Overview

overview

10

Static

static

10

ce8ca87ec8...34.exe

windows7-x64

10

ce8ca87ec8...34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2023 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce8ca87ec8f90c74e6429e34ff62d534.exe

  • Size

    466KB

  • MD5

    ce8ca87ec8f90c74e6429e34ff62d534

  • SHA1

    2931ddec82c06082915984d15e4ce0eaf5df078d

  • SHA256

    05de7b25da85a683fe61ccb27ba33cd82852ee1feb615e05d9afbe066d247cd5

  • SHA512

    f8b07d16f04c0b1bfe4219cbe61efabec68112a3699d49483fcccfafe07734c6cd7310b85c1b395f327655b0efcb3c879b6627b4da83ea92d9fc4871a12490d1

  • SSDEEP

    12288:Y6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UP:Y6tQCG0UUPzEkTn4AC1+0

Score
10/10
urelastrojanupx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce8ca87ec8f90c74e6429e34ff62d534.exe
    "C:\Users\Admin\AppData\Local\Temp\ce8ca87ec8f90c74e6429e34ff62d534.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
      2⤵
      • Deletes itself
      PID:2712
    • C:\Users\Admin\AppData\Local\Temp\newif.exe
      "C:\Users\Admin\AppData\Local\Temp\newif.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Users\Admin\AppData\Local\Temp\maelp.exe
        "C:\Users\Admin\AppData\Local\Temp\maelp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3044

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
    Filesize

    276B

    MD5

    83f487c832730dc208a15313da5df2dc

    SHA1

    232367be1ee8a820f7f7254a5d66148798abcff3

    SHA256

    7cc79edc6e53336cb43320abc2b837db7ebea0e5d73b337967ab0cd2ceba6db1

    SHA512

    6ff3f1805e7f344e1aa3f5b51405ef1a7efff7d8879b2b81814c1d37449de7ac461da438b890270176301591963e149310e72b08d02b601a606dfc50a16ce617

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    5ad670e9b8a28f4662981b69743effd1

    SHA1

    888bc4694786734f486596988a8fa8e096939236

    SHA256

    b5bb753c8a1461f21838ac9cc45d7a27f28e7ab65917444a71bdb561629f8f5b

    SHA512

    475144d9732a8cc14e25609d26ef4c17579270beef4bae8741cddeb036aad0cf77d7803d23bf769af607b439ce2619234535273eb05b6cc049bd3607a9f9a12a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\newif.exe
    Filesize

    466KB

    MD5

    43bf2011f1462adbc00356f47a58997a

    SHA1

    d0a4aebcd0ee37d7c51c47d7dd207db15d0f26af

    SHA256

    c568fa7877b1d7bc260abcd99b7bc8b1eace48b767ab76228db3c23e5cfefea8

    SHA512

    eac2c2737aa425ffcac3adb1e169ec8c10e23f5505c63ce5637ed79454ab056afb832662c9d7423917b3c5a99be2e8aa81a768223a7adc48f2f2152c76543eb4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\newif.exe
    Filesize

    99KB

    MD5

    ad5fc41a6a940c9419dea8f81c8f7d3b

    SHA1

    dee03c8ecd220b9dbd7e7a1f0e218c994e74640b

    SHA256

    60370bf326c4ee1bed114e5d7f6fbb04b43be4aeb225b9ae775c7cdb11d7725f

    SHA512

    061ed7c8f46e10b57517162078afad35f5916dfb9b6e59ab6d90ebdcd189e83f9ccf21ab274400f0f0bb22cfce7623175118e2e371de41ef2c46a6fa1708472e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\maelp.exe
    Filesize

    198KB

    MD5

    df505805b585ec194ee8e771782aaaac

    SHA1

    b725ad1e177f5167ad1044f9070cf2d8afef4932

    SHA256

    27b8ed55f9319459a3af4efbfcd9545aa01e80205d4cc5879bedfd2e78e56e96

    SHA512

    93313fa21c28bf149f24c33ce417a5929c0a884f11bcd298747b78ff81cd9148e1125d569ea389ded158e44cb0f4d014f77ae385c4f513eb89f361305d00778d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\newif.exe
    Filesize

    39KB

    MD5

    d4655025bb4d7745d7e9af03aaa8e184

    SHA1

    2faa5e27c59d40c00e2c7a35cc0441df0f4914c0

    SHA256

    209a95f27d84420eee9ce8c5887e91d6228a63864a9f31bbfa5bba316bf56e77

    SHA512

    2aa9e5740495fe61d717f0a43085f1f798cb0fe35b9b0c224c5ce13fb11724e6ba104599248b049f53879966337edd2d3a90a554231da2accec97a78c25119b4

    Download Submit

  • memory/2732-24-0x0000000003880000-0x000000000391F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2732-16-0x0000000000C40000-0x0000000000CBC000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2732-28-0x0000000000C40000-0x0000000000CBC000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2772-0-0x0000000000DA0000-0x0000000000E1C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2772-18-0x0000000000DA0000-0x0000000000E1C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2772-9-0x0000000000C00000-0x0000000000C7C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/3044-29-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/3044-31-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/3044-32-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/3044-33-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/3044-34-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/3044-35-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/3044-36-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download