urelas | 80a336845b1abc6b88bf47887b56344b8859a5a289fe3f037ea70e7b9e466280

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cde09a0f2b6d648cc015d8daac07a440.exe
Size

49KB
MD5

cde09a0f2b6d648cc015d8daac07a440
SHA1

72eeb73ffd274e997234b2a681536f1f76e88600
SHA256

80a336845b1abc6b88bf47887b56344b8859a5a289fe3f037ea70e7b9e466280
SHA512

f47472a77a014ac647a4ecd80f7c8e90b20f359371d529b4d51defbda05e3b435b442f15fa2800df1d5102a5a06b36f56e82a3ef67a50727da13bfc94a9bbfae
SSDEEP

1536:834/PC7Ruz3hRXRASULZ6JKYdbzcmhCZnt:It7R8fU6n8t

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2088	mokdhft.exe

Loads dropped DLL 1 IoCs

pid	Process
2184	cde09a0f2b6d648cc015d8daac07a440.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2088	2184	cde09a0f2b6d648cc015d8daac07a440.exe	28
PID 2184 wrote to memory of 2088	2184	cde09a0f2b6d648cc015d8daac07a440.exe	28
PID 2184 wrote to memory of 2088	2184	cde09a0f2b6d648cc015d8daac07a440.exe	28
PID 2184 wrote to memory of 2088	2184	cde09a0f2b6d648cc015d8daac07a440.exe	28
PID 2184 wrote to memory of 2808	2184	cde09a0f2b6d648cc015d8daac07a440.exe	29
PID 2184 wrote to memory of 2808	2184	cde09a0f2b6d648cc015d8daac07a440.exe	29
PID 2184 wrote to memory of 2808	2184	cde09a0f2b6d648cc015d8daac07a440.exe	29
PID 2184 wrote to memory of 2808	2184	cde09a0f2b6d648cc015d8daac07a440.exe	29

C:\Users\Admin\AppData\Local\Temp\cde09a0f2b6d648cc015d8daac07a440.exe
"C:\Users\Admin\AppData\Local\Temp\cde09a0f2b6d648cc015d8daac07a440.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\mokdhft.exe
  "C:\Users\Admin\AppData\Local\Temp\mokdhft.exe"
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
39e55c2b5135dd669ad371cc03d79fc2

SHA1
d027fea84a269f8e556dfb5411ac3d01b9311017

SHA256
ecf7b9f0150af34b1d09f4602f0acf31445ff28e40b2411b0e32180bb8672919

SHA512
e75942d900b97d254097d8a44bfde16bdc99cc0f124541316a0987b2fb5433b7b1f12d4eff8b47d05e9068e7a038e4dd92998646448dcb0d6615a81a561ef280

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
274B

MD5
5cd2e6ce28567c670df35bc387afeba5

SHA1
b0e294672613abe281fb3a62472d81fb355fb4d8

SHA256
7f4e711b2d28d13e284e2aa4aa2ebc2e21869b3bc5b46387936e6c8422ca1977

SHA512
f5e5982d1abf53c0bd67c497abcc41b8816dad4b21747de3e18ae40da520a83250b6057a6273d5008665fe16411761f4d628d9d0fb69756f9ed8da486f48dc71

Download Submit
\Users\Admin\AppData\Local\Temp\mokdhft.exe

Filesize
49KB

MD5
b73f4e9951eee2d72070446982e23926

SHA1
2f4ec1b4d7944313a3f2885386e7d7a9b2e5cd18

SHA256
5e0b17e95d025b360173db6a79428e2f3f6834a05610b367fd69b23f3bf4e34b

SHA512
9a05b1254a8dda4c80c8abf7ea44b1d17aec87267e4d71ab69b514bd9515a5082f651d0834864cdb0cc4b4267c9e20524e7a4a66d475e342514446c69818d739

Download Submit
memory/2088-10-0x0000000000A00000-0x0000000000A33000-memory.dmp

Filesize
204KB

Download
memory/2088-21-0x0000000000A00000-0x0000000000A33000-memory.dmp

Filesize
204KB

Download
memory/2088-23-0x0000000000A00000-0x0000000000A33000-memory.dmp

Filesize
204KB

Download
memory/2088-29-0x0000000000A00000-0x0000000000A33000-memory.dmp

Filesize
204KB

Download
memory/2184-0-0x0000000000A80000-0x0000000000AB3000-memory.dmp

Filesize
204KB

Download
memory/2184-6-0x0000000000A00000-0x0000000000A33000-memory.dmp

Filesize
204KB

Download
memory/2184-18-0x0000000000A80000-0x0000000000AB3000-memory.dmp

Filesize
204KB

Download