urelas | 41650b2d2e134e521c54fa3523fc261783954a8a75123e1f899ff9b39ec1a4e2

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

131cb9e0d30d9ea4b5cb85ba049d7787.exe
Size

536KB
MD5

131cb9e0d30d9ea4b5cb85ba049d7787
SHA1

0951478224d75a98cd98511e6f1b911f20f66e42
SHA256

41650b2d2e134e521c54fa3523fc261783954a8a75123e1f899ff9b39ec1a4e2
SHA512

6208e1abc202b2f830b7167ea58a588fa5a7b541578968a9e33fd6a5589b73872909be3c219ed6ba543300849247ab748a27d807a4318c994ec3a1c4f5ed2485
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP7:q0P/k4lb2wKat7

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
3040	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1864	bigaa.exe
2500	dyxuf.exe

Loads dropped DLL 2 IoCs

pid	Process
2072	131cb9e0d30d9ea4b5cb85ba049d7787.exe
1864	bigaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe
2500	dyxuf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 1864	2072	131cb9e0d30d9ea4b5cb85ba049d7787.exe	30
PID 2072 wrote to memory of 1864	2072	131cb9e0d30d9ea4b5cb85ba049d7787.exe	30
PID 2072 wrote to memory of 1864	2072	131cb9e0d30d9ea4b5cb85ba049d7787.exe	30
PID 2072 wrote to memory of 1864	2072	131cb9e0d30d9ea4b5cb85ba049d7787.exe	30
PID 2072 wrote to memory of 3040	2072	131cb9e0d30d9ea4b5cb85ba049d7787.exe	29
PID 2072 wrote to memory of 3040	2072	131cb9e0d30d9ea4b5cb85ba049d7787.exe	29
PID 2072 wrote to memory of 3040	2072	131cb9e0d30d9ea4b5cb85ba049d7787.exe	29
PID 2072 wrote to memory of 3040	2072	131cb9e0d30d9ea4b5cb85ba049d7787.exe	29
PID 1864 wrote to memory of 2500	1864	bigaa.exe	33
PID 1864 wrote to memory of 2500	1864	bigaa.exe	33
PID 1864 wrote to memory of 2500	1864	bigaa.exe	33
PID 1864 wrote to memory of 2500	1864	bigaa.exe	33

C:\Users\Admin\AppData\Local\Temp\131cb9e0d30d9ea4b5cb85ba049d7787.exe
"C:\Users\Admin\AppData\Local\Temp\131cb9e0d30d9ea4b5cb85ba049d7787.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\bigaa.exe
  "C:\Users\Admin\AppData\Local\Temp\bigaa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\dyxuf.exe
    "C:\Users\Admin\AppData\Local\Temp\dyxuf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dyxuf.exe

Filesize
93KB

MD5
b021d3ebfb2b11afafa8a04fbee593c3

SHA1
7abf0ea2d55c515354d512a46b60180e98fe991c

SHA256
648d39ffce4fa5832893c90c10aa7a5f2bd9215eda0d63437edeed069f0a6fce

SHA512
d0912c901bd9e73d522784158ae8bc1bd6b1e1a8789c05e8d63edd9c3da90f9392fd690512c5063894526996c2735b4aa7e9d16f143484577caf676c499d0fb5

Download Submit
\Users\Admin\AppData\Local\Temp\dyxuf.exe

Filesize
236KB

MD5
7e685e24b3e4677ff0534215ea0bb854

SHA1
ed50cb648803864f1bfdc851f92a297a04043e66

SHA256
b1979c93d03be1c3eaa1cd3a696d8f96c35a8e0b3ac062c7ab115a9d67e3cfd4

SHA512
c0f9e84e572d58d3e90dbe7202fe385a608ea93d386393113a66074539a836c63737f1290756686e1811d7db2209530aa0c00691a2f859e2ad67e304ebd5ad50

Download Submit
memory/1864-29-0x0000000003260000-0x0000000003303000-memory.dmp

Filesize
652KB

Download
memory/1864-18-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1864-27-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2072-16-0x0000000002B60000-0x0000000002BEC000-memory.dmp

Filesize
560KB

Download
memory/2072-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2072-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2500-28-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2500-30-0x00000000013D0000-0x0000000001473000-memory.dmp

Filesize
652KB

Download
memory/2500-32-0x00000000013D0000-0x0000000001473000-memory.dmp

Filesize
652KB

Download
memory/2500-33-0x00000000013D0000-0x0000000001473000-memory.dmp

Filesize
652KB

Download
memory/2500-34-0x00000000013D0000-0x0000000001473000-memory.dmp

Filesize
652KB

Download
memory/2500-35-0x00000000013D0000-0x0000000001473000-memory.dmp

Filesize
652KB

Download
memory/2500-36-0x00000000013D0000-0x0000000001473000-memory.dmp

Filesize
652KB

Download