urelas | 43a6dbabf9d91478c9763b315004b2066d4f8dd539c223a0813cbba409253c96

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97aab0a912875f65ae91d3d67e5b4541.exe
Size

441KB
MD5

97aab0a912875f65ae91d3d67e5b4541
SHA1

dff953da77d139e9f7ecd6292d548d1df0cf46cf
SHA256

43a6dbabf9d91478c9763b315004b2066d4f8dd539c223a0813cbba409253c96
SHA512

23c9033497f6337811e878f24b43a64f6e3065699d60d31b803b93796988ec186ecfe69c699b11da5322efe0e4f8da7cd5c4c198009db8149315f63f47e40714
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMRJ2:rKf1PyKa2H3hOHOHz9JQ6zBGI

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
1568	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2928	ebdap.exe
2436	coron.exe

Loads dropped DLL 2 IoCs

pid	Process
2992	97aab0a912875f65ae91d3d67e5b4541.exe
2928	ebdap.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe
2436	coron.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2928	2992	97aab0a912875f65ae91d3d67e5b4541.exe	28
PID 2992 wrote to memory of 2928	2992	97aab0a912875f65ae91d3d67e5b4541.exe	28
PID 2992 wrote to memory of 2928	2992	97aab0a912875f65ae91d3d67e5b4541.exe	28
PID 2992 wrote to memory of 2928	2992	97aab0a912875f65ae91d3d67e5b4541.exe	28
PID 2992 wrote to memory of 1568	2992	97aab0a912875f65ae91d3d67e5b4541.exe	29
PID 2992 wrote to memory of 1568	2992	97aab0a912875f65ae91d3d67e5b4541.exe	29
PID 2992 wrote to memory of 1568	2992	97aab0a912875f65ae91d3d67e5b4541.exe	29
PID 2992 wrote to memory of 1568	2992	97aab0a912875f65ae91d3d67e5b4541.exe	29
PID 2928 wrote to memory of 2436	2928	ebdap.exe	33
PID 2928 wrote to memory of 2436	2928	ebdap.exe	33
PID 2928 wrote to memory of 2436	2928	ebdap.exe	33
PID 2928 wrote to memory of 2436	2928	ebdap.exe	33

C:\Users\Admin\AppData\Local\Temp\97aab0a912875f65ae91d3d67e5b4541.exe
"C:\Users\Admin\AppData\Local\Temp\97aab0a912875f65ae91d3d67e5b4541.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\ebdap.exe
  "C:\Users\Admin\AppData\Local\Temp\ebdap.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\coron.exe
    "C:\Users\Admin\AppData\Local\Temp\coron.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
c162196d272eab5db2945ec942a7b4e2

SHA1
16d11ddc66f802728d038737c937b76012f80399

SHA256
a82f0f80b474198dc2df109cf253f3c7fa5d2c3048897eb80a5acf56629058fc

SHA512
fb2edfed35fe95cadc67e60348c70ff569d02b7822a22deb44b71016d3891a3b0530976ad963958a1ffb52e3e46ff13aa43b114ce10df28475106e4601e8df64

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3cf17e82063dc29fc1c36ab4cecb3ef8

SHA1
4d4ddbc0fee563e57d628d89d5b1c7aa38507ce6

SHA256
50607138cf82e18b2c1f3a272a3828dd143e6dcbd1275c2da0914becccb0201a

SHA512
8b4c9703dc6dddb6b461bcdf7e852aacd5972202e3bceda44340b393d024c596bf1efc021d8234e69d37aaaa62fa951a511b3b05d3c9b0ed13fe0979c8cb07db

Download Submit
\Users\Admin\AppData\Local\Temp\coron.exe

Filesize
230KB

MD5
57dc73312222d08651864c63b50db71f

SHA1
f05c37fef3c371afc944fa69b0c8ecee6b58fe54

SHA256
ccfc3f9eb8c28022b128ef320480ce8db65f5f8a2073b2abbed0b0bc35165375

SHA512
6daaa1c0a2022dd84f220696a87630d6232f260421c6708e45e7239f41dab91bb92bc94492b44426f0f78dd76a2b5b3b9496c2796adf149bc5188f74db8e396c

Download Submit
\Users\Admin\AppData\Local\Temp\ebdap.exe

Filesize
441KB

MD5
8fffeb4ff37773249dfd76e3b38c631c

SHA1
73b28977a19d456b6e2ea5eac81d7a3501e1354d

SHA256
40616656647bb8381db1d7ff0aa8205359f38731e96bae52b67b01b28e362dfb

SHA512
f115afdbc0eb02f5044fc6524749a61c914c62560af63fd64579a98b3a684caf24685c52168a664505bc973e164c49358bf2ccd0f3dfc506b3081847fa8f044d

Download Submit
memory/2436-32-0x0000000000070000-0x000000000010E000-memory.dmp

Filesize
632KB

Download
memory/2436-29-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2436-28-0x0000000000070000-0x000000000010E000-memory.dmp

Filesize
632KB

Download
memory/2436-31-0x0000000000070000-0x000000000010E000-memory.dmp

Filesize
632KB

Download
memory/2436-33-0x0000000000070000-0x000000000010E000-memory.dmp

Filesize
632KB

Download
memory/2436-34-0x0000000000070000-0x000000000010E000-memory.dmp

Filesize
632KB

Download
memory/2436-35-0x0000000000070000-0x000000000010E000-memory.dmp

Filesize
632KB

Download
memory/2928-24-0x0000000003330000-0x00000000033CE000-memory.dmp

Filesize
632KB

Download
memory/2928-27-0x0000000000A30000-0x0000000000A9E000-memory.dmp

Filesize
440KB

Download
memory/2992-17-0x00000000009D0000-0x0000000000A3E000-memory.dmp

Filesize
440KB

Download
memory/2992-6-0x0000000001EA0000-0x0000000001F0E000-memory.dmp

Filesize
440KB

Download
memory/2992-0-0x00000000009D0000-0x0000000000A3E000-memory.dmp

Filesize
440KB

Download