urelas | 28d71402c52c0b3bb6fefd4d995cdc82f8e173c0a9e50eb690be37b228b46cfc

Analysis

max time kernel
122s
max time network
149s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6c79bd474d3d1e64feadfdd3692b2b30_exe32.exe
Size

208KB
MD5

6c79bd474d3d1e64feadfdd3692b2b30
SHA1

1ca7accb91742c19efb726434cb36a7b7c1e75b8
SHA256

28d71402c52c0b3bb6fefd4d995cdc82f8e173c0a9e50eb690be37b228b46cfc
SHA512

a754ed34912d545f39b39cbf8cbdf6c46631a9d2e6b5780ee6ad4727010f0237318179c8e161eb9b7f3d88ed6c19a67541b876a1cd273df5a3c7e8e50146ddbf
SSDEEP

1536:DuhL7dKJY/aTztv1UF7+RcbpP/iOOaDXl32oNIVelT2r9ZLzi/4kgg57lmKwrr5k:GBKBy7+8pCOH1ch9ZLqrwrr58V2pmZ

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
3048	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2068	waaqz.exe

Loads dropped DLL 5 IoCs

pid	Process
2856	6c79bd474d3d1e64feadfdd3692b2b30_exe32.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2668	2068	WerFault.exe	28

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2068	2856	6c79bd474d3d1e64feadfdd3692b2b30_exe32.exe	28
PID 2856 wrote to memory of 2068	2856	6c79bd474d3d1e64feadfdd3692b2b30_exe32.exe	28
PID 2856 wrote to memory of 2068	2856	6c79bd474d3d1e64feadfdd3692b2b30_exe32.exe	28
PID 2856 wrote to memory of 2068	2856	6c79bd474d3d1e64feadfdd3692b2b30_exe32.exe	28
PID 2856 wrote to memory of 3048	2856	6c79bd474d3d1e64feadfdd3692b2b30_exe32.exe	29
PID 2856 wrote to memory of 3048	2856	6c79bd474d3d1e64feadfdd3692b2b30_exe32.exe	29
PID 2856 wrote to memory of 3048	2856	6c79bd474d3d1e64feadfdd3692b2b30_exe32.exe	29
PID 2856 wrote to memory of 3048	2856	6c79bd474d3d1e64feadfdd3692b2b30_exe32.exe	29
PID 2068 wrote to memory of 2668	2068	waaqz.exe	33
PID 2068 wrote to memory of 2668	2068	waaqz.exe	33
PID 2068 wrote to memory of 2668	2068	waaqz.exe	33
PID 2068 wrote to memory of 2668	2068	waaqz.exe	33

C:\Users\Admin\AppData\Local\Temp\6c79bd474d3d1e64feadfdd3692b2b30_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\6c79bd474d3d1e64feadfdd3692b2b30_exe32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\waaqz.exe
  "C:\Users\Admin\AppData\Local\Temp\waaqz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 412
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
288B

MD5
c264646e85d9519350f32973a710032b

SHA1
ed5b9a66ebeb91279b7cea15b35ea742c7ae4a6a

SHA256
4391c33f967a8571dbff458e2ad15919acdd50c38d4a4310bb0dd29105c2c02c

SHA512
5eef1bff8d8692422b4fa363c718e8e46b4e855cf5a651bf2f0b20dd35f179314a154f9e9c269dc4d40c20bc74d6e0dd6a07777aea51ce4edf52880ebc37df9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
288B

MD5
c264646e85d9519350f32973a710032b

SHA1
ed5b9a66ebeb91279b7cea15b35ea742c7ae4a6a

SHA256
4391c33f967a8571dbff458e2ad15919acdd50c38d4a4310bb0dd29105c2c02c

SHA512
5eef1bff8d8692422b4fa363c718e8e46b4e855cf5a651bf2f0b20dd35f179314a154f9e9c269dc4d40c20bc74d6e0dd6a07777aea51ce4edf52880ebc37df9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d44bf4ca5466a41c01d71f84b0ab1453

SHA1
11c485e34f4e2f6f9e2e5f7c191be35d8023c4a3

SHA256
28049c9f651997db5afbda26a8d147a268d54a7bd6b5f2933a0c1ec224589f43

SHA512
029a4d4faf181e105fcb8ac5945089a3bb36b952cfac086366eb558154007203fe1a59aea70a109965901725955a0a440b00fd24d6152276f78ac13b53d897f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\waaqz.exe

Filesize
208KB

MD5
c77eaf4de20ad4ff1da49953cf531438

SHA1
e1447f1154326b0089dd2a37946a17c0ed1e7a69

SHA256
2e3669a57c64a852ad58e9a0792f71dab9364be00cac24a3fc9753377fa8000c

SHA512
4a823912d97241da9fa6b657175b0516471141725bc1fa0f87b9a90edb8bb72ef6fcb7043dbb5053b2dce19436a8fc2084fc674d77e10d45b3f39645297d328a

Download Submit
C:\Users\Admin\AppData\Local\Temp\waaqz.exe

Filesize
208KB

MD5
c77eaf4de20ad4ff1da49953cf531438

SHA1
e1447f1154326b0089dd2a37946a17c0ed1e7a69

SHA256
2e3669a57c64a852ad58e9a0792f71dab9364be00cac24a3fc9753377fa8000c

SHA512
4a823912d97241da9fa6b657175b0516471141725bc1fa0f87b9a90edb8bb72ef6fcb7043dbb5053b2dce19436a8fc2084fc674d77e10d45b3f39645297d328a

Download Submit
\Users\Admin\AppData\Local\Temp\waaqz.exe

Filesize
208KB

MD5
c77eaf4de20ad4ff1da49953cf531438

SHA1
e1447f1154326b0089dd2a37946a17c0ed1e7a69

SHA256
2e3669a57c64a852ad58e9a0792f71dab9364be00cac24a3fc9753377fa8000c

SHA512
4a823912d97241da9fa6b657175b0516471141725bc1fa0f87b9a90edb8bb72ef6fcb7043dbb5053b2dce19436a8fc2084fc674d77e10d45b3f39645297d328a

Download Submit
\Users\Admin\AppData\Local\Temp\waaqz.exe

Filesize
208KB

MD5
c77eaf4de20ad4ff1da49953cf531438

SHA1
e1447f1154326b0089dd2a37946a17c0ed1e7a69

SHA256
2e3669a57c64a852ad58e9a0792f71dab9364be00cac24a3fc9753377fa8000c

SHA512
4a823912d97241da9fa6b657175b0516471141725bc1fa0f87b9a90edb8bb72ef6fcb7043dbb5053b2dce19436a8fc2084fc674d77e10d45b3f39645297d328a

Download Submit
\Users\Admin\AppData\Local\Temp\waaqz.exe

Filesize
208KB

MD5
c77eaf4de20ad4ff1da49953cf531438

SHA1
e1447f1154326b0089dd2a37946a17c0ed1e7a69

SHA256
2e3669a57c64a852ad58e9a0792f71dab9364be00cac24a3fc9753377fa8000c

SHA512
4a823912d97241da9fa6b657175b0516471141725bc1fa0f87b9a90edb8bb72ef6fcb7043dbb5053b2dce19436a8fc2084fc674d77e10d45b3f39645297d328a

Download Submit
\Users\Admin\AppData\Local\Temp\waaqz.exe

Filesize
208KB

MD5
c77eaf4de20ad4ff1da49953cf531438

SHA1
e1447f1154326b0089dd2a37946a17c0ed1e7a69

SHA256
2e3669a57c64a852ad58e9a0792f71dab9364be00cac24a3fc9753377fa8000c

SHA512
4a823912d97241da9fa6b657175b0516471141725bc1fa0f87b9a90edb8bb72ef6fcb7043dbb5053b2dce19436a8fc2084fc674d77e10d45b3f39645297d328a

Download Submit
\Users\Admin\AppData\Local\Temp\waaqz.exe

Filesize
208KB

MD5
c77eaf4de20ad4ff1da49953cf531438

SHA1
e1447f1154326b0089dd2a37946a17c0ed1e7a69

SHA256
2e3669a57c64a852ad58e9a0792f71dab9364be00cac24a3fc9753377fa8000c

SHA512
4a823912d97241da9fa6b657175b0516471141725bc1fa0f87b9a90edb8bb72ef6fcb7043dbb5053b2dce19436a8fc2084fc674d77e10d45b3f39645297d328a

Download Submit
memory/2068-21-0x00000000003D0000-0x0000000000406000-memory.dmp

Filesize
216KB

Download
memory/2068-10-0x00000000003D0000-0x0000000000406000-memory.dmp

Filesize
216KB

Download
memory/2856-0-0x00000000008F0000-0x0000000000926000-memory.dmp

Filesize
216KB

Download
memory/2856-18-0x00000000008F0000-0x0000000000926000-memory.dmp

Filesize
216KB

Download
memory/2856-5-0x00000000008B0000-0x00000000008E6000-memory.dmp

Filesize
216KB

Download