urelas | b7f9d23a79a3584615b96aad5335707ca944ac2306c1c9d5558abd91bcb9d1ec

Analysis

max time kernel
151s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4790440ba0e67149cff353930fb72ac7.exe
Size

535KB
MD5

4790440ba0e67149cff353930fb72ac7
SHA1

8124005da70ff24dbc969f0b85b81ee741727676
SHA256

b7f9d23a79a3584615b96aad5335707ca944ac2306c1c9d5558abd91bcb9d1ec
SHA512

1a4672d90139b23328714192e5522fde6d4f5cc89d8671200112f7266889ca625637412de77007d0ba5779f0e08d6a4f2e97e294ef88d9b1b448f164bdfb2af1
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP6:q0P/k4lb2wKat6

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2728	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2716	uznoe.exe
2244	tohip.exe

Loads dropped DLL 2 IoCs

pid	Process
2140	4790440ba0e67149cff353930fb72ac7.exe
2716	uznoe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe
2244	tohip.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2716	2140	4790440ba0e67149cff353930fb72ac7.exe	28
PID 2140 wrote to memory of 2716	2140	4790440ba0e67149cff353930fb72ac7.exe	28
PID 2140 wrote to memory of 2716	2140	4790440ba0e67149cff353930fb72ac7.exe	28
PID 2140 wrote to memory of 2716	2140	4790440ba0e67149cff353930fb72ac7.exe	28
PID 2140 wrote to memory of 2728	2140	4790440ba0e67149cff353930fb72ac7.exe	29
PID 2140 wrote to memory of 2728	2140	4790440ba0e67149cff353930fb72ac7.exe	29
PID 2140 wrote to memory of 2728	2140	4790440ba0e67149cff353930fb72ac7.exe	29
PID 2140 wrote to memory of 2728	2140	4790440ba0e67149cff353930fb72ac7.exe	29
PID 2716 wrote to memory of 2244	2716	uznoe.exe	33
PID 2716 wrote to memory of 2244	2716	uznoe.exe	33
PID 2716 wrote to memory of 2244	2716	uznoe.exe	33
PID 2716 wrote to memory of 2244	2716	uznoe.exe	33

C:\Users\Admin\AppData\Local\Temp\4790440ba0e67149cff353930fb72ac7.exe
"C:\Users\Admin\AppData\Local\Temp\4790440ba0e67149cff353930fb72ac7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\uznoe.exe
  "C:\Users\Admin\AppData\Local\Temp\uznoe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\tohip.exe
    "C:\Users\Admin\AppData\Local\Temp\tohip.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
2de8bd8ef928282f9b1cfbf93a083273

SHA1
cc4b509f7325757f98d1ac05ba184f73af1b3703

SHA256
6cb160ca622a405c4ffe48c0dd543e6d09e876b4698f826c144303d7baee76ad

SHA512
af56ec60fb64dec494c870be4c9e0ffa522fea4c67f95b182a98dc70e323b313515c6fbf03d0b515b9e9bc2e6b058673086371f8d5d6a6fee946f3263f34c2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
391a3db4ab8080716921904336a434f5

SHA1
40b06e5b6bb2ad02d9b665b7d494ad7396d1b82a

SHA256
3a1ecea21b13177107e68783e4f3854c56314792af8acfa3eb023532011ba284

SHA512
8a3245020c6efcd76703cc276d2cb5602bc927d61bdb4af4d46383136560de22ed59874cc0326afea43ff29a01ede882133e4772c1de6d1328c3bcfc7213dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\uznoe.exe

Filesize
535KB

MD5
c731a50087d776d4f8a4bf8dbfbb676e

SHA1
239400cf547996805bd2e488fcf7a02a2994891d

SHA256
85b73edb06c64aee56fc0756e1f3fb5c2027c04deff5e614dcc0385edf68260f

SHA512
ff2a0a13d33f638af533f27dcca347baa6e9169ed694633133b9864d91c6c04b52c5713ff00403a31ca3392bf3c5b3abe0e72aab1924c93f7f16436d41c47069

Download Submit
\Users\Admin\AppData\Local\Temp\tohip.exe

Filesize
236KB

MD5
7c36d7a9b3377ed54539cb0d40286549

SHA1
be7cc8e58ce747a35c66f64df10de59e7a9c5821

SHA256
2f0630229fc11ce6926540c836005d44e288e4f95c98c11d667412f18253c14a

SHA512
77031e9a02bc9140c3406c81d75d8d3a8fb0baefe16b74fcee9d52e2243748c3f3030e1101c974603d67a252eecb46935ae13e4a7b241805f4c771243bbe8d3d

Download Submit
\Users\Admin\AppData\Local\Temp\uznoe.exe

Filesize
535KB

MD5
733be7d522b2729198079932c6b7b708

SHA1
0be20c28cc9d6c25a739cd5652c977e5d71d24ec

SHA256
c4225715de152192d4b1e6020bad8a7431a2617839d13d48d637a07d5e167942

SHA512
1de04b5ea9ccd9c3dd5e628ce821fd70539e94305e8891f9ccc3c9aed83dfe63234d585662e071c3d3c62d861d961d9f6f4934de35fce3b399903aecac8d4764

Download Submit
memory/2140-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2140-18-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2140-8-0x0000000002640000-0x00000000026CC000-memory.dmp

Filesize
560KB

Download
memory/2244-29-0x0000000000BD0000-0x0000000000C73000-memory.dmp

Filesize
652KB

Download
memory/2244-30-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2244-33-0x0000000000BD0000-0x0000000000C73000-memory.dmp

Filesize
652KB

Download
memory/2244-34-0x0000000000BD0000-0x0000000000C73000-memory.dmp

Filesize
652KB

Download
memory/2244-35-0x0000000000BD0000-0x0000000000C73000-memory.dmp

Filesize
652KB

Download
memory/2244-36-0x0000000000BD0000-0x0000000000C73000-memory.dmp

Filesize
652KB

Download
memory/2244-37-0x0000000000BD0000-0x0000000000C73000-memory.dmp

Filesize
652KB

Download
memory/2716-26-0x0000000003390000-0x0000000003433000-memory.dmp

Filesize
652KB

Download
memory/2716-27-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2716-10-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download