urelas | 05904c17e02ba3dcefffdd3a43099c74db1feab4b8d6995df40701ff8f271f22

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cc645f3795787ffe14542e823b3ff9f0_exe32.exe
Size

322KB
MD5

cc645f3795787ffe14542e823b3ff9f0
SHA1

37218d2ccebf3cb852c5b25e95a9b3f65c4b4099
SHA256

05904c17e02ba3dcefffdd3a43099c74db1feab4b8d6995df40701ff8f271f22
SHA512

208dc1f787450ef825ec4c37b694dac518b070d7e311590cd6ec7472d23cd94100747e0ed38698c7dfa2976443646fde1e83d897bf99ea1cd49178b5df2b0900
SSDEEP

6144:sY4zSop9m06QbGTCnTRoOIH3FPA7AthtLpe:PkXpd6jqiOIHZA3

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
1084	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1332	oxkeq.exe
2744	teuwmo.exe
1016	foguj.exe

Loads dropped DLL 3 IoCs

pid	Process
2012	cc645f3795787ffe14542e823b3ff9f0_exe32.exe
1332	oxkeq.exe
2744	teuwmo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe
1016	foguj.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1332	2012	cc645f3795787ffe14542e823b3ff9f0_exe32.exe	31
PID 2012 wrote to memory of 1332	2012	cc645f3795787ffe14542e823b3ff9f0_exe32.exe	31
PID 2012 wrote to memory of 1332	2012	cc645f3795787ffe14542e823b3ff9f0_exe32.exe	31
PID 2012 wrote to memory of 1332	2012	cc645f3795787ffe14542e823b3ff9f0_exe32.exe	31
PID 2012 wrote to memory of 1084	2012	cc645f3795787ffe14542e823b3ff9f0_exe32.exe	30
PID 2012 wrote to memory of 1084	2012	cc645f3795787ffe14542e823b3ff9f0_exe32.exe	30
PID 2012 wrote to memory of 1084	2012	cc645f3795787ffe14542e823b3ff9f0_exe32.exe	30
PID 2012 wrote to memory of 1084	2012	cc645f3795787ffe14542e823b3ff9f0_exe32.exe	30
PID 1332 wrote to memory of 2744	1332	oxkeq.exe	29
PID 1332 wrote to memory of 2744	1332	oxkeq.exe	29
PID 1332 wrote to memory of 2744	1332	oxkeq.exe	29
PID 1332 wrote to memory of 2744	1332	oxkeq.exe	29
PID 2744 wrote to memory of 1016	2744	teuwmo.exe	34
PID 2744 wrote to memory of 1016	2744	teuwmo.exe	34
PID 2744 wrote to memory of 1016	2744	teuwmo.exe	34
PID 2744 wrote to memory of 1016	2744	teuwmo.exe	34
PID 2744 wrote to memory of 1968	2744	teuwmo.exe	36
PID 2744 wrote to memory of 1968	2744	teuwmo.exe	36
PID 2744 wrote to memory of 1968	2744	teuwmo.exe	36
PID 2744 wrote to memory of 1968	2744	teuwmo.exe	36

C:\Users\Admin\AppData\Local\Temp\cc645f3795787ffe14542e823b3ff9f0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\cc645f3795787ffe14542e823b3ff9f0_exe32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:1084
- C:\Users\Admin\AppData\Local\Temp\oxkeq.exe
  "C:\Users\Admin\AppData\Local\Temp\oxkeq.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1332

C:\Users\Admin\AppData\Local\Temp\teuwmo.exe
"C:\Users\Admin\AppData\Local\Temp\teuwmo.exe" OK
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\foguj.exe
  "C:\Users\Admin\AppData\Local\Temp\foguj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
288B

MD5
cc0ba83365c689d704d4e5abd9f04b73

SHA1
c243c35589d5f11dba89baa86f1bbce93a750e35

SHA256
69125f611932d39d05bf3e4dfdac9c92af72fe1b466b5a146f09c25c4f9b24b7

SHA512
71527de4aac276c7ad4a2c107a8020c428872195a40c94fc001dd8fa2013eb5d188e85e8eb33f4ebef45b090c0a9d48d863e21637bf534c6e24440645c7eff78

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
288B

MD5
cc0ba83365c689d704d4e5abd9f04b73

SHA1
c243c35589d5f11dba89baa86f1bbce93a750e35

SHA256
69125f611932d39d05bf3e4dfdac9c92af72fe1b466b5a146f09c25c4f9b24b7

SHA512
71527de4aac276c7ad4a2c107a8020c428872195a40c94fc001dd8fa2013eb5d188e85e8eb33f4ebef45b090c0a9d48d863e21637bf534c6e24440645c7eff78

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
3c319ca646a8fb28413a5523da58555e

SHA1
f93869593e1aad78100405061a12a88eaffdf3aa

SHA256
8de38d0bcc3a856e2df5551e22f50433f330222df610a94d528bafdfd92ad03b

SHA512
0e2042918da6fea4c83d235b8432bf2448e99068fa27783a1ffdd98f5b69ef98b18521ff21aaae77c49e45b84ce808fc62532b5d0559906e739e04d4edea2c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
3c319ca646a8fb28413a5523da58555e

SHA1
f93869593e1aad78100405061a12a88eaffdf3aa

SHA256
8de38d0bcc3a856e2df5551e22f50433f330222df610a94d528bafdfd92ad03b

SHA512
0e2042918da6fea4c83d235b8432bf2448e99068fa27783a1ffdd98f5b69ef98b18521ff21aaae77c49e45b84ce808fc62532b5d0559906e739e04d4edea2c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\foguj.exe

Filesize
223KB

MD5
4f5b570ddc039800f10ac353d15d90bc

SHA1
c00165976c4d48020f54b92f69102c0cf172145f

SHA256
cfe286eec5ad6d49cc3fc4a4d03761220eed12f84cbd0ac44c963201d73857c4

SHA512
96a895bb323bea3b5b65131ae7ec068ec5076e0f29676750e0b5d225b2c7eac033cb90acae7e6b26e7bae4d40e7ee3a9b80c41fbe667eddec361bbf227427ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9261e1f4d21502fea99daf14aaa921b5

SHA1
24887240ea2cad56d4ed47af6f59d358598c6090

SHA256
dc347fee9e0e1d5b36c4a8253588d6a040c72d488417e77c040b88697c895398

SHA512
0f667bd25ca1a2f6338f8a21aa5e2ca1db32509ea25d35a1a6e1f9b5276ac5a50fcd30a911727b44a31b81708930e473b385832ca077d92c1b30829394aa7d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxkeq.exe

Filesize
323KB

MD5
45467952bcf2e4551a705eecb8f43fcf

SHA1
b2fecbef05878e6cb44807503e971772c59db19a

SHA256
631b0012184cdf9bdbd3d68010ea32aee9490cc6cf7b07fd31d509ef0401ba07

SHA512
142c9318ab63f2e81ef6191cffae707df33fef7e1a8940e02269f0dad35a8987bd04f6247a20537b021a3b1d03042d3b0a58b1af26af1e81539e203554af1a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxkeq.exe

Filesize
323KB

MD5
45467952bcf2e4551a705eecb8f43fcf

SHA1
b2fecbef05878e6cb44807503e971772c59db19a

SHA256
631b0012184cdf9bdbd3d68010ea32aee9490cc6cf7b07fd31d509ef0401ba07

SHA512
142c9318ab63f2e81ef6191cffae707df33fef7e1a8940e02269f0dad35a8987bd04f6247a20537b021a3b1d03042d3b0a58b1af26af1e81539e203554af1a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\teuwmo.exe

Filesize
323KB

MD5
9792977a603376321acc2f098e8f1113

SHA1
7d37629c85295660b8c6b8bb974def0a6ecafd62

SHA256
e45ede93e429c4f04a51a52664277f141057d24e11c115d7edaf0cc675759365

SHA512
c40006090d28fab79a73eaa567fa99a6b8b4070eb10f80a3c3c77d04935a96557f07721dd0e95c80798a3a059cc54dcaac4cbd9caa315feffa36c7da04fa55b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\teuwmo.exe

Filesize
323KB

MD5
9792977a603376321acc2f098e8f1113

SHA1
7d37629c85295660b8c6b8bb974def0a6ecafd62

SHA256
e45ede93e429c4f04a51a52664277f141057d24e11c115d7edaf0cc675759365

SHA512
c40006090d28fab79a73eaa567fa99a6b8b4070eb10f80a3c3c77d04935a96557f07721dd0e95c80798a3a059cc54dcaac4cbd9caa315feffa36c7da04fa55b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\teuwmo.exe

Filesize
323KB

MD5
9792977a603376321acc2f098e8f1113

SHA1
7d37629c85295660b8c6b8bb974def0a6ecafd62

SHA256
e45ede93e429c4f04a51a52664277f141057d24e11c115d7edaf0cc675759365

SHA512
c40006090d28fab79a73eaa567fa99a6b8b4070eb10f80a3c3c77d04935a96557f07721dd0e95c80798a3a059cc54dcaac4cbd9caa315feffa36c7da04fa55b3

Download Submit
\Users\Admin\AppData\Local\Temp\foguj.exe

Filesize
223KB

MD5
4f5b570ddc039800f10ac353d15d90bc

SHA1
c00165976c4d48020f54b92f69102c0cf172145f

SHA256
cfe286eec5ad6d49cc3fc4a4d03761220eed12f84cbd0ac44c963201d73857c4

SHA512
96a895bb323bea3b5b65131ae7ec068ec5076e0f29676750e0b5d225b2c7eac033cb90acae7e6b26e7bae4d40e7ee3a9b80c41fbe667eddec361bbf227427ab7

Download Submit
\Users\Admin\AppData\Local\Temp\oxkeq.exe

Filesize
323KB

MD5
45467952bcf2e4551a705eecb8f43fcf

SHA1
b2fecbef05878e6cb44807503e971772c59db19a

SHA256
631b0012184cdf9bdbd3d68010ea32aee9490cc6cf7b07fd31d509ef0401ba07

SHA512
142c9318ab63f2e81ef6191cffae707df33fef7e1a8940e02269f0dad35a8987bd04f6247a20537b021a3b1d03042d3b0a58b1af26af1e81539e203554af1a20

Download Submit
\Users\Admin\AppData\Local\Temp\teuwmo.exe

Filesize
323KB

MD5
9792977a603376321acc2f098e8f1113

SHA1
7d37629c85295660b8c6b8bb974def0a6ecafd62

SHA256
e45ede93e429c4f04a51a52664277f141057d24e11c115d7edaf0cc675759365

SHA512
c40006090d28fab79a73eaa567fa99a6b8b4070eb10f80a3c3c77d04935a96557f07721dd0e95c80798a3a059cc54dcaac4cbd9caa315feffa36c7da04fa55b3

Download Submit
memory/1016-63-0x0000000000A80000-0x0000000000B20000-memory.dmp

Filesize
640KB

Download
memory/1016-62-0x0000000000A80000-0x0000000000B20000-memory.dmp

Filesize
640KB

Download
memory/1016-61-0x0000000000A80000-0x0000000000B20000-memory.dmp

Filesize
640KB

Download
memory/1016-60-0x0000000000A80000-0x0000000000B20000-memory.dmp

Filesize
640KB

Download
memory/1016-59-0x0000000000A80000-0x0000000000B20000-memory.dmp

Filesize
640KB

Download
memory/1016-56-0x0000000000A80000-0x0000000000B20000-memory.dmp

Filesize
640KB

Download
memory/1016-54-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1332-15-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1332-30-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2012-5-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2012-2-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2012-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2012-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2012-1-0x00000000006E0000-0x0000000000723000-memory.dmp

Filesize
268KB

Download
memory/2744-32-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/2744-44-0x0000000002E80000-0x0000000002F20000-memory.dmp

Filesize
640KB

Download
memory/2744-53-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2744-34-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2744-35-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2744-36-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/2744-37-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download