742a6bf1a1d547f8e669c6ba536e6e83c9ef4591864d3e622ef63d5fe2295efad7ab405b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
e6e02f6998149c87ed777f5f9d717078

SHA1
baeef606e76d0d40edf0496f006bdd1872c16c1a

SHA256
75d3cf60b7d25a58ff6e48d270a7dced49a762f6cc8a6a128e2cb6b04af439d9

SHA512
c3f6afee236d010bc8736abe25a52bc1f8d8c0ae5f15dd2d7b90d793742a6bf1a1d547f8e669c6ba536e6e83c9ef4591864d3e622ef63d5fe2295efad7ab405b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
294B

MD5
162ce3d9514831ed6f299cb3a0bf1b94

SHA1
7aeb39aa9a25bbc217e95d841b8d719332f6a554

SHA256
4faae3feb17c0f110a62bbdb83beac9b0f2a6a4f344862781bcda268d9947549

SHA512
101031ef4e6b523a826e7c47b38c4fa3c49c1e850517e5d73778e083a0bfc772ac0256c801f50192048060c795a253b5c0c5220dff8ae045b10eb8bf4c7fbdfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
294B

MD5
162ce3d9514831ed6f299cb3a0bf1b94

SHA1
7aeb39aa9a25bbc217e95d841b8d719332f6a554

SHA256
4faae3feb17c0f110a62bbdb83beac9b0f2a6a4f344862781bcda268d9947549

SHA512
101031ef4e6b523a826e7c47b38c4fa3c49c1e850517e5d73778e083a0bfc772ac0256c801f50192048060c795a253b5c0c5220dff8ae045b10eb8bf4c7fbdfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
090bea4afd5200d7b406b686f406db35

SHA1
d0099cd5de8b99e434ba669ff1735bf0bae4fba4

SHA256
9e9c2aad2398f878da996c4064ec46d27da9902deaee1e8202b16222bc3a8570

SHA512
1c11c16a1f8edce3f2d1f59ed268fef9ba0799fa5713d14d05f59736597daabb003245a8bc09a1ea01614dd3530417df4cbc495eed777244b2a295272fbbe52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\modepy.exe

Filesize
454KB

MD5
e6093d657971708c4d4aec1d91f367b9

SHA1
49f361d80d5d62f61c5390f29ab208dc036cc0f3

SHA256
1976de9a432c9cd8857c5df9a31ba3baad461fa215266769a222914f490b830e

SHA512
96f538995962fdc7e957d9924729158f4874f77c96cf9a686ae4d34512619a63e9ee27e688a024ae119668fc616f357d06bd12a15c90b6900c40cd2284b0d903

Download Submit
C:\Users\Admin\AppData\Local\Temp\modepy.exe

Filesize
454KB

MD5
e6093d657971708c4d4aec1d91f367b9

SHA1
49f361d80d5d62f61c5390f29ab208dc036cc0f3

SHA256
1976de9a432c9cd8857c5df9a31ba3baad461fa215266769a222914f490b830e

SHA512
96f538995962fdc7e957d9924729158f4874f77c96cf9a686ae4d34512619a63e9ee27e688a024ae119668fc616f357d06bd12a15c90b6900c40cd2284b0d903

Download Submit
C:\Users\Admin\AppData\Local\Temp\modepy.exe

Filesize
454KB

MD5
e6093d657971708c4d4aec1d91f367b9

SHA1
49f361d80d5d62f61c5390f29ab208dc036cc0f3

SHA256
1976de9a432c9cd8857c5df9a31ba3baad461fa215266769a222914f490b830e

SHA512
96f538995962fdc7e957d9924729158f4874f77c96cf9a686ae4d34512619a63e9ee27e688a024ae119668fc616f357d06bd12a15c90b6900c40cd2284b0d903

Download Submit
C:\Users\Admin\AppData\Local\Temp\moiva.exe

Filesize
223KB

MD5
48f214ff61a95eda81f6059f428eea8d

SHA1
cb96bcd5fce9a2197f7275ee97f6a432d2ca4b7f

SHA256
51abc9f6c767af362476824ac8e15909d4725969ea1c07259a7b16da703a0a9d

SHA512
2b1050163f902cd04445ab0c9ce8275c5f5a3f7070a9f34a3849495ae9a55899f7a68a206d59cd3f124f1e5e74386090b402f7c5bdec5c0648e022eb0cdf25a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyabv.exe

Filesize
454KB

MD5
9c1640cac62cae383f6aef9d336fd84f

SHA1
d77ea0973814af7293ec115ecee388df32054bd4

SHA256
8d6ef90c89e4274e079c630fc4791d7428a4a7b8521fa883d97173345fa51a5c

SHA512
73a220df5ba99c4e238757ec90bce6451b0a93e6090aba57ff2f588fcb4d511566fe04e248302f1780020071eb6b10a60c4aa34854a98a0ff60f2e25ec84d15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyabv.exe

Filesize
454KB

MD5
9c1640cac62cae383f6aef9d336fd84f

SHA1
d77ea0973814af7293ec115ecee388df32054bd4

SHA256
8d6ef90c89e4274e079c630fc4791d7428a4a7b8521fa883d97173345fa51a5c

SHA512
73a220df5ba99c4e238757ec90bce6451b0a93e6090aba57ff2f588fcb4d511566fe04e248302f1780020071eb6b10a60c4aa34854a98a0ff60f2e25ec84d15a

Download Submit
\Users\Admin\AppData\Local\Temp\modepy.exe

Filesize
454KB

MD5
e6093d657971708c4d4aec1d91f367b9

SHA1
49f361d80d5d62f61c5390f29ab208dc036cc0f3

SHA256
1976de9a432c9cd8857c5df9a31ba3baad461fa215266769a222914f490b830e

SHA512
96f538995962fdc7e957d9924729158f4874f77c96cf9a686ae4d34512619a63e9ee27e688a024ae119668fc616f357d06bd12a15c90b6900c40cd2284b0d903

Download Submit
\Users\Admin\AppData\Local\Temp\moiva.exe

Filesize
223KB

MD5
48f214ff61a95eda81f6059f428eea8d

SHA1
cb96bcd5fce9a2197f7275ee97f6a432d2ca4b7f

SHA256
51abc9f6c767af362476824ac8e15909d4725969ea1c07259a7b16da703a0a9d

SHA512
2b1050163f902cd04445ab0c9ce8275c5f5a3f7070a9f34a3849495ae9a55899f7a68a206d59cd3f124f1e5e74386090b402f7c5bdec5c0648e022eb0cdf25a1

Download Submit
\Users\Admin\AppData\Local\Temp\tyabv.exe

Filesize
454KB

MD5
9c1640cac62cae383f6aef9d336fd84f

SHA1
d77ea0973814af7293ec115ecee388df32054bd4

SHA256
8d6ef90c89e4274e079c630fc4791d7428a4a7b8521fa883d97173345fa51a5c

SHA512
73a220df5ba99c4e238757ec90bce6451b0a93e6090aba57ff2f588fcb4d511566fe04e248302f1780020071eb6b10a60c4aa34854a98a0ff60f2e25ec84d15a

Download Submit
memory/1624-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1624-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1624-46-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1624-36-0x00000000030E0000-0x0000000003180000-memory.dmp

Filesize
640KB

Download
memory/1984-10-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1984-25-0x0000000003050000-0x00000000030BE000-memory.dmp

Filesize
440KB

Download
memory/1984-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2324-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2324-20-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2892-47-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2892-48-0x0000000000370000-0x0000000000410000-memory.dmp

Filesize
640KB

Download
memory/2892-52-0x0000000000370000-0x0000000000410000-memory.dmp

Filesize
640KB

Download
memory/2892-53-0x0000000000370000-0x0000000000410000-memory.dmp

Filesize
640KB

Download
memory/2892-54-0x0000000000370000-0x0000000000410000-memory.dmp

Filesize
640KB

Download
memory/2892-55-0x0000000000370000-0x0000000000410000-memory.dmp

Filesize
640KB

Download
memory/2892-56-0x0000000000370000-0x0000000000410000-memory.dmp

Filesize
640KB

Download