urelas | aecad675efd1e945a63d7854bca237b76b3deee96333a344d7d737a110d00384

Analysis

max time kernel
2s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6147359b5dc9aef6b8b948aee2518010.exe
Size

355KB
MD5

6147359b5dc9aef6b8b948aee2518010
SHA1

e505ffe55c7182bf8c5bb16c04f36bc6a997fbde
SHA256

aecad675efd1e945a63d7854bca237b76b3deee96333a344d7d737a110d00384
SHA512

e350b4184cf41deb94c45c384bf6e8c588aa7c3b2beba995b4544fcf66716f7c06f5814f7e5a5da6e86d171e7d8a2665bfd8132f24648e28edd434bfcba0bb2e
SSDEEP

6144:AmSxoGPeQ+tIOrOgFtFlBooGV8JI9PTdCfhS7rk2IEuFXV3WATRZ8HqRL8:lSxJ2OcDi2i9PjftuFXVGAMqF8

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Executes dropped EXE 1 IoCs

pid	Process
2084	nenaf.exe

Loads dropped DLL 1 IoCs

pid	Process
2212	6147359b5dc9aef6b8b948aee2518010.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2084	2212	6147359b5dc9aef6b8b948aee2518010.exe	30
PID 2212 wrote to memory of 2084	2212	6147359b5dc9aef6b8b948aee2518010.exe	30
PID 2212 wrote to memory of 2084	2212	6147359b5dc9aef6b8b948aee2518010.exe	30
PID 2212 wrote to memory of 2084	2212	6147359b5dc9aef6b8b948aee2518010.exe	30
PID 2212 wrote to memory of 2680	2212	6147359b5dc9aef6b8b948aee2518010.exe	29
PID 2212 wrote to memory of 2680	2212	6147359b5dc9aef6b8b948aee2518010.exe	29
PID 2212 wrote to memory of 2680	2212	6147359b5dc9aef6b8b948aee2518010.exe	29
PID 2212 wrote to memory of 2680	2212	6147359b5dc9aef6b8b948aee2518010.exe	29

C:\Users\Admin\AppData\Local\Temp\6147359b5dc9aef6b8b948aee2518010.exe
"C:\Users\Admin\AppData\Local\Temp\6147359b5dc9aef6b8b948aee2518010.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\nenaf.exe
  "C:\Users\Admin\AppData\Local\Temp\nenaf.exe"
  2⤵
  - Executes dropped EXE
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\sicov.exe
    "C:\Users\Admin\AppData\Local\Temp\sicov.exe"
    3⤵
    PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
050b3ca4c68fd35b5fef007c8de0a01d

SHA1
c5f5996c1e79a4c633f888b18245292b33513a76

SHA256
0a1349330e8d382aa080aa9a1b85763103a572e75158bc0faf05ede11361140e

SHA512
f100781191323cdf2b0a0a0ce5680d65e7bcfc5e1d643ebb9855190b520cab70356b3dfde53dfe1018be4a6fbf53ccd8e3618847cacd0455961ac632945f0232

Download Submit
memory/2008-38-0x00000000008C0000-0x0000000000974000-memory.dmp

Filesize
720KB

Download
memory/2008-43-0x00000000008C0000-0x0000000000974000-memory.dmp

Filesize
720KB

Download
memory/2008-42-0x00000000008C0000-0x0000000000974000-memory.dmp

Filesize
720KB

Download
memory/2008-41-0x00000000008C0000-0x0000000000974000-memory.dmp

Filesize
720KB

Download
memory/2008-39-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2084-36-0x0000000000830000-0x00000000008B6000-memory.dmp

Filesize
536KB

Download
memory/2084-21-0x0000000000830000-0x00000000008B6000-memory.dmp

Filesize
536KB

Download
memory/2084-37-0x0000000002250000-0x0000000002304000-memory.dmp

Filesize
720KB

Download
memory/2084-11-0x0000000000830000-0x00000000008B6000-memory.dmp

Filesize
536KB

Download
memory/2212-0-0x00000000012E0000-0x0000000001366000-memory.dmp

Filesize
536KB

Download
memory/2212-18-0x00000000012E0000-0x0000000001366000-memory.dmp

Filesize
536KB

Download
memory/2212-9-0x00000000010C0000-0x0000000001146000-memory.dmp

Filesize
536KB

Download